Posted by:
admin
10 years, 3 months ago
1. It has to be on.
As many people now know, Apple's two-step verification wasn't enabled for the photo service.
2. Account creation and recovery needs to be as strong as necessary.
Authentication is really about a transfer of trust. I hand you a hardware token. We exchange keys in some secure manner. I assign you a password. Registration and recovery have to be as secure as you need them to be for the risk. I think Twitter is doing some interesting things in this regard. I hardly ever have to validate my logins for Twitter. However, I recently rebuilt two computers. I then had to validate a number of logins (though decreasingly so as it seemed that Twitter started trusting my home computer more).
The trade-off seems to be: have your mobile with you if you're on an unfamiliar device. The most annoying fallback here is security questions. A second token on the PC would be much better.
(It is a bummer that you can only protect one Twitter account with two-factor authentication.)
3. Session security needs to be as strong as necessary.
If your session can be intercepted by a man-in-the-middle, then attackers will go around it. There are plenty of examples of this under headlines like "Hackers defeat two-factor authentication". Well, they didn't. They defeated SSL. Maybe you should have used mutual authentication. Hopefully, certificate pinning will reduce this issue.
4. Usability.
Usability isn't really about effectiveness, but it needs to be addressed.
I believe people have now realized that two-factor authentication is as usable as passwords. I'm not thrilled that services continue to use a password and an OTP instead of getting rid of passwords, but it's much safer to reuse passwords or use simple passwords if you are using two-step verification.
For enterprises, you need to be looking at SSO when deploying two-factor authentication. Sadly, standards like OpenID Connect are immature when compared to authentication protocols like RADIUS.
I think it's also time we called BS on articles and blog posts that talk about phishing/malware getting around two-factor authentication but do not include loss information. Otherwise, how can we judge the effectiveness of the protection?