Re: [Assurance] can two-factor be hacked ?


  • From: "Farmer, Jacob" <>
  • To: "<>" <>
  • Cc: "" <>
  • Subject: Re: [Assurance] can two-factor be hacked ?
  • Date: Tue, 11 Mar 2014 11:49:02 +0000
  • Accept-language: en-US

I think the place where we're getting into trouble in this conversation is
that we're considering multifactor authentication as a broad category. Some
forms of multifactor provide excellent protection against phishing – for
example, certificates when mutual authentication is performed.

Unfortunately, more commonly deployed multifactor solutions provide much less
protection. Let's look at one time passwords as an example. If I can
convince you to enter your OTP in a site I control, I can replay that OTP
into the legitimate site and login as you. My ability to use that login is
much more limited, because the password I acquired will only work once, but
it will still work that first time.

Please don't interpret that to mean I think that OTP is not a good
investment. I think it provides strong protection against a number of
attacks. For example, if one of my users is using the same password on
multiple sites, and one of the sites is compromised, the OTP will protect
them on my systems. But at the same time, I think it's important to be aware
of the threat vectors it does not address.

Jacob

=========================
Jacob Farmer
Identity Management Systems
(812) 856-0186
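Jacob's point about OTP relay versus mutually authenticated credentials, as an added illustration that is not part of the thread: a standard TOTP verifier accepts a code regardless of which site the user typed it into, whereas a response bound to the origin the client actually connected to fails verification when forwarded. The secrets, origins and timestamp are constructed; the origin-bound scheme is a simplified stand-in for certificate mutual authentication, not a specific product's protocol.

```python
import hashlib
import hmac
import struct

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter, dynamically truncated.
def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class TotpVerifier:
    """Legitimate site: accepts a code within +/- one step, and each step only once."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.used = secret, step, set()

    def verify(self, code: str, unix_time: int) -> bool:
        for k in (-1, 0, 1):
            t = unix_time + k * self.step
            if hmac.compare_digest(totp(self.secret, t), code) and t // self.step not in self.used:
                self.used.add(t // self.step)
                return True
        return False

# Origin-bound challenge-response (the shape of mutual TLS or FIDO authentication):
# the authenticated message covers the origin the client believes it is talking to.
def origin_bound_response(device_key: bytes, challenge: bytes, origin: str) -> str:
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()

def verify_origin_bound(device_key: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    return hmac.compare_digest(origin_bound_response(device_key, challenge, expected_origin), response)

def simulate_relay(now: int = 1394536142) -> dict:
    """Constructed scenario: the user authenticates at a look-alike site, which forwards
    whatever it receives to the legitimate site within a few seconds."""
    secret = b"constructed-shared-otp-secret"
    legit = TotpVerifier(secret)
    typed = totp(secret, now)                              # what the user types at the look-alike site
    relayed_otp_accepted = legit.verify(typed, now + 5)    # forwarded code reaches the real site first
    user_retry_accepted = legit.verify(typed, now + 10)    # the one-time property now locks out the real user

    device_key = b"constructed-device-key"
    challenge = b"nonce-issued-by-legit-site"
    # The device binds the response to the origin it actually connected to, so the
    # forwarded response does not match what the legitimate site expects.
    response = origin_bound_response(device_key, challenge, "https://login.phish.example")
    relayed_bound_accepted = verify_origin_bound(device_key, challenge, "https://login.legit.example", response)
    return {"otp_relay": relayed_otp_accepted, "otp_user_retry": user_retry_accepted,
            "origin_bound_relay": relayed_bound_accepted}
```

The `totp` function reproduces the RFC 6238 SHA-1 test vector (secret `12345678901234567890`, time 59, eight digits gives `94287082`), so the verifier behaviour shown is that of a standards-compliant OTP check, not a weakened one.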

> On Mar 11, 2014, at 3:21 AM, "Jones, Mark B"
> <>
> wrote:
>
> Well... no I had not followed the "essay" link. But now I have.
>
> I disagree with Mr. Schneier on some points. He states that "two-factor ...
> won't defend against phishing". He doesn't explain this opinion but it
> seems self-evident to me that MFA does defend against phishing. Perhaps it
> was a 2005 notion of what two-factor is? He does mention that "a two-factor
> password is more difficult to guess", and that sounds like a single factor
> to me. Or perhaps he is just trying to say that MFA is not a silver bullet
> for all security issues? In one paragraph he excoriates the use of
> passwords. In the next paragraph he states that "Two-factor authentication
> mitigates this problem". Then he describes some attacks that I agree would
> not be mitigated by MFA (except phishing) before going back to stating that
> "Two-factor authentication is not useless."
>
> The more I read the blog and the essay I see that I do agree with Mr.
> Schneier on many points. He actually seems to be praising two-factor
> authentication as a solution to specific security issues (the issues we
> would be most concerned with). The point where we clearly disagree is on
> the usefulness of MFA in mitigating phishing. And we may disagree on MFA's
> effect on identity theft, depending on if he draws a distinction between
> identity theft and online impersonation by taking control of a user's
> authentication credential.
>
> ... and I wish he had explained what he means by "identity theft and bank
> fraud are not results of password problems; they stem from poorly
> authenticated transactions". I'm curious what his idea is of a well
> authenticated transaction.
>
> As for the original question, it seems to me that MFA is a good defense.
>
>> -----Original Message-----
>> From:
>>
>>
>> [mailto:]
>> On Behalf Of Tom
>> Scavo
>> Sent: Monday, March 10, 2014 9:49 PM
>> To:
>>
>> Subject: Re: [Assurance] can two-factor be hacked ?
>>
>> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B
>> <>
>> wrote:
>>>
>>> I'm not sure how meaningful this blog is without understanding the
>>> specific threats being discussed.
>>
>> Did you follow the link "essay" in the first line of the blog article?
>> The point he is trying to make seems pretty clear to me. It seems to be a
>> response to the original question posed by Steven.
>>
>> Tom



Archive powered by MHonArc 2.6.16.