Assurance

[Etan Weintraub <>]

Truthfully though, nothing will protect you from every vector of attack. The 
main thing that a lot of people overlook is response time to closing a 
vector. Part of that is knowing how the attack is coming in, the other part 
is having tools to quickly block it and handle the fall out (i.e. resetting 
passwords of users, notifying users, locking them until they go through some 
advanced steps, etc.).

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT@Johns
 Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: 


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Jones, Mark B
Sent: Tuesday, March 11, 2014 11:05 AM
To: 

Subject: RE: [Assurance] can two-factor be hacked ?

Right.  So, in summary, MFA is a good worthwhile defense, but will not
protect you from every vector of attack.

> -----Original Message-----
> From: 
> 
>  [
> ]
>  On Behalf Of Cantor, Scott
> Sent: Tuesday, March 11, 2014 9:34 AM
> To: 
> 
> Subject: Re: [Assurance] can two-factor be hacked ?
> 
> On 3/11/14, 3:20 AM, "Jones, Mark B" 
> <>
>  wrote:
> >
> >As far as the original question.  It seems to me that MFA is a good
> >defense.
> 
> Then I think you misunderstand the question, it's the exact scenario where
> typical OTP approaches to MFA do not solve the problem. A MITM attack
> against all legs can simply steal and play the OTP to obtain a session.
> Normally it's done innocently as in this case, but it can be done as an
> attack.
> 
> -- Scott