Assurance

["Farmer, Jacob" <>]

I think the place where we're getting into trouble in this conversation is 
that we're considering multifactor authentication as a broad category.  Some 
forms of multifactor provide excellent protection against phishing – for 
example, certificates when mutual authentication is performed. 

Unfortunately, more commonly deployed multifactor solutions provide much less 
protection.  Let's look at one time passwords as an example. If I can 
convince you to enter your OTP in a site I control, I can replay that OTP 
into the legitimate site and login as you.  My ability to use that login is 
much more limited, because the password I acquired will only work once, but 
it will still work that first time.

Please don't interpret that to mean I think that OTP is not a good 
investment. I think it provides strong protection against a number of 
attacks. For example, if one of my users is using the same password on 
multiple sites, and one of the sites is compromised, the OTP will protect 
them on my systems.  But at the same time, I think it's important to be aware 
of the threat vectors it does not address.

Jacob

=========================
Jacob Farmer
Identity Management Systems
(812) 856-0186

> On Mar 11, 2014, at 3:21 AM, "Jones, Mark B" 
> <>
>  wrote:
> 
> Well... no I had not followed the "essay" link.  But now I have.
> 
> I disagree with Mr. Schneier on some points.  He states that "two-factor ...
> won't defend against phishing".  He doesn't explain this opinion but it
> seems self-evident to me that MFA does defend against phishing.  Perhaps it
> was a 2005 notion of what two-factor is?  He does mention that "a two-factor
> password is more difficult to guess", and that sounds like a single factor
> to me.  Or perhaps he is just trying to say that MFA is not a sliver bullet
> for all security issues?  In one paragraph he excoriates the use of
> passwords.  In the next paragraph he states that "Two-factor authentication
> mitigates this problem".  Then he describes some attacks that I agree would
> not be mitigated by MFA (except phishing) before going back to stating that
> "Two-factor authentication is not useless."
> 
> The more I read the blog and the essay I see that I do agree with Mr.
> Schneier on many points.  He actually seems to be praising two-factor
> authentication as a solution to specific security issues (the issues we
> would be most concerned with).  The point where we clearly disagree is on
> the usefulness of MFA in mitigating phishing.  And we may disagree on MFAs
> effect on identity theft, depending on if he draws a distinction between
> identity theft and online impersonation by taking control of a user's
> authentication credential.
> 
> ... and I wish he had explained what he means by "identity theft and bank
> fraud are not results of password problems; they stem from poorly
> authenticated transactions".  I'm curious what his idea is of a well
> authenticated transaction.
> 
> As far as the original question.  It seems to me that MFA is a good defense.
> 
>> -----Original Message-----
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of Tom
>> Scavo
>> Sent: Monday, March 10, 2014 9:49 PM
>> To: 
>> 
>> Subject: Re: [Assurance] can two-factor be hacked ?
>> 
>> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B
>> <>
>>  wrote:
>>> 
>>> I'm not sure how meaningful this blog is without understanding the
>>> specific threats being discussed.
>> 
>> Did you follow the link "essay" in the first line of the blog article?
>> The point he is trying to make seems pretty clear to me. It seems to be a
>> response to the original question posed by Steven.
>> 
>> Tom