RE: [Assurance] can two-factor be hacked ?


  • From: Brian Arkills <>
  • To: "" <>
  • Subject: RE: [Assurance] can two-factor be hacked ?
  • Date: Tue, 11 Mar 2014 16:38:51 +0000
  • Accept-language: en-US

Oops. Meant Eve Maler from Forrester Research, not Betsy Burton ...

> -----Original Message-----
> From: [ ] On Behalf Of Brian Arkills
> Sent: Tuesday, March 11, 2014 8:36 AM
> To:
> Subject: RE: [Assurance] can two-factor be hacked ?
>
> Jacob has some really good points here.
>
> http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
> is something the MFA consortium has taken a look at. On page 11, you'll find
> a table with a variety of "web authentication schemes" that include MFA ones.
> Each of those is evaluated across a broad spectrum of potential benefits. One
> of those benefits is 'resilient-to-phishing'. Via their analysis, not all of
> them have the benefit, but some do. There's quite a bit of detail on their
> methodology, and to dig deeper, there's an extended version of the paper.
>
> I know Tom Scavo spent some time extending that table to additional specific
> MFA solutions and benefits. Betsy Burton (Gartner's EA analyst) also had some
> work built on top of that paper that she described in a presentation to the
> MFA cohortium.
>
> Anyhow, I bring up this paper because it takes the time to define a
> methodology and define what they mean, so everyone has a common
> understanding. For example, their definition of 'resilient-to-phishing' is:
>
> "Resilient-to-Phishing: An attacker who simulates
> a valid verifier (including by DNS manipulation)
> cannot collect credentials that can later be used
> to impersonate the user to the actual verifier. This
> penalizes schemes allowing phishers to get victims
> to authenticate to lookalike sites and later use
> the harvested credentials against the genuine sites.
> It is not meant to penalize schemes vulnerable
> to more sophisticated real-time man-in-the-middle
> or relay attacks, in which the attackers have one
> connection to the victim prover (pretending to be
> the verifier) and simultaneously another connection
> to the victim verifier (pretending to be the prover)."
>
> So they separate it from the MITM and relay attacks which I note that Scott
> Cantor is including in this thread.
>
> > -----Original Message-----
> > From: [ ] On Behalf Of Farmer, Jacob
> > Sent: Tuesday, March 11, 2014 4:49 AM
> > To: <>
> > Cc:
> > Subject: Re: [Assurance] can two-factor be hacked ?
> >
> > I think the place where we're getting into trouble in this conversation is
> > that we're considering multifactor authentication as a broad category. Some
> > forms of multifactor provide excellent protection against phishing - for
> > example, certificates when mutual authentication is performed.
> >
> > Unfortunately, more commonly deployed multifactor solutions provide much
> > less protection. Let's look at one-time passwords as an example. If I can
> > convince you to enter your OTP in a site I control, I can replay that OTP
> > into the legitimate site and log in as you. My ability to use that login is
> > much more limited, because the password I acquired will only work once, but
> > it will still work that first time.
> >
> > Please don't interpret that to mean I think that OTP is not a good
> > investment. I think it provides strong protection against a number of
> > attacks. For example, if one of my users is using the same password on
> > multiple sites, and one of the sites is compromised, the OTP will protect
> > them on my systems. But at the same time, I think it's important to be aware
> > of the threat vectors it does not address.
> >
> > Jacob
> >
> > =========================
> > Jacob Farmer
> > Identity Management Systems
> > (812) 856-0186
> >
> > > On Mar 11, 2014, at 3:21 AM, "Jones, Mark B" <> wrote:
> > >
> > > Well... no I had not followed the "essay" link. But now I have.
> > >
> > > I disagree with Mr. Schneier on some points. He states that "two-factor
> > > ... won't defend against phishing". He doesn't explain this opinion but it
> > > seems self-evident to me that MFA does defend against phishing. Perhaps it
> > > was a 2005 notion of what two-factor is? He does mention that "a two-factor
> > > password is more difficult to guess", and that sounds like a single factor
> > > to me. Or perhaps he is just trying to say that MFA is not a silver bullet
> > > for all security issues? In one paragraph he excoriates the use of
> > > passwords. In the next paragraph he states that "Two-factor authentication
> > > mitigates this problem". Then he describes some attacks that I agree would
> > > not be mitigated by MFA (except phishing) before going back to stating that
> > > "Two-factor authentication is not useless."
> > >
> > > The more I read the blog and the essay, I see that I do agree with Mr.
> > > Schneier on many points. He actually seems to be praising two-factor
> > > authentication as a solution to specific security issues (the issues we
> > > would be most concerned with). The point where we clearly disagree is on
> > > the usefulness of MFA in mitigating phishing. And we may disagree on MFA's
> > > effect on identity theft, depending on if he draws a distinction between
> > > identity theft and online impersonation by taking control of a user's
> > > authentication credential.
> > >
> > > ... and I wish he had explained what he means by "identity theft and bank
> > > fraud are not results of password problems; they stem from poorly
> > > authenticated transactions". I'm curious what his idea is of a well
> > > authenticated transaction.
> > >
> > > As far as the original question goes, it seems to me that MFA is a good
> > > defense.
> > >
> > >> -----Original Message-----
> > >> From: [mailto:] On Behalf Of Tom Scavo
> > >> Sent: Monday, March 10, 2014 9:49 PM
> > >> To:
> > >> Subject: Re: [Assurance] can two-factor be hacked ?
> > >>
> > >> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B <> wrote:
> > >>>
> > >>> I'm not sure how meaningful this blog is without understanding the
> > >>> specific threats being discussed.
> > >>
> > >> Did you follow the link "essay" in the first line of the blog article?
> > >> The point he is trying to make seems pretty clear to me. It seems to be a
> > >> response to the original question posed by Steven.
> > >>
> > >> Tom
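An added example, not from the thread or from any of the people quoted in it, that runs the paper's Resilient-to-Phishing definition (quoted above) as a check over two toy schemes: a plain TOTP code, which the phisher in Jacob's scenario can replay, and a response bound to the verifier's identity, the property that mutual-authentication schemes such as client certificates provide. The secret, hostnames and clock value are constructed placeholders, and the verifier-bound scheme is a simplified stand-in, not a real TLS or certificate implementation.

```python
import hashlib
import hmac
import os
import struct

# Constructed placeholders for the demo; none of these values come from the thread.
SECRET = b"constructed-demo-secret"   # authenticator secret enrolled at the genuine verifier
GENUINE = "login.example.edu"         # identity the genuine verifier proves (e.g. its TLS cert)
LOOKALIKE = "login-example.edu"       # the phisher's lookalike verifier
T = 1394551740                        # fixed clock (seconds) so the run is deterministic

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the same code for any site that asks."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def bound_response(secret: bytes, challenge: bytes, verifier: str) -> bytes:
    """Response covering the identity of the verifier the client actually talked to,
    the property mutual authentication gives (the client's proof binds to the server's)."""
    return hmac.new(secret, challenge + verifier.encode(), hashlib.sha256).digest()

def genuine_accepts(scheme: str, submitted, challenge: bytes) -> bool:
    """The genuine verifier's check of a login attempt under the given scheme."""
    if scheme == "totp":
        return hmac.compare_digest(submitted, totp(SECRET, T))
    return hmac.compare_digest(submitted, bound_response(SECRET, challenge, GENUINE))

def phisher_impersonates(scheme: str) -> bool:
    """Bonneau et al.'s Resilient-to-Phishing test: the user authenticates to a
    lookalike verifier, and the phisher later presents what it collected to the
    genuine verifier. True means the scheme fails the test."""
    # Step 1: the user, taking LOOKALIKE for the real site, authenticates there.
    if scheme == "totp":
        harvested = totp(SECRET, T)                          # six digits, bound to nothing
    else:
        harvested = bound_response(SECRET, os.urandom(16), LOOKALIKE)
    # Step 2: the phisher replays the harvested value to GENUINE within the same
    # 30 s window (Jacob's "it will still work that first time").
    return genuine_accepts(scheme, harvested, os.urandom(16))

def resilient_to_phishing(scheme: str) -> bool:
    return not phisher_impersonates(scheme)

if __name__ == "__main__":
    for scheme in ("totp", "verifier-bound"):
        print(f"{scheme:15s} resilient-to-phishing: {resilient_to_phishing(scheme)}")
```

The genuine verifier here does not track used codes, but that would not change the outcome: in this scenario the user never logged in to the genuine site, so the harvested code is still fresh when it is replayed.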


