<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d7648801\x26blogName\x3dThoughtus+Confoundus\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttps://thoughtusconfoundus.blogspot.com/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://thoughtusconfoundus.blogspot.com/\x26vt\x3d-65323157925501362', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe", messageHandlersFilter: gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER, messageHandlers: { 'blogger-ping': function() {} } }); } }); </script>
Thoughtus Confoundus

High security zone for hazardous thoughts. Think many many times before reading. If you're lucky you'll get away with thinking its plain crap. The author accepts no responsibility for induced insanity. 

Wednesday, October 05, 2005

2 Factor...

With the bank in the hood dishing out these cute little gadgets there's been the predictable spike in interest in 2 factor authentication. The master has this & this to say. A low down on token based 2 factor authentication can be found here.

Schneier sums up by saying something like ".. 2 factor authentication solves the problem of authentication, and hence mitigates some security concerns. But it does not solve non- authentication related vulnerabilities, which unfortunately are the more common. So 2-factor authentication does not infact help much".

Let me present an alternative perspective: 2 factor authentication solves the problem of authentication data compromise at the service-provider-end.

Let's say that a banks authentication data store has been compromised. Take the case in which the bank does not have 2 factor authentication; there is nothing preventing an attacker from using the authentication data.

Now, take the case where the bank does have 2 factor authentication. Then, even if the authentication data (user names, passwords, PINs..) are compromised the attacker is still in the dark, since part of the key is still with the user(i.e. the token which generates a one time password, or a digital certificate located in a smart card). I am assuming that the data store for any secret keys that the 2nd factor uses, is in a separate data store at the bank-end.

So 2 factor authentication guards against the banks authentication data being compromised. It effectively closes one door, in terms of the banks liability.

In contrast to this, authentication data compromise at the user end through, as schneier points out, Man in the Middle attacks and Trojans as well as just nicking the piece of paper your username and password is written on along with the 2-factor authentication token, is not completely solved at the user end. Mitigated, because you have to steal a token or log another key sequence - but not eliminated.

The neat thing is that the bank is effectively securing their end of the stable by introducing a gadget to be used by the customer. I don't know whether to feel awed or used...
12:05 AM

|

© gumz 2005 - Powered for Blogger by Blogger Templates