Two-factor authentication finds home in Red Hat, Windows OS
Red Hat is introducing new identity management features as part of Red Hat Enterprise Linux 7.1, including a much-anticipated two-factor authentication option based on FreeOTP.
Not to be outdone, Microsoft will introduce a native multi-factor authentication infrastructure in Windows 10. Both operating system releases are due out by this summer.
The enterprise security features come at a time of unprecedented hacks that are growing ever larger in terms of records stolen. The intent of both companies is to negate phishing attacks and other social engineering theft of passwords by providing end-users with a second-factor (something they have) that is in their possession and not the hackers.
RHEL 7.1 includes a number of additions to its Identity Management platform to provide new levels of security. The additions include the first implementation of the standard OTP mechanism known as FreeOTP, a soft-token authenticator. (You can read about identity and other improvements to the 7.1 platform as reported by my colleague Steven J. Vaughn-Nichols).
Microsoft is also adding two-factor authentication into its Windows 10 platform (as reported by my colleague Ed Bott) that will ship in the summer. But Microsoft isn't going the open source route (but it did recently join the FIDO Alliance, which is developing strong authentication standards). Jim Alkove, director of program management for the enterprise and security group at Microsoft, wrote in his blog that multi-factor authentication (servers, PC, tablet, phones) is built "right into the operating system and device itself, eliminating the need for additional hardware security peripherals."
RHEL 7.1's one-time password (OTP) authentication supports Internet Engineering Task Force (IETF) OTP standards - HOTP and TOTP. It does not require proprietary server-side components.
Red Hat recommends the FreeIPA server, which supports TOTP via LDAP and Kerberos protocols. The server will support FreeOTP soft tokens and OTP hardware tokens from various vendors.
FreeOTP is very similar to Google Authenticator and was developed after Google took Authenticator out of the ranks of open source software in 2013. FreeOTP is available as both Android and iOS apps, and the source code is available from FredoraHosted.com. FreeOTP also supports multiple settings for configuring a token and supports a number of hashing algorithms, including MD5, SHA1, SHA256, SHA512 for Android.
Red Hat also considered enterprise migration strategies adding a mechanism to ease the move from proprietary software to open source. RHEL 7.1 includes a method to proxy OTP requests to proprietary RADIUS servers.
Microsoft's Next Generation Credential will support a cryptographically generated key pair (private and public keys) generated by Windows itself or a certificate provisioned to the device from existing enterprise PKI infrastructures. Active Directory, Azure Active Directory, and Microsoft Accounts will support the new user credentials.
Alkove says the intent is to protect access tokens that are generated for users after they are authenticated. "With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology," he wrote in his blog.
(Discloser: My employer develops a one-time password hardware token)