assurance - RE: [Assurance] can two-factor be hacked ?
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: [Assurance] can two-factor be hacked ?
- Date: Thu, 17 Apr 2014 23:07:44 +0000
- Accept-language: en-US
The difference around FIDO (and SQRL, for that matter) is that there's
basically a two-way validation happening. The private key generated by the
FIDO/SQRL client is based on identity information from the server. At least
in SQRL, the URL of the site being authenticated to also comes into play.
As I understand it, it's sort of like a SAML metadata validation, in that the
acceptable endpoints of an authentication message for a specific
service/target are pre-defined. It's unlike metadata in that there's no
out-of-band exchange of the endpoints (it's instead part of the account setup,
defined when the new service-specific private key is created).
If a MiTM gets iTM, it will look like a new service/endpoint, and so the
authentication assertion the MiTM gets from the user won't match up to the
assertion the target service needs. (And the user should be alerted that
he/she is creating a new account, not authenticating with an existing one.)
That's at least how I understand the SQRL version of the technology; I think
FIDO is relatively similar, but I'm doing some guessing here.
--- Eric
> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Thursday, April 17, 2014 1:40 PM
> To:
> Subject: Re: [Assurance] can two-factor be hacked ?
>
> On Thu, Apr 17, 2014 at 4:06 PM, David Walker <> wrote:
> >
> > I was just reading the FIDO Alliance's U2F overview
> > (https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf),
> > and I think they have a solution to this issue. They use public
> > key cryptography, though not PKI, for mutual authentication of the
> > service and the token, which (I think) should defeat this kind of
> > man-in-the-middle vulnerability.
>
> Duo Push uses public key crypto as well:
>
> https://www.duosecurity.com/blog/heartbleed-defense-in-depth-part-2
>
> but that still doesn't prevent a MiTM (as discussed earlier in the
> thread). Doesn't U2F require a button push by the user? If so, then how
> does it avoid this problem?
>
> Tom
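The origin-bound key mechanism Eric describes above, sketched as an added example that is not SQRL or FIDO code and not from any list member. It models the SQRL-style idea loosely: the client derives a per-site Ed25519 key as HMAC-SHA256(master secret, origin) and signs the server's nonce together with the origin it is actually visiting, so a relaying man-in-the-middle at a look-alike origin ends up presenting a key the real site never enrolled. The master secret, the origins, the user name and the signed-message layout are all constructed for the example; real SQRL and U2F wire formats differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Client holds the user's long-term master secret. Every per-site key is
// derived from it, so the client stores nothing per service.
type Client struct{ master []byte }

// siteKey derives the per-origin key pair: seed = HMAC-SHA256(master, origin).
// A different origin (a phishing proxy, say) yields an unrelated key pair.
func (c *Client) siteKey(origin string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte(origin))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC-SHA256 output is the 32-byte seed
}

// Assertion is the client's reply to a challenge. Origin is the URL the client
// is visiting, supplied by the client side, not a value taken from the server.
type Assertion struct {
	Origin    string
	Nonce     []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// signedBytes binds the origin into the signature so an assertion cannot be
// relabelled for another origin after the fact (constructed layout).
func signedBytes(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Respond answers a challenge with the key derived for origin.
func (c *Client) Respond(origin string, nonce []byte) Assertion {
	priv := c.siteKey(origin)
	return Assertion{Origin: origin, Nonce: nonce,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedBytes(origin, nonce))}
}

// Server is one relying party: its own origin, the key enrolled per user, and
// the nonces it has issued but not yet consumed.
type Server struct {
	origin   string
	enrolled map[string]ed25519.PublicKey
	issued   map[string]bool
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, enrolled: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

// Challenge issues a fresh random nonce and remembers it.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; error ignored for brevity
	s.issued[hex.EncodeToString(nonce)] = true
	return nonce
}

// check validates origin, nonce freshness and signature; the nonce is consumed
// only once every check passes.
func (s *Server) check(a Assertion) string {
	if a.Origin != s.origin {
		return "rejected: origin mismatch"
	}
	key := hex.EncodeToString(a.Nonce)
	if !s.issued[key] {
		return "rejected: unknown or replayed nonce"
	}
	if !ed25519.Verify(a.PublicKey, signedBytes(a.Origin, a.Nonce), a.Signature) {
		return "rejected: bad signature"
	}
	delete(s.issued, key)
	return "ok"
}

// Enroll stores the public key presented at account setup.
func (s *Server) Enroll(user string, a Assertion) string {
	if r := s.check(a); r != "ok" {
		return r
	}
	s.enrolled[user] = a.PublicKey
	return "ok"
}

// Login accepts only an assertion signed by the key enrolled for user.
func (s *Server) Login(user string, a Assertion) string {
	if r := s.check(a); r != "ok" {
		return r
	}
	if !bytes.Equal(s.enrolled[user], a.PublicKey) {
		return "rejected: key not enrolled (looks like a new identity)"
	}
	return "ok"
}

// Scenario runs enrolment, an honest login and a relaying MITM, returning the
// real server's verdicts and whether the proxy ever sees the enrolled key.
func Scenario() (honest, relayedAsIs, relayedRelabelled string, proxyHasEnrolledKey bool) {
	client := &Client{master: bytes.Repeat([]byte{0x42}, 32)} // constructed secret
	real := NewServer("https://real.example")
	real.Enroll("alice", client.Respond(real.origin, real.Challenge()))
	honest = real.Login("alice", client.Respond(real.origin, real.Challenge()))

	// MITM: a proxy at a look-alike origin fetches a real nonce and forwards it;
	// the user's client signs for the origin it actually sees.
	const evil = "https://real-example.evil"
	fromUser := client.Respond(evil, real.Challenge())
	relayedAsIs = real.Login("alice", fromUser) // relayed untouched
	relabelled := fromUser
	relabelled.Origin = real.origin // proxy rewrites the origin field
	relayedRelabelled = real.Login("alice", relabelled)
	proxyHasEnrolledKey = bytes.Equal(fromUser.PublicKey, real.enrolled["alice"])
	return
}

func main() {
	h, a, r, same := Scenario()
	fmt.Println("honest login:", h)
	fmt.Println("relayed as-is:", a)
	fmt.Println("relayed with origin rewritten:", r)
	fmt.Println("proxy holds alice's enrolled key:", same)
}
```

The two relay attempts fail for different reasons: passed through untouched, the assertion names the wrong origin; with the origin field rewritten, the signature no longer verifies because the origin is inside the signed bytes. Either way the key the proxy obtained is not the one enrolled for the user, which is the "looks like a new service/endpoint" effect described above.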
- Re: [Assurance] can two-factor be hacked ?, David Walker, 04/17/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 04/17/2014
- Re: [Assurance] can two-factor be hacked ?, David Walker, 04/17/2014
- RE: [Assurance] can two-factor be hacked ?, Eric Goodman, 04/17/2014
- Re: [Assurance] can two-factor be hacked ?, Tom Scavo, 04/17/2014