Posted by:
admin
15 years, 12 months ago
For some reason, I really enjoyed this impromptu review of image-based "multi-factor authentication". These image-based site authentication tools are sadly mislabeled as two-factor authentication, which is a personal cocktail party tragedy for me:
Share on Twitter Share on FacebookParty go-er: You do what? What is two-factor authentication?
Me: Well, you use it all the time at the ATM where you need both possession of the card and knowledge of the PIN to get your cash. Ours is like that, only you need possession of the secret key in our software and knowledge of the PIN to get a one-time passcode that you then use to get access to a corporate VPN or a website.
Party Go-er: Oh, my bank is using two-factor authentication. The second factor is a picture of a cat they have to show me.
Me:Yeahhh, that's not really two-factor. They are trying to prevent a man-in-the-middle attack by trying to identify the site to you in way that is simple. Unfortunately, there is still nothing that prevents and man-in-the-middle from replaying that picture to you because there is no cryptograpy involved. We have a process that combines one-time passcodes and a cryptographically secure mutual https authentication mechanism to prevent network-based man-in-the-middle attacks...
Pary Goner Oh, are they bringing our more pigs-in-a-blanket. I have to get more of those...
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)