Does it allow to do "nested" logins? E.g., first login from machine A to machine B, then login from machine B to machine C, while the security token is on machine A?
PAM + OTP. See the Arch Wiki [0], though it's applicable on almost every single distribution. You can use keys for known devices, and use passphrase and OTP for unknown devices if you need to SSH in a bind.
The difficult question regarding two factor authentication is "what do you do if you lose the second factor?"
The answer to that question can often range all the way from "your account is lost forever" to "you have to go through a whirlwind of bureaucratic pain" to "the alternative method of entry is easy, hassle free, and how your account will end up compromised."
Yubico's answer to this is to own & register two of them against the account/software they are being used as the 2nd factor for. Some accounts also offer something short of the whirlwind but not as socially engineerable as the obvious easy, hassle free methods - for example Google issues backup codes for signing into the account when you lose all your means of 2FA.
Unfortunately Apple Watch and Android Wear don't seem to have an offline H/TOTP generator.
Pebble is the only real wearable that does have an open source on-device OTP generator => https://github.com/JumpMaster/QuickAuth and it's one of the main reasons I've stuck with Pebble.
14 comments
[ 3.8 ms ] story [ 32.8 ms ] threadSuper easy to setup and use. About $1/user/month, so fairly cheap.
0. https://wiki.archlinux.org/index.php/Google_Authenticator
The answer to that question can often range all the way from "your account is lost forever" to "you have to go through a whirlwind of bureaucratic pain" to "the alternative method of entry is easy, hassle free, and how your account will end up compromised."
Another dongle
Pebble is the only real wearable that does have an open source on-device OTP generator => https://github.com/JumpMaster/QuickAuth and it's one of the main reasons I've stuck with Pebble.