assurance - Re: [Assurance] attacks on SMS-based 2FA

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Assurance] attacks on SMS-based 2FA
  • Date: Thu, 24 Jul 2014 09:49:22 -0400

On Thu, Jul 24, 2014 at 9:11 AM, Von Welch
<>
wrote:
>> telephony < soft tokens < hard tokens
>
> Why are "soft tokens" - which I interpret as mobile app based approaches -
> stronger than SMS?

As I said, that requires further justification (which is where we're
headed with this conversation, I suppose). My gut reaction is that the
telcos are completely untrustworthy and moreover there's no obvious
way to apply crypto and other security measures to their
infrastructure and protocols.

> Is the inter-application separation stronger such that it is harder for a
> trojan to scrape SMS messages than data from another App?

I don't totally understand that question, but clearly the Bad Guy has
subverted SMS first, so evidently that is the weakest link. At least
with mobile apps, the telco is cleanly removed from the security
equation (as evidenced by the fact that an iPod touch functions well
as a device with a soft token).

> How much harder and how long before we expect that to fail?

I don't know. Maybe others would care to hazard a guess?

Tom

> On Jul 24, 2014, at 8:23 AM, Tom Scavo
> <>
> wrote:
>
>> You may have heard this news about attacks on SMS-based 2FA at banks
>> around the world:
>>
>> https://twitter.com/trscavo/status/492079055647559681
>>
>> It's becoming clear that 2FA methods based on telephony, while better
>> than no 2FA at all, are less effective than other methods. The
>> relative strength of authentication probably goes something like this:
>>
>> telephony < soft tokens < hard tokens
>>
>> but that would require further justification.
>>
>> Tom
>