A Technical Comparison of TTLS and PEAP
Subject:   No Two Factor Authentication in TTLS
Date:   2002-11-29 10:45:29
From:   pauldodd
It's refreshing to see a technically accurate description of WLAN Security instead of the usual hype and misinformation.

However, one topic didn't seem to get much attention in the article. The article mentions the need for "strong authentication" on a WLAN, but it doesn't discuss the relative merits of different authenticators. While it's still a topic of debate in the security community, I think it's generally accepted that static passwords are insufficient where you don't have adequate compensating controls (such as physical security). They are particularly inadequate where you have any type of remote access, which includes Internet-based VPNs, dial-up, and WLAN.

For such situations, a strong case can be made to require two factor authentication. Of the three authentication methods discussed, only EAP-TLS and PEAP currently support two factor authentication. So for sites that have a policy that requires two factor authentication for remote access, there is one less choice.

The PKI requirements of EAP-TLS make PEAP a compelling choice, and we are lucky that more PEAP supplicants are being released. Cisco is shipping their code, and other WLAN vendors are sure to follow. Hopefully, two factor authentication will be added to TTLS to enable more choices for buyers and implementers.

Paul Dodd, CISSP

