Right now, I am looking into alternative multi-factor authentication solutions. There are the obvious contenders such as RSA SecurID or smartcards, but they tend to be on the pricey side, especially if you want to use them for your blog, your home VPN, or generally for fun.
Enter Duo Security: this company offers a cell phone based solution for multi-factor authentication. Not overly exciting in itself, since this is something that has been around for quite a while. However, their solution is pretty flexible: they support the usual callback and text-based flows, but also a smartphone app that leverages the device’s hardware security module (HSM) for key protection. The neat thing about this (semi-)soft token is that it provides an OTP PIN solution backed by hardware crypto providers, but without the hassle of key fob distribution and management.
In addition to the phone-based authentication flows (which obviously also work with landlines, since they support voice callbacks), they also support hardware tokens, including YubiKey. It is ultimately up to the administrator to determine which devices are sufficient, but Duo supports the option to allow multiple devices and let the user choose.
Now, the really nice part about all this is that their Personal Edition for up to 10 users is free. This means that I can finally start to take a look at my personal stuff and determine if and where to enable multi-factor. The first step is this blog, since Duo provides all necessary components (cell phone app, service, WordPress plugin) out of the box. Setting this up took me about 15 minutes. VPN into my home network will be next on my list.