
assurance - Re: [Assurance] can two-factor be hacked ?


  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] can two-factor be hacked ?
  • Date: Tue, 11 Mar 2014 09:50:43 -0700 (PDT)

Hi,

Dana Watanabe commented:

#Part of the problem, it seems to me, is that while we call it multi-factor,
#there's really only one factor: Information.

Normally folks think of the factors as "something you know" (like a password),
"something you have" (like a hard token), and "something you are" (biometrics,
perhaps a palm print or iris scan). True, each of those (including the
biometric case) represents information, but how that information is
represented and stored and conveyed may vary from method to method.

If you are a believer in Shannon and information theory (cf.
http://en.wikipedia.org/wiki/Information_theory ), sometimes it seems as
if there's little except information (well, and noise. :-; )

#Both the "something i have" and the "something i know" are transmitted the
#same way.

Actually, the same argument could be made for "something you are", too, for
that matter: the biometric is sensed and converted into a digital signal,
and then conveyed as a bit pattern or whatever.

#As long as all factors are turned into information that is passed remotely,
#it would seem to me that there would always be a susceptibility to a MITM
#issue.

The exception, as I mention, is probably the client certificate example. If
the client and the server mutually authenticate, and establish an end-to-end
encrypted tunnel using the same credentials, it becomes difficult to MITM
that sort of multifactor approach.

#I think David (among others) points to the trickier, but more useful,
#question: How do we train users?

Some cybersecurity types would assert that you basically want to take nice,
happy, trusting and obedient non-technical users and turn them into cranky,
cynical, distrustful and security-obsessed geeks who are prone toward
being non-compliant when faced with demands from authority (after all,
that's what most phishing attacks rely on: the lockstep and unthinking
obedience of the masses when faced with a security-related demand from
someone purportedly installed above them).

Some sites reportedly do internal phishing trials, and then schedule
remedial training for those who "fall for it," but I generally tend to
oppose that course as one prone toward generating ill will (and based
on anecdotal evidence from colleagues, the ones who fall for it the
first time tend to fall for it again, even after focused educational
efforts).

#Certificate and Browser folks came up with the nifty EV / Green Bar
#standard, which is an interesting try.

Do a test of your local users. Ask them,

"If you see a green bar in your browser when you visit a web page,
what does it mean?"

If you can get even 10% of the folks you ask to correctly explain what
it means, I'll be impressed. I've seen some people who actually think
that the green bar is a sign that there's something WRONG with the
site ("Whoa! What's that! Never had *that* happen before," etc.)

#It is probably least effective for
#people most susceptible to phishing. And the Green Bar doesn't seem to be
#on any of the browsers on my phone. And, of course, if we just got users to
#look at the URL in the first place, we'd probably catch >90% of the issue
#anyway.

Interesting exercise some time for your lunch hour: check out the reported
phish URLs at http://www.phishtank.com/phish_search.php?verified=u&active=y
(you'll need to sign up for a free account if you'd like to actually vote
on which ones are and aren't phishing).

Some of the URLs are easily assessed; others, less so. (I've been working
against phishing for maybe ten years (I think I did my first talk with
"phish" in the title back in 2005 or so), but I still wouldn't claim to
be able to definitively assess all the URLs you see at something like
Phishtank -- or at least in the past I've certainly seen times where my
assessment (phish/non-phish) doesn't line up 100% with what others think)

#I'm not sure how to train users, but one thing that doesn't help is having
#it be valid for users to use the same username/password in multiple login
#screens.

Are you thinking of federated identity when you say this, or something else?
Even if the WAYF screens look different on different sites, the institutional
login page should have a consistent look and feel AND a consistent URL.

Regards,

Joe
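The client-certificate case Joe describes above (client and server mutually authenticate and the tunnel is bound to those same credentials) can be shown in code. The Go program below is an added example, not code from the original message or from any project it mentions. It builds a throwaway CA in memory, issues a server certificate and a client certificate from it, and starts a TLS server on the loopback interface with `ClientAuth: tls.RequireAndVerifyClientCert`. A client holding a CA-issued certificate and its private key is served; a client that trusts the CA but has no certificate of its own is refused during the handshake. That is the property that makes relaying hard: a party in the middle can forward bits, but cannot complete either end of the tunnel without a key it does not hold. The names (Example Campus CA, login.example.edu, jdoe) are constructed, and the server certificate carries a 127.0.0.1 IP SAN only so that the loopback dial verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a P-256 certificate for cn with its key; parent == nil makes it a self-signed CA.
func issue(cn string, serial int64, usage []x509.ExtKeyUsage, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed names, not a real institution
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           usage,
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the server cert match the loopback dial
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve listens on loopback and completes the handshake only for clients whose certificate chains to pool.
func serve(pool *x509.CertPool, server *tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication switch
		ClientCAs:    pool,
	})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				if err := c.(*tls.Conn).Handshake(); err == nil { // fails for a client without a valid cert
					c.Write([]byte("ok"))
				}
			}()
		}
	}()
	return ln
}

// connect dials with cfg and returns the reply. A rejected client gets an error from Dial (TLS 1.2)
// or from Read (TLS 1.3, where the server's alert arrives after the client's half of the handshake).
func connect(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 16)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// Demo reports whether the certificate-holding client was served and whether a keyless client was refused.
func Demo() (withCertServed, withoutCertRefused bool) {
	ca := issue("Example Campus CA", 1, nil, nil)
	server := issue("login.example.edu", 2, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca)
	client := issue("jdoe", 3, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := serve(pool, server)
	defer ln.Close()
	reply, err := connect(ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{*client}})
	withCertServed = err == nil && reply == "ok"
	_, err = connect(ln.Addr().String(), &tls.Config{RootCAs: pool})
	return withCertServed, err != nil
}
```

`Demo()` is the entry point: call it from a `main` or a test and it returns `true, true` when the CA-issued client is served and the keyless client is refused. The second client is the interesting one. It trusts the CA, so it can verify the server and would happily complete an ordinary one-sided TLS handshake; what it lacks is a private key the server's `ClientCAs` pool vouches for, and `RequireAndVerifyClientCert` makes that absence fatal. The same logic is what stands in the way of a relay: forwarding a password or a one-time code is enough to pass a "something you know" check, but forwarding a certificate without its key is not enough to pass this one.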


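Joe's closing point, that the institutional login page should keep a consistent URL, and his earlier remark that getting users to look at the URL would catch most of the problem, can be turned into a check that explains itself. The Go program below is an added example, not code from the original message or from any project it mentions; it goes a little beyond the text by naming several ways a URL can fail to be the expected login page rather than just host equality. Given one expected login host, it reports for each candidate URL the first thing that disqualifies it: a credential-style '@' segment that hides the real host, a missing https, the trusted name appearing only as a prefix of some other domain, or a sibling host on the same institutional domain. The hosts (login.example.edu, sso.example.edu and the rest) and the address 203.0.113.7 are constructed sample data, and the registrable-domain helper is a naive last-two-labels stand-in for a public-suffix lookup, an assumption that does not hold for every TLD.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict is the outcome of checking one URL against the login host users are taught to expect.
type Verdict struct {
	URL     string
	Trusted bool
	Reason  string
}

// registrable returns the last two labels of a host. It is a deliberately naive
// stand-in for a public-suffix lookup and is only right for names like example.edu.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// AssessLoginURL reports whether raw is the institutional login page at trustedHost
// and, if not, names the first thing in the URL that gives it away.
func AssessLoginURL(raw, trustedHost string) Verdict {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return Verdict{raw, false, "not an absolute URL"}
	}
	host := strings.ToLower(u.Hostname())
	switch {
	case u.User != nil:
		// everything before '@' is user-info; the host is whatever follows it
		return Verdict{raw, false, "text before '@' is user-info, not the host; the real host is " + host}
	case u.Scheme != "https":
		return Verdict{raw, false, "not https"}
	case host == trustedHost:
		return Verdict{raw, true, "host matches " + trustedHost}
	case strings.HasPrefix(host, trustedHost+"."):
		return Verdict{raw, false, "trusted name is only a prefix; the real domain is " + registrable(host)}
	case registrable(host) == registrable(trustedHost):
		return Verdict{raw, false, "same institution domain, but not the login host"}
	default:
		return Verdict{raw, false, "unrelated domain " + registrable(host)}
	}
}

// AssessAll applies AssessLoginURL to each URL in raws, in order.
func AssessAll(raws []string, trustedHost string) []Verdict {
	out := make([]Verdict, 0, len(raws))
	for _, r := range raws {
		out = append(out, AssessLoginURL(r, trustedHost))
	}
	return out
}

// SampleURLs are constructed for this example; login.example.edu stands in for
// an institution's real login host and 203.0.113.7 is a documentation address.
var SampleURLs = []string{
	"https://login.example.edu/idp/profile/SAML2",
	"http://login.example.edu/idp/profile/SAML2",
	"https://login.example.edu.account-verify.example/idp",
	"https://login.example.edu@203.0.113.7/idp",
	"https://sso.example.edu/idp",
	"https://loginexample.edu/idp",
	"/idp/profile/SAML2",
}

func main() {
	for _, v := range AssessAll(SampleURLs, "login.example.edu") {
		fmt.Printf("%-55s trusted=%-5t %s\n", v.URL, v.Trusted, v.Reason)
	}
}
```

Only the first sample is accepted; every other one is rejected with a reason a help desk could repeat back to a user. The ordering of the cases matters: the '@' check runs before the host comparison because `url.Parse` reports the text before '@' as `User`, so a string that begins with the trusted name can still resolve to an entirely different host, and the same-domain case is reported separately so that a legitimate but unexpected campus host is flagged for a look rather than lumped in with unrelated domains.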
