Article:   A Technical Comparison of TTLS and PEAP
Subject:   No Two Factor Authentication in TTLS
Date:   2002-11-29 10:45:29
From:   pauldodd
It's refreshing to see a technically accurate description of WLAN Security instead of the usual hype and misinformation.


However, one topic didn't seem to get much attention in the article. The article mentions the need for "strong authentication" on a WLAN, but it doesn't discuss the relative merits of different authenticators. While it's still a topic of debate in the security community, I think it's generally accepted that static passwords are insufficient where you don't have adequate compensating controls (such as physical security). They are particularly inadequate where you have any type of remote access, which includes Internet-based VPNs, dial-up, and WLAN.


For such situations, a strong case can be made to require two factor authentication. Of the three authentication methods discussed, only EAP-TLS and PEAP currently support two factor authentication. So for sites that have a policy that requires two factor authentication for remote access, there is one less choice.


The PKI requirements of EAP-TLS make PEAP a compelling choice, and we are lucky that more PEAP supplicants are being released. Cisco is shipping their code, and other WLAN vendors are sure to follow. Hopefully, two factor authentication will be added to TTLS to enable more choices for buyers and implementers.


Paul Dodd, CISSP

  • No Two Factor Authentication in TTLS
    2003-07-07 09:05:01  anonymous2

    >> Hopefully, two factor authentication will be
    >> added to TTLS to enable more choices for
    >> buyers and implementers.

    TTLS was the first to market with a two factor solution (EAP-TTLS(PAP/Token Card)) nearly a year and a half ago; PEAP is only now beginning to catch up.

    Keep in mind that TTLS also supports EAP methods as the secondary authentication, so you can do TTLS(EAP-Generic Token Card) as well.
  • Two Factor Authentication in TTLS with RSA SecurID
    2002-12-10 16:34:13  Matthew Gast | O'Reilly Author, O'Reilly Blogger

    > Of the three authentication methods discussed,
    > only EAP-TLS and PEAP currently support two
    > factor authentication. So for sites that have a
    > policy that requires two factor authentication
    > for remote access, there is one less choice.

    TTLS supports tunneling using token cards such as SecurID or Secure Computing's SafeWord. You can pass a username and a token code to the two-factor authentication server.

    As an example, RSA has certified the use of Funk's Odyssey TTLS client with the ACE Server and SecurID. (See RSA's page for details, as well as the Implementation Guide with the details.)