
assurance - RE: [Assurance] can two-factor be hacked ?

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] can two-factor be hacked ?
  • Date: Tue, 11 Mar 2014 02:20:36 -0500
  • Accept-language: en-US

Well... no I had not followed the "essay" link. But now I have.

I disagree with Mr. Schneier on some points. He states that "two-factor ...
won't defend against phishing". He doesn't explain this opinion but it
seems self-evident to me that MFA does defend against phishing. Perhaps it
was a 2005 notion of what two-factor is? He does mention that "a two-factor
password is more difficult to guess", and that sounds like a single factor
to me. Or perhaps he is just trying to say that MFA is not a silver bullet
for all security issues? In one paragraph he excoriates the use of
passwords. In the next paragraph he states that "Two-factor authentication
mitigates this problem". Then he describes some attacks that I agree would
not be mitigated by MFA (except phishing) before going back to stating that
"Two-factor authentication is not useless."

The more I read the blog and the essay I see that I do agree with Mr.
Schneier on many points. He actually seems to be praising two-factor
authentication as a solution to specific security issues (the issues we
would be most concerned with). The point where we clearly disagree is on
the usefulness of MFA in mitigating phishing. And we may disagree on MFA's
effect on identity theft, depending on if he draws a distinction between
identity theft and online impersonation by taking control of a user's
authentication credential.

... and I wish he had explained what he means by "identity theft and bank
fraud are not results of password problems; they stem from poorly
authenticated transactions". I'm curious what his idea is of a well
authenticated transaction.

As far as the original question, it seems to me that MFA is a good defense.

> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Monday, March 10, 2014 9:49 PM
> To:
> Subject: Re: [Assurance] can two-factor be hacked ?
>
> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B <> wrote:
> >
> > I'm not sure how meaningful this blog is without understanding the
> > specific threats being discussed.
>
> Did you follow the link "essay" in the first line of the blog article?
> The point he is trying to make seems pretty clear to me. It seems to be a
> response to the original question posed by Steven.
>
> Tom
