
assurance - Re: [Assurance] can two-factor be hacked ?

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Assurance] can two-factor be hacked ?
  • Date: Wed, 12 Mar 2014 11:43:13 -0400

On Wed, Mar 12, 2014 at 11:20 AM, Steven Carmody <> wrote:
>
> 1) The only way to actively defend against the MITM/proxy-based
> application/attack described in my initial note is to use credentials where
> the secret isn't shared, but rather is used to prove presence. The only
> implementation mentioned that supports this model is client certs; however,
> we all know how difficult it would be to have a large community use that
> model.

I don't think that's quite right. This doesn't have anything to do
with shared secrets and I'm not convinced that client certs are
impervious to this type of attack. Take, for example, Duo Push, which
relies on asymmetric crypto. If the bad guy can trick the user into
pressing the "Approve" button, it's game over.

I don't understand the client cert use case as well as Duo but I
suspect it has the same weakness.

Tom


