assurance - RE: [Assurance] attacks on SMS-based 2FA
Subject: Assurance
List archive
- From: Mark Beadles <>
- To: "" <>
- Subject: RE: [Assurance] attacks on SMS-based 2FA
- Date: Thu, 24 Jul 2014 14:03:19 +0000
- Accept-language: en-US
This seems to be less an attack vs. SMS than an attack vs. mTAN.
Standard TANs are a particularly weak second factor - essentially a OTP with
a lifetime of up to a year.
Mark Beadles Chief Information Security Officer OARnet, a member of the Ohio
Technology Consortium Ohio Board of Regents and the Ohio State University
www.oar.net www.oh-tech.org regents.ohio.gov
direct 614.292.8217 mobile 614.327.8046
________________________________________
From:
[]
on behalf of Tom Scavo
[]
Sent: Thursday, July 24, 2014 8:23 AM
To:
Subject: [Assurance] attacks on SMS-based 2FA
You may have heard this news about attacks on SMS-based 2FA at banks
around the world:
https://twitter.com/trscavo/status/492079055647559681
It's becoming clear that 2FA methods based on telephony, while better
than no 2FA at all, are less effective than other methods. The
relative strength of authentication probably goes something like this:
telephony < soft tokens < hard tokens
but that would require further justification.
Tom
- [Assurance] attacks on SMS-based 2FA, Tom Scavo, 07/24/2014
- RE: [Assurance] attacks on SMS-based 2FA, Caskey, Paul, 07/24/2014
- Re: [Assurance] attacks on SMS-based 2FA, Tom Scavo, 07/24/2014
- Re: [Assurance] attacks on SMS-based 2FA, Von Welch, 07/24/2014
- Re: [Assurance] attacks on SMS-based 2FA, Tom Scavo, 07/24/2014
- RE: [Assurance] attacks on SMS-based 2FA, Caskey, Paul, 07/24/2014
- Re: [Assurance] attacks on SMS-based 2FA, Tom Scavo, 07/24/2014
- RE: [Assurance] attacks on SMS-based 2FA, Farmer, Jacob, 07/24/2014
- Re: [Assurance] attacks on SMS-based 2FA, Cantor, Scott, 07/24/2014
- RE: [Assurance] attacks on SMS-based 2FA, Mark Beadles, 07/24/2014
- RE: [Assurance] attacks on SMS-based 2FA, Caskey, Paul, 07/24/2014
Archive powered by MHonArc 2.6.16.