
RE: [Assurance] can two-factor be hacked ?


  • From: Brian Arkills <>
  • To: "" <>
  • Subject: RE: [Assurance] can two-factor be hacked ?
  • Date: Tue, 11 Mar 2014 15:36:04 +0000
  • Accept-language: en-US

Jacob has some really good points here.

http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
is something the MFA consortium has taken a look at. On page 11, you'll find
a table with a variety of "web authentication schemes" that include MFA ones.
Each of those is evaluated across a broad spectrum of potential benefits. One
of those benefits is 'resilient-to-phishing'. Via their analysis, not all of
them have the benefit, but some do. There's quite a bit of detail on their
methodology, and to dig deeper, there's an extended version of the paper.

I know Tom Scavo spent some time extending that table to additional specific
MFA solutions and benefits. Betsy Burton (Gartner's EA analyst) also had some
work built on top of that paper that she described in a presentation to the
MFA cohortium.

Anyhow, I bring up this paper because it takes the time to define a
methodology and define what they mean, so everyone has a common
understanding. For example, their definition of 'resilient-to-phishing' is:

"Resilient-to-Phishing: An attacker who simulates
a valid verifier (including by DNS manipulation)
cannot collect credentials that can later be used
to impersonate the user to the actual verifier. This
penalizes schemes allowing phishers to get victims
to authenticate to lookalike sites and later use
the harvested credentials against the genuine sites.
It is not meant to penalize schemes vulnerable
to more sophisticated real-time man-in-the-middle
or relay attacks, in which the attackers have one
connection to the victim prover (pretending to be
the verifier) and simultaneously another connection
to the victim verifier (pretending to be the prover)."

So they separate it from the MITM and relay attacks, which I note Scott
Cantor is including in this thread.

> -----Original Message-----
> From:
>
> [
> ]
> On Behalf Of Farmer, Jacob
> Sent: Tuesday, March 11, 2014 4:49 AM
> To:
> <>
> Cc:
>
> Subject: Re: [Assurance] can two-factor be hacked ?
>
> I think the place where we're getting into trouble in this conversation is
> that we're considering multifactor authentication as a broad category. Some
> forms of multifactor provide excellent protection against phishing - for
> example, certificates when mutual authentication is performed.
>
> Unfortunately, more commonly deployed multifactor solutions provide much
> less protection. Let's look at one time passwords as an example. If I can
> convince you to enter your OTP in a site I control, I can replay that OTP
> into the legitimate site and log in as you. My ability to use that login is
> much more limited, because the password I acquired will only work once, but
> it will still work that first time.
>
> Please don't interpret that to mean I think that OTP is not a good
> investment.
> I think it provides strong protection against a number of attacks. For
> example, if one of my users is using the same password on multiple sites,
> and one of the sites is compromised, the OTP will protect them on my
> systems. But at the same time, I think it's important to be aware of the
> threat vectors it does not address.
>
> Jacob
>
> =========================
> Jacob Farmer
> Identity Management Systems
> (812) 856-0186
>
> > On Mar 11, 2014, at 3:21 AM, "Jones, Mark B"
> <>
> wrote:
> >
> > Well... no I had not followed the "essay" link. But now I have.
> >
> > I disagree with Mr. Schneier on some points. He states that "two-factor
> > ... won't defend against phishing". He doesn't explain this opinion but it
> > seems self-evident to me that MFA does defend against phishing. Perhaps it
> > was a 2005 notion of what two-factor is? He does mention that "a two-factor
> > password is more difficult to guess", and that sounds like a single factor
> > to me. Or perhaps he is just trying to say that MFA is not a silver bullet
> > for all security issues? In one paragraph he excoriates the use of
> > passwords. In the next paragraph he states that "Two-factor authentication
> > mitigates this problem". Then he describes some attacks that I agree would
> > not be mitigated by MFA (except phishing) before going back to stating that
> > "Two-factor authentication is not useless."
> >
> > The more I read the blog and the essay I see that I do agree with Mr.
> > Schneier on many points. He actually seems to be praising two-factor
> > authentication as a solution to specific security issues (the issues we
> > would be most concerned with). The point where we clearly disagree is on
> > the usefulness of MFA in mitigating phishing. And we may disagree on MFA's
> > effect on identity theft, depending on if he draws a distinction between
> > identity theft and online impersonation by taking control of a user's
> > authentication credential.
> >
> > ... and I wish he had explained what he means by "identity theft and bank
> > fraud are not results of password problems; they stem from poorly
> > authenticated transactions". I'm curious what his idea is of a well
> > authenticated transaction.
> >
> > As far as the original question goes, it seems to me that MFA is a good
> > defense.
> >
> >> -----Original Message-----
> >> From:
> >>
> >>
> >> [mailto:]
> >> On Behalf Of Tom
> >> Scavo
> >> Sent: Monday, March 10, 2014 9:49 PM
> >> To:
> >>
> >> Subject: Re: [Assurance] can two-factor be hacked ?
> >>
> >> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B
> >> <>
> >> wrote:
> >>>
> >>> I'm not sure how meaningful this blog is without understanding the
> >>> specific threats being discussed.
> >>
> >> Did you follow the link "essay" in the first line of the blog article?
> >> The point he is trying to make seems pretty clear to me. It seems to be a
> >> response to the original question posed by Steven.
> >>
> >> Tom



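The following is an added example and is not part of the thread or of any project mentioned in it. It puts the two cases the thread argues about side by side: the OTP relay Jacob describes (a lookalike site collects the victim's one-time code and forwards it to the real site while it is still valid), and an origin-bound challenge-response of the kind the Bonneau et al. definition counts as resilient-to-phishing, where the authenticator signs the origin the browser is actually talking to, so a relayed response fails the verifier's origin check and a rewritten origin fails the signature check. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step); the origins, the `OtpVerifier`/`OriginBoundVerifier` classes and the use of an HMAC key in place of a per-site key pair are simplifications assumed for the example.

```python
"""Added example (not from the mailing-list thread): OTP phishing relay vs.
origin-bound challenge-response. Names and origins are hypothetical; an HMAC
key stands in for the per-site key pair a real authenticator would hold."""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """The genuine site. Accepts the current step plus one step of clock skew."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(code, totp(self.secret, now + k * STEP))
                   for k in (-1, 0, 1))


def otp_phish(secret: bytes, now: int, delay: int = 5) -> bool:
    """Lookalike site collects the victim's OTP at time `now` and forwards it
    to the real site `delay` seconds later. True means the attacker got in."""
    code_typed_into_phish_page = totp(secret, now)  # the victim's own token
    return OtpVerifier(secret).login(code_typed_into_phish_page, now + delay)


# --- origin-bound challenge-response ---------------------------------------
# The authenticator signs (challenge, origin the browser is actually on) and
# the verifier checks both the origin field and the signature over it.
GENUINE_ORIGIN = "https://login.example.edu"      # hypothetical
PHISH_ORIGIN = "https://login.example-edu.evil"   # hypothetical lookalike


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class OriginBoundVerifier:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def login(self, challenge: str, origin: str, signature: str) -> bool:
        if challenge not in self.outstanding:
            return False                      # unknown or already used
        self.outstanding.discard(challenge)   # each challenge is single-use
        if origin != GENUINE_ORIGIN:
            return False                      # signed for some other site
        expected = sign_assertion(self.key, challenge, origin)
        return hmac.compare_digest(signature, expected)


def origin_bound_legit(key: bytes) -> bool:
    v = OriginBoundVerifier(key)
    c = v.challenge()
    return v.login(c, GENUINE_ORIGIN, sign_assertion(key, c, GENUINE_ORIGIN))


def origin_bound_phish(key: bytes):
    """Real-time relay: the attacker fetches a genuine challenge, shows it on
    the lookalike site, and the victim's browser signs it with PHISH_ORIGIN.
    Returns (forwarded unchanged, forwarded with the origin field rewritten)."""
    v = OriginBoundVerifier(key)
    c1 = v.challenge()
    sig1 = sign_assertion(key, c1, PHISH_ORIGIN)   # what the victim produces
    unchanged = v.login(c1, PHISH_ORIGIN, sig1)    # rejected: origin mismatch
    c2 = v.challenge()
    sig2 = sign_assertion(key, c2, PHISH_ORIGIN)
    rewritten = v.login(c2, GENUINE_ORIGIN, sig2)  # rejected: signature covers the wrong origin
    return unchanged, rewritten


if __name__ == "__main__":
    secret, key = b"12345678901234567890", secrets.token_bytes(32)
    print("OTP relay within window:  ", otp_phish(secret, 1_700_000_000))
    print("OTP relay after 2 minutes:", otp_phish(secret, 1_700_000_000, delay=120))
    print("origin-bound legit login: ", origin_bound_legit(key))
    print("origin-bound relay:       ", origin_bound_phish(key))
```

The OTP relay succeeds as long as the forwarded code lands inside the verifier's acceptance window and fails once it has expired, which is exactly the "limited, but it will still work that first time" property Jacob describes. The origin-bound scheme fails the relay either way, but only because the verifier checks the origin field and the signature together; a verifier that skipped the origin check would be back in the OTP situation.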