Ops feedback notes 2015-04-07
OTP preauth, mostly focusing on Duo-type technologies. It's possible that one proposed combined PAKE-OTP preauth would allow online password guessing if deployed with a multi-pass OTP technology such as Duo (one where the first exchange selects or triggers an out-of-band factor rather than carrying the OTP value itself).
Duo allows a user to have one or more factors registered. These can include hardware tokens, voice-response telephone calls, SMS text messages carrying OTP values, push notifications to smartphones, etc. The current Kerberos-Duo integration deployed at MIT prompts the user either for an OTP value (from a hardware token or elsewhere) or for an empty string to select one of the other (out-of-band) options.
One site is rolling Duo out on a per-service and per-user basis; no explicit Kerberos integration yet. Also deployed with Cosign web SSO. Mostly not using dedicated hardware tokens. Duo is good for deploying to a diverse audience. Sometimes a site wants to restrict some users to fewer factor options for security (e.g., maybe some users should only be allowed hardware tokens). In that sort of case, one option is to give those users only the ability to enter an OTP value directly, rather than the multi-pass capability (empty string, then out-of-band factor) that would allow online password guessing in the proposed PAKE preauth mechanism.
Using a cloud-based service can be a concern: what if the cloud service goes away or is unavailable? (Possibly there's an on-site appliance option?)