
I have seen many experts advising usage of some kind of OTP as second step of 2FA schemes.

I fully understand 2FA is more secure than single-factor authentication, but it is also more inconvenient for the casual user.

We currently have schemes with "strong passwords" changed on a regular basis, and many users are complaining.

I am wondering if replacing passwords with HOTP (possibly Google Authenticator, supported by google-authenticator-libpam) would result in lower security than our present scheme.

The question is:

Is using google-authenticator-libpam considered more or less secure than a password (8 chars, mixed case, numeric & special chars)?

If viable, what are the pitfalls (if any)?

ZioByte
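To make the comparison concrete, here is an added example (not code from the question or from google-authenticator-libpam) that implements HOTP as specified in RFC 4226, checks it against the RFC's published test vectors, and wraps it in a minimal server-side verifier with the two controls a deployment needs if a one-time code is the only factor: a bounded look-ahead window so a desynchronised counter can be recovered, and a failure throttle so the ~20-bit code space cannot be swept online. The entropy helper puts a 6-digit HOTP code next to an 8-character password drawn from the 94 printable ASCII characters; the alphabet size and the window and lockout parameters are assumptions chosen for illustration.

```python
import hmac
import hashlib
import math
import struct

# Shared secret from the RFC 4226 test vectors (Appendix D); a real deployment
# uses a random secret generated per user, never a fixed value like this.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1, dynamic truncation, decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side HOTP state for one user: next expected counter, look-ahead
    window and a simple consecutive-failure lockout (parameters are assumed)."""

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 3):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window      # how far ahead the client may have drifted
        self.failures = 0
        self.max_failures = max_failures

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str) -> bool:
        # Refuse everything once the throttle trips; with only ~10^6 possible
        # codes, unlimited attempts would make online guessing practical.
        if self.locked():
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # consume this and all earlier counters
                self.failures = 0
                return True
        self.failures += 1
        return False


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed demonstration values, not taken from any real deployment.
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC4226_SECRET, c)}")
    print(f"6-digit HOTP code space : {guess_space_bits(10, 6):.1f} bits per attempt")
    print(f"8-char, 94-symbol password: {guess_space_bits(94, 8):.1f} bits")
    v = HotpVerifier(RFC4226_SECRET)
    print("accept counter 1 (in window):", v.verify(hotp(RFC4226_SECRET, 1)))
    print("replay counter 0 (consumed):  ", v.verify(hotp(RFC4226_SECRET, 0)))
```

The numbers the entropy helper prints show why the two factors are not interchangeable: a random 8-character password from the full printable set has about 52 bits, while a single 6-digit code offers about 20 bits, and that 20-bit space is the same on every attempt. The HOTP secret itself is 160 bits, but an attacker at the login prompt never has to guess it, only the current code, so the verifier's throttle and window size are what actually bound the online attack, and the counter-consumption logic is what stops a captured code from being replayed.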
  • Any 8-char password that is generated by users cannot be considered safe. Though this is more a question for Security Stack Exchange. Enforcing different symbol sets doesn't necessarily make a password more secure than a longer password with a single symbol set. What users often end up doing is something like "Laura2018!", which is way less secure than "pigbattlecerealunicorntranslation" though equally easy to remember. If your users complain about password changes and you are concerned about security, but don't want 2FA, have a look at diceware, it's awesome. Don't replace with HOTP. – Broco Sep 28 '18 at 09:46
  • To clarify, OTP/HOTP is ok-ish as a 2FA addition to another authentication method, but it is NOT considered safe as the ONLY authentication method. – Broco Sep 28 '18 at 09:54

0 Answers