assurance - Re: [Assurance] can two-factor be hacked ?
- From: Josh Alexander
- Subject: Re: [Assurance] can two-factor be hacked ?
- Date: Wed, 12 Mar 2014 13:40:38 -0500
##>I must be missing something. If there's mutual authentication (as
##>Jacob described earlier), then I see how MiTM is avoided, but how does
##>ordinary TLS client authentication prevent a MiTM from replaying to
##>the authentic IdP?
##There is mutual authentication. A TLS connection with certs on both ends
##involves proof of key possession by both endpoints that leads to the
##session key(s) used. The only risk is not waiting for that final state of
##affairs before sending data, but that's just an application flaw.
Scott and Tom,
I think I get what both of you are saying - but to Tom's previous question
- what if you could leverage social engineering and
convince/hassle/provoke a user to grant access (press ALLOW) for
un-authentic requests? Additionally, so far the conversation has been
steered toward MiTM attack vectors against MFA, but what about MiTB and
various endpoint attacks that happen post session authentication - what
are your thoughts as to if/how MFA can defend against these attacks behind
session auth?
Great thread BTW - just had to jump in and ask.
Thanks!
--
Joshua D. Alexander