assurance - Re: [Assurance] can two-factor be hacked ?
- From: David Langenberg <>
- To: "" <>
- Subject: Re: [Assurance] can two-factor be hacked ?
- Date: Fri, 7 Mar 2014 15:23:00 -0700
Ah, that is not the direction I thought you were going to go with it. Good suggestion, though.
I was thinking of using some kind of app to interact with the enterprise SSO to help defend against this kind of behavior.
Jacob
From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 07, 2014 5:19 PM
To:
Subject: Re: [Assurance] can two-factor be hacked ?
Sure, take Mr Bear Bucks JS, package it up into a .crx and upload to the Google Chrome Web Store.
Docs:
Getting someone to use the new extension is as simple as a link to the app on the web-store. If the browser can display it, you can mess with it. Some popular ones you may have heard of include AdBlock and SocialFixer. Yes, updates to the enterprise app will break your thing, but it's easy to push updates out.
As for lazy users, I've noticed that once they see how they can be even more lazy with your extension, that will quickly overcome the too-lazy-to-install factor.
Dave
On Fri, Mar 7, 2014 at 3:08 PM, Farmer, Jacob <> wrote:
Dave,
That sounds like an interesting idea – do you mind expanding on it a bit?
Jacob
From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 07, 2014 5:06 PM
To:
Subject: Re: [Assurance] can two-factor be hacked ?
Even if you start chasing addresses & blacklisting proxies they'll just escalate to my favorite way of handling enterprise apps which have dumb UI issues & committees who refuse to implement common-sense suggestions: the browser extension.
Dave
On Fri, Mar 7, 2014 at 2:31 PM, Cantor, Scott <> wrote:
On 3/7/14, 4:27 PM, "Steven Carmody" <> wrote:
>
>The javascript runs completely within the server platform. That's
>something that's new....
Or old, as the case may be. Proxies are really only defeatable in the
usual ways. If they're screen scraping, then you can have an arms race
implementing anti-scraping tricks, but that goes away as soon as you
support something like, say, ECP or Moonshot, that's implementing a
non-browser UI for authentication.
So that leaves chasing addresses, and blacklisting proxies when you find
them.
>As you say, *should*. However, if it's identical to the application's
>login page, then the user would have to look at the url bar... does
>anyone know of anything that could be embedded in the real page, but not
>duplicated in the fake page ?
Nothing I can imagine.
-- Scott
--
David Langenberg
Identity & Access Management
The University of Chicago