assurance - Re: [Assurance] can two-factor be hacked ?
- From: David Walker <>
- Subject: Re: [Assurance] can two-factor be hacked ?
- Date: Thu, 17 Apr 2014 13:06:43 -0700
Perhaps beating a dead horse...
I was just reading the FIDO Alliance's U2F overview
(https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf),
and I think they have a solution to this issue. They use public key
cryptography, though not PKI, for mutual authentication of the service
and the token, which (I think) should defeat this kind of
man-in-the-middle vulnerability.
David
On 03/07/2014 11:39 AM, Steven Carmody wrote:
> Hi,
>
> I'll summarize the long back story... a student recently brought us a
> new app that they had recently built. It's 120 lines of javascript, and
> leverages both node.js and the meteor platform. This app sits in front
> of our Banner student system and acts as a proxy. It presents its own
> login page, and immediately navigates through Banner and retrieves how
> many dining hall points that user currently has. The good news is that
> while the student actually deployed this in the cloud
> (bearbucks.meteor.com), he also brought it to our attention. It didn't
> take much effort to develop this app. We've also determined that a
> slightly modified version of this app works just fine with our IDP
> login page.
>
> Up until now, we had been thinking that 2-factor would provide a
> defense against phished and stolen passwords.
>
> But, this is a little different. This proxy sits in front of our apps;
> it isn't a dead end that's just trying to trick people into entering
> their passwords.
>
> Most worrisome, though, is that we think that if we implemented some
> forms of two factor in the authN process of our apps that this proxy
> could quickly evolve to handle the extra step. If we TXTed a code to
> the person's mobile phone and presented a web form, the proxy could
> easily handle that. We also expect that the proxy could evolve to deal
> with CAPTCHA style approaches.
>
> So, beyond user education, what might people suggest as a way to
> detect, block, or prevent this sort of potentially-password-stealing
> approach, that could even handle some forms of two-factor?
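To make the U2F point concrete, here is an added example (not code from the FIDO specification or from either poster) that models the three parties in the U2F flow: a token that derives a per-app-ID key at registration, a browser that records the page origin in the signed client data and only lets a page use an app ID matching its origin, and a relying party that checks origin, challenge, signature and counter. The signature primitive is an assumption for portability: an HMAC keyed by the registration key stands in for the ECDSA P-256 signature real U2F uses over the same byte layout. The origins `https://sso.example.edu` and `https://bearbucks.example` and the user `alice` are constructed. The relaying proxy from Steven's message is modelled as a page on a different origin that forwards the relying party's real challenge unchanged; an SMS code forwarded the same way would be accepted, but here both ways the proxy page can ask for an assertion fail before the relying party ever sees a signature.

```python
"""Why an origin-bound challenge/response (U2F-style) resists a relaying proxy.

Simplified model of the FIDO U2F flow. The signature primitive is an HMAC
stand-in over the same bytes U2F signs (assumption, so this runs on the
standard library); real U2F uses ECDSA P-256 with a per-registration key pair.
"""
import hashlib
import hmac
import json
import os
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """A U2F-style authenticator. Each registration yields a key derived from
    the device secret and the app ID, so the key only works for that app ID."""

    def __init__(self):
        self._device_secret = os.urandom(32)  # never leaves the token
        self._counter = 0

    def _key_for(self, app_id: str) -> bytes:
        return hmac.new(self._device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> dict:
        # Real key handles are opaque blobs; here the handle is simply the app ID
        # it was issued for, and verify_key stands in for the public key.
        return {"key_handle": app_id, "verify_key": self._key_for(app_id)}

    def authenticate(self, app_id: str, key_handle: str, client_data_hash: bytes) -> dict:
        if key_handle != app_id:
            raise ValueError("token: key handle was not registered for this app ID")
        self._counter += 1
        # U2F signs: SHA-256(appId) || user-presence byte || counter || SHA-256(clientData)
        signed = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", self._counter) + client_data_hash
        sig = hmac.new(self._key_for(app_id), signed, hashlib.sha256).digest()
        return {"counter": self._counter, "signature": sig}


class Browser:
    """Browser on a given page origin. It writes that origin into the client
    data and only lets the page use an app ID equal to its own origin."""

    def __init__(self, token: Token, page_origin: str):
        self.token = token
        self.page_origin = page_origin

    def get_assertion(self, app_id: str, key_handle: str, challenge: str) -> dict:
        if app_id != self.page_origin:
            raise ValueError("browser: page origin is not allowed to use this app ID")
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": self.page_origin},
                                 sort_keys=True)
        resp = self.token.authenticate(app_id, key_handle, sha256(client_data.encode()))
        return {"client_data": client_data, **resp}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin          # the RP's origin doubles as its app ID
        self.users = {}               # username -> key_handle, verify_key, counter
        self._challenges = {}

    def register(self, user: str, reg: dict) -> None:
        self.users[user] = {**reg, "counter": 0}

    def start_login(self, user: str) -> dict:
        challenge = os.urandom(16).hex()
        self._challenges[user] = challenge
        return {"app_id": self.origin, "key_handle": self.users[user]["key_handle"],
                "challenge": challenge}

    def finish_login(self, user: str, assertion: dict) -> bool:
        rec = self.users[user]
        cd = json.loads(assertion["client_data"])
        # The origin the browser saw must be ours, and the challenge must be the one we issued.
        if cd.get("origin") != self.origin or cd.get("challenge") != self._challenges.pop(user, None):
            return False
        expected = (sha256(self.origin.encode()) + b"\x01" + struct.pack(">I", assertion["counter"])
                    + sha256(assertion["client_data"].encode()))
        good = hmac.compare_digest(hmac.new(rec["verify_key"], expected, hashlib.sha256).digest(),
                                   assertion["signature"])
        if good and assertion["counter"] > rec["counter"]:   # counter must move forward
            rec["counter"] = assertion["counter"]
            return True
        return False


def login_via(page_origin: str) -> tuple:
    """One login with the user's browser on page_origin. A page whose origin is not
    the RP's models a relaying proxy: it forwards the RP's real challenge to the user.
    Returns (accepted, reason)."""
    rp = RelyingParty("https://sso.example.edu")        # constructed origin
    token = Token()
    rp.register("alice", token.register(rp.origin))
    params = rp.start_login("alice")                    # a proxy relays these unchanged
    browser = Browser(token, page_origin)
    reasons = []
    # The page may ask with the RP's app ID (browser refuses on a foreign origin)
    # or with its own origin as app ID (token refuses: key handle is bound to the RP).
    for app_id in (params["app_id"], page_origin):
        try:
            assertion = browser.get_assertion(app_id, params["key_handle"], params["challenge"])
        except ValueError as exc:
            reasons.append(str(exc))
            continue
        ok = rp.finish_login("alice", assertion)
        return ok, "accepted" if ok else "relying party rejected assertion"
    return False, "; ".join(reasons)


if __name__ == "__main__":
    print(login_via("https://sso.example.edu"))   # legitimate page
    print(login_via("https://bearbucks.example")) # relaying proxy on another origin
```

The detection angle for a site that still relies on relayable factors follows from the same idea: the relying party can at least log the client-side origin and compare the connecting address with the one the user's browser would present, which is exactly the information the proxy cannot forge once it is bound into a signature.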