Two-factor authentication hysteria continues!

Two-factor authentication completely fails to bring peace to the Middle East


As I predicted, the hysteria around the , well, hysteria in the information security blogosphere, which is a pretty small part of the blogosphere.

As I discussed before, this is a failure of mutual authentication, not two-factor authentication. Here are some of the headlines:

On the other hand, and sadly in the minority, zencoder has it right: Pundits Blaming 2-Factor Authentication…Again

you can’t use 2-factor authentication to protect a telnet session and expect it to be valid hosts guaranteed on both ends…telnet doesn’t have that sort of capability built into the protocol; but that’s not a problem with the 2-factor auth.

Security Curve, is also on the right track transaction authentication to make financial services acceptably secure online.

I think we do as much of a disservice to the Internet community when we inaccurately blame technology as when we inaccurately promote it as a silver bullet.

Re:Two-factor authentication hysteria continues!

Posted by nowen at Mar 22, 2007 08:17 AM
but, could you use two-factor authentication as a captcha? If you are reading this, then it looks like a yes.

Re:Two-factor authentication hysteria continues!

Posted by admin at Mar 22, 2007 08:17 AM
cross-browser testing of anonymous two-factor authentication as a captcha. this from IE.

Re:Two-factor authentication hysteria continues!

Posted by zencoder at Mar 22, 2007 08:17 AM
Sorry, should have put a xD ;) *grin* (or insert your emoticon of choice here) after my crack-smoking statement. Was meant as a humorous/jibe reply. In re-reading, it comes across much harsher than I intended. My bad.

Re:Two-factor authentication hysteria continues!

Posted by Joel at Mar 22, 2007 08:17 AM
Bottom line: 2-factor authentication doesn't accomplish the purpose for which it is being promoted--stopping identity theft and online fraud. You can argue the merits of the protocol, and whether it's the fault of the protocol itself or the people writing the specs, ultimately if it doesn't accomplish what needs to be accomplished, what good is it?

The only people I have seen arguing in favor of 2-factor authentication are the people trying to sell it to someone, and it is mistakenly (whether innocently or not I can't say) being sold as the end-all solution to online fraud and identity theft, which it definitely is not.

Re:Two-factor authentication hysteria continues!

Posted by Anonymously Authenticated User at Mar 22, 2007 08:17 AM
2-factor authentication also won't save you money on car insurance.

Re:Two-factor authentication hysteria continues!

Posted by Anonymous User at Mar 22, 2007 08:17 AM
more testing

Re:Two-factor authentication hysteria continues!

Posted by admin at Mar 22, 2007 08:17 AM
testing anonymous two-factor - FF on windows

Re:Two-factor authentication hysteria continues!

Posted by Anonymous User at Mar 22, 2007 08:17 AM
IE on windows

Re:Two-factor authentication hysteria continues!

Posted by support at Mar 22, 2007 08:17 AM
testing anonymous 2fa as

Re:Two-factor authentication hysteria continues!

Posted by admin at Mar 22, 2007 08:17 AM
Testing anonymous two-factor authentication as a form of captcha.

Re:Two-factor authentication hysteria continues!

Posted by zencoder at Mar 22, 2007 08:17 AM
Anonymous 2-factor authentication? Are you smoking crack?

Anonymous != authentication. Authentication != anonymous. Next question?

Authenticating that a PERSON, and not a bot/script/process/spider is receiving the text...ok, I can see that argument. But as an InfoSec practitioner, I call bullsh!t on that position. It's NOT AUTHENTICATION. It's categorization of the user, perhaps; Validation of a biological interaction. But it can be ANY HUMAN...or any smarter-than-the-state-of-Captcha bot-script, too. However, we don't know which person/ip/computer, so it's not authenticated. Perhaps I'm splitting hairs.

Mutual Authentication is the bone we need to pick with this hysteria. I'm really disappointed that Bruce S. uses the terminology and headline in this way. He is supposed to be smarter than that. Maybe it was an intentional blunder, to stir the controversy and discussion.