Posted by: admin, 15 years, 8 months ago
Anton Chuvakin posts a response to this post about the PayPal tokens. These posts point out a number of desired features for a broad-based consumer roll-out of two-factor authentication, such as the hope for a single token that works everywhere, but they fail to mention that the token won't stop phishing (one of the commenters does point that out).
For some reason, there is very little understanding of how to fight the phishing problem, even among technologists and technology writers who write about phishing! It is very frustrating to me that no one seems to be able to match both the desired features for a broad, consumer-based roll-out and the security required to fight phishing. So here you go:
Here is a list of desired features:
- Users should be able to choose the token form of choice.
- The token should be able to work across multiple services.
- The token should be replaceable.
- Apparently, users don't mind paying for it, if it is less than $5.
The problems with using typical, shared-secret tokens for broad consumer-based applications are:
- They don't stop phishing; the attacks will just become automated.
- Since you can't securely share a shared secret across multiple servers, some form of federation is required. This is problematic for companies that want to maintain control of their security and user databases and for users who value privacy.
So here is my list of the required features and functionality for consumer-based two-factor authentication:
- It must be inexpensive.
- It must be available in a broad selection of platforms, including Windows, Mac, Linux, wireless devices and USB drives.
- It should work across multiple services from multiple organizations without requiring federation.
- It has to support strong mutual authentication to stop man-in-the-middle attacks.
- It has to support transaction authentication that is cryptographically distinct from session authentication, to thwart session-hijacking trojans and malware.
- It should be very scalable.
- It should be open source, so the code can be reviewed.
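To make three of these points concrete (mutual authentication, transaction codes that are cryptographically distinct from session codes, and the earlier point that one shared secret cannot safely serve several services), here is an added illustration in Python. It is not WiKID's protocol or code and not from the posts being discussed; it assumes a typical symmetric shared-secret token, with a constructed secret and made-up service names (`bank.example`, `shop.example`), and uses stdlib HMAC only.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample secret (assumption: a symmetric secret shared by token and server).
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Domain-separation labels: a code computed under one label never verifies under another.
SESSION_LABEL = b"session-auth"
TXN_LABEL = b"transaction-auth"
SERVER_LABEL = b"server-proof"


def _code(secret: bytes, label: bytes, parts: list, digits: int = 8) -> str:
    """HMAC-SHA256 over label plus length-prefixed parts, truncated to decimal digits (HOTP-style)."""
    mac = hmac.new(secret, label, hashlib.sha256)
    for part in parts:
        mac.update(struct.pack(">I", len(part)))  # length prefix: "ab"+"c" must differ from "a"+"bc"
        mac.update(part)
    digest = mac.digest()
    offset = digest[-1] & 0x0F
    number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class Token:
    """The device the user holds; it remembers which service it was enrolled with."""

    def __init__(self, secret: bytes, service_id: bytes):
        self.secret, self.service_id = secret, service_id

    def verify_server(self, service_id: bytes, challenge: bytes, proof: str) -> bool:
        # Mutual authentication: the server proves it holds the secret, and the proof is
        # bound to the enrolled service identity; a site without the secret cannot forge it.
        expected = _code(self.secret, SERVER_LABEL, [service_id, challenge])
        return service_id == self.service_id and hmac.compare_digest(expected, proof)

    def session_code(self, challenge: bytes) -> str:
        return _code(self.secret, SESSION_LABEL, [challenge])

    def transaction_code(self, challenge: bytes, amount: str, payee: str) -> str:
        # The token shows amount and payee, so the user approves exactly what gets signed.
        return _code(self.secret, TXN_LABEL, [challenge, amount.encode(), payee.encode()])


class Server:
    """The service; holds the same secret and verifies codes."""

    def __init__(self, service_id: bytes, secret: bytes):
        self.service_id, self.secret = service_id, secret

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def server_proof(self, challenge: bytes) -> str:
        return _code(self.secret, SERVER_LABEL, [self.service_id, challenge])

    def check_session(self, challenge: bytes, code: str) -> bool:
        return hmac.compare_digest(_code(self.secret, SESSION_LABEL, [challenge]), code)

    def check_transaction(self, challenge: bytes, amount: str, payee: str, code: str) -> bool:
        expected = _code(self.secret, TXN_LABEL, [challenge, amount.encode(), payee.encode()])
        return hmac.compare_digest(expected, code)


def legitimate_flow() -> bool:
    """Server proves itself, user logs in, then approves one transaction."""
    bank, token = Server(b"bank.example", TOKEN_SECRET), Token(TOKEN_SECRET, b"bank.example")
    login_ch = bank.new_challenge()
    if not token.verify_server(b"bank.example", login_ch, bank.server_proof(login_ch)):
        return False
    logged_in = bank.check_session(login_ch, token.session_code(login_ch))
    txn_ch = bank.new_challenge()
    approved = bank.check_transaction(txn_ch, "100.00", "Alice",
                                      token.transaction_code(txn_ch, "100.00", "Alice"))
    return logged_in and approved


def lookalike_site_fails_mutual_auth() -> bool:
    """A site that never enrolled the token has no secret and cannot produce a server proof."""
    token = Token(TOKEN_SECRET, b"bank.example")
    challenge = secrets.token_bytes(16)
    bogus_proof = _code(b"not-the-secret", SERVER_LABEL, [b"bank.example", challenge])
    return not token.verify_server(b"bank.example", challenge, bogus_proof)


def hijacked_session_cannot_redirect_payment() -> bool:
    """Malware in an authenticated session swaps the payee; the user's code no longer verifies."""
    bank, token = Server(b"bank.example", TOKEN_SECRET), Token(TOKEN_SECRET, b"bank.example")
    challenge = bank.new_challenge()
    code = token.transaction_code(challenge, "100.00", "Alice")  # what the user approved
    return (bank.check_transaction(challenge, "100.00", "Alice", code)
            and not bank.check_transaction(challenge, "100.00", "Mallory", code))


def session_code_is_not_a_transaction_code() -> bool:
    """Domain separation: a captured login code cannot be replayed to approve a transaction."""
    bank, token = Server(b"bank.example", TOKEN_SECRET), Token(TOKEN_SECRET, b"bank.example")
    challenge = bank.new_challenge()
    return not bank.check_transaction(challenge, "100.00", "Alice", token.session_code(challenge))


def second_service_can_forge_codes() -> bool:
    """Why one shared secret cannot serve two services: whoever holds it can impersonate the user."""
    bank = Server(b"bank.example", TOKEN_SECRET)
    shop = Server(b"shop.example", TOKEN_SECRET)  # enrolled the same token with the same secret
    challenge = bank.new_challenge()
    forged = _code(shop.secret, SESSION_LABEL, [challenge])  # the shop needs no token at all
    return bank.check_session(challenge, forged)
```

The last function is the federation problem in miniature: every service that holds the secret can mint the user's codes, which is why the same symmetric secret cannot simply be handed to several organizations. The transaction functions show the other half of the argument: because the code covers the amount and payee the user saw, a trojan that alters either field after login has nothing valid to submit, and a login code is useless for that purpose because it was computed under a different label.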
Hmmm, did I miss anything?