Skip to Content.
Sympa Menu

assurance - RE: [Assurance] can two-factor be hacked ?

Subject: Assurance

List archive

RE: [Assurance] can two-factor be hacked ?


Chronological Thread 
  • From: "Farmer, Jacob" <>
  • To: "" <>
  • Subject: RE: [Assurance] can two-factor be hacked ?
  • Date: Fri, 7 Mar 2014 22:08:36 +0000
  • Accept-language: en-US

Dave,

 

That sounds like an interesting idea – do you mind expanding on it a bit?

 

Jacob

 

From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 07, 2014 5:06 PM
To:
Subject: Re: [Assurance] can two-factor be hacked ?

 

Even if you start chasing addresses & blacklisting proxies they'll just escalate to my favorite way of handling enterprise apps which have dumb UI issues & committees who refuse to implement common-sense suggestions: the browser extension.  

 

Dave

 

On Fri, Mar 7, 2014 at 2:31 PM, Cantor, Scott <> wrote:

On 3/7/14, 4:27 PM, "Steven Carmody" <> wrote:
>
>The _javascript_ runs completely within the server platform. That's
>something that's new....

Or old, as the case may be. Proxies are really only defeatable in the
usual ways. If they're screen scraping, then you can have an arms race
implementing anti-scraping tricks, but that goes away as soon as you
support something like, say, ECP or Moonshot, that's implementing a
non-browser UI for authentication.

So that leaves chasing addresses, and blacklisting proxies when you find
them.


>As  you say, *should*. However, if its identical to the application's
>login page, then the user would have to look at the url bar... does
>anyone know of anything that could be embedded in the real page, but not
>duplicated in the fake page ?

Nothing I can imagine.

-- Scott



 

--
David Langenberg

Identity & Access Management

The University of Chicago


Archive powered by MHonArc 2.6.16.

Top of Page