assurance - RE: [Assurance] can two-factor be hacked ?
Subject: Assurance
List archive
- From: Brian Arkills <>
- To: "" <>
- Subject: RE: [Assurance] can two-factor be hacked ?
- Date: Tue, 11 Mar 2014 16:38:51 +0000
- Accept-language: en-US
Oops. Meant Eve Maler from Forrester Research, not Betsy Burton ...
> -----Original Message-----
> From:
>
> [
> ]
> On Behalf Of Brian Arkills
> Sent: Tuesday, March 11, 2014 8:36 AM
> To:
>
> Subject: RE: [Assurance] can two-factor be hacked ?
>
> Jacob has some really good points here.
>
> http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-
> password--oakland.pdf is something the MFA consortium has taken a look at.
> On page 11, you'll find a table with a variety of "web authentication
> schemes"
> that include MFA ones. Each of those is evaluated across a broad spectrum of
> potential benefits. One of those benefits is 'resilient-to-phishing'. Via
> their
> analysis, not all of them have the benefit, but some do. There's quite a
> bit of
> detail on their methodology, and to dig deeper, there's an extended version
> of the paper.
>
> I know Tom Scavo spent some time extending that table to additional specific
> MFA solutions and benefits. Betsy Burton (Garner's EA analyst) also had
> some work built on top of that paper that she described in a presentation to
> the MFA cohortium.
>
> Anyhow, I bring up this paper because it takes the time to define a
> methodology and define what they mean, so everyone has a common
> understanding. For example, their definition of 'resilient-to-phishing' is:
>
> "Resilient-to-Phishing: An attacker who simulates
> a valid verifier (including by DNS manipulation)
> cannot collect credentials that can later be used
> to impersonate the user to the actual verifier. This
> penalizes schemes allowing phishers to get victims
> to authenticate to lookalike sites and later use
> the harvested credentials against the genuine sites.
> It is not meant to penalize schemes vulnerable
> to more sophisticated real-time man-in-the-middle
> or relay attacks, in which the attackers have one
> connection to the victim prover (pretending to be
> the verifier) and simultaneously another connection
> to the victim verifier (pretending to be the prover)."
>
> So they separate it from the MITM and relay attacks which I note that Scott
> Cantor is including in this thread.
>
> > -----Original Message-----
> > From:
> >
> > [
> > ]
> > On Behalf Of Farmer, Jacob
> > Sent: Tuesday, March 11, 2014 4:49 AM
> > To:
> > <>
> > Cc:
> >
> > Subject: Re: [Assurance] can two-factor be hacked ?
> >
> > I think the place where we're getting into trouble in this conversation is
> that
> > we're considering multifactor authentication as a broad category. Some
> > forms of multifactor provide excellent protection against phishing - for
> > example, certificates when mutual authentication is performed.
> >
> > Unfortunately, more commonly deployed multifactor solutions provide
> much
> > less protection. Let's look at one time passwords as an example. If I can
> > convince you to enter your OTP in a site I control, I can replay that OTP
> > into
> > the legitimate site and login as you. My ability to use that login is
> > much
> more
> > limited, because the password I acquired will only work once, but it will
> > still
> > work that first time.
> >
> > Please don't interpret that to mean I think that OTP is not a good
> investment.
> > I think it provides strong protection against a number of attacks. For
> > example, if one of my users is using the same password on multiple sites,
> > and one of the sites is compromised, the OTP will protect them on my
> > systems. But at the same time, I think it's important to be aware of the
> > threat vectors it does not address.
> >
> > Jacob
> >
> > =========================
> > Jacob Farmer
> > Identity Management Systems
> > (812) 856-0186
> >
> > > On Mar 11, 2014, at 3:21 AM, "Jones, Mark B"
> > <>
> > wrote:
> > >
> > > Well... no I had not followed the "essay" link. But now I have.
> > >
> > > I disagree with Mr. Schneier on some points. He states that "two-factor
> ...
> > > won't defend against phishing". He doesn't explain this opinion but it
> > > seems self-evident to me that MFA does defend against phishing.
> Perhaps
> > it
> > > was a 2005 notion of what two-factor is? He does mention that "a two-
> > factor
> > > password is more difficult to guess", and that sounds like a single
> > > factor
> > > to me. Or perhaps he is just trying to say that MFA is not a sliver
> > > bullet
> > > for all security issues? In one paragraph he excoriates the use of
> > > passwords. In the next paragraph he states that "Two-factor
> > authentication
> > > mitigates this problem". Then he describes some attacks that I agree
> > would
> > > not be mitigated by MFA (except phishing) before going back to stating
> > that
> > > "Two-factor authentication is not useless."
> > >
> > > The more I read the blog and the essay I see that I do agree with Mr.
> > > Schneier on many points. He actually seems to be praising two-factor
> > > authentication as a solution to specific security issues (the issues we
> > > would be most concerned with). The point where we clearly disagree is
> on
> > > the usefulness of MFA in mitigating phishing. And we may disagree on
> > MFAs
> > > effect on identity theft, depending on if he draws a distinction between
> > > identity theft and online impersonation by taking control of a user's
> > > authentication credential.
> > >
> > > ... and I wish he had explained what he means by "identity theft and
> > > bank
> > > fraud are not results of password problems; they stem from poorly
> > > authenticated transactions". I'm curious what his idea is of a well
> > > authenticated transaction.
> > >
> > > As far as the original question. It seems to me that MFA is a good
> defense.
> > >
> > >> -----Original Message-----
> > >> From:
> > >>
> > >>
> > >> [mailto:]
> > >> On Behalf Of
> Tom
> > >> Scavo
> > >> Sent: Monday, March 10, 2014 9:49 PM
> > >> To:
> > >>
> > >> Subject: Re: [Assurance] can two-factor be hacked ?
> > >>
> > >> On Mon, Mar 10, 2014 at 8:48 PM, Jones, Mark B
> > >> <>
> > >> wrote:
> > >>>
> > >>> I'm not sure how meaningful this blog is without understanding the
> > >>> specific threats being discussed.
> > >>
> > >> Did you follow the link "essay" in the first line of the blog article?
> > >> The point he is trying to make seems pretty clear to me. It seems to
> > >> be a
> > >> response to the original question posed by Steven.
> > >>
> > >> Tom
- RE: [Assurance] can two-factor be hacked ?, (continued)
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/10/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/10/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Brian Arkills, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Steven Carmody, 03/12/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/12/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/12/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/12/2014
- RE: [Assurance] can two-factor be hacked ?, Brian Arkills, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Brian Arkills, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 03/10/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Etan Weintraub, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/11/2014
- Re: [Assurance] can two-factor be hacked ?, Dana Watanabe, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/11/2014
- RE: [Assurance] can two-factor be hacked ?, Jones, Mark B, 03/10/2014
- Re: [Assurance] can two-factor be hacked ?, Steven Carmody, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
Archive powered by MHonArc 2.6.16.