assurance - Re: [Assurance] can two-factor be hacked ?
- From: Tom Scavo
- Subject: Re: [Assurance] can two-factor be hacked ?
- Date: Thu, 17 Apr 2014 16:40:18 -0400
On Thu, Apr 17, 2014 at 4:06 PM, David Walker wrote:
>
> I was just reading the FIDO Alliance's U2F overview
> (https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf),
> and I think they have a solution to this issue. They use public key
> cryptography, though not PKI, for mutual authentication of the service
> and the token, which (I think) should defeat this kind of
> man-in-the-middle vulnerability.
Duo Push uses public key crypto as well:
https://www.duosecurity.com/blog/heartbleed-defense-in-depth-part-2
but that still doesn't prevent a MiTM (as discussed earlier in the
thread). Doesn't U2F require a button push by the user? If so, then
how does it avoid this problem?
Tom