
Unofficial review of mutual authentication schemes

For some reason, I really enjoyed this impromptu review of image-based "multi-factor authentication". These image-based site authentication tools are sadly mislabeled as two-factor authentication, which is a personal cocktail party tragedy for me:

Party-goer: You do what? What is two-factor authentication?

Me: Well, you use it all the time at the ATM where you need both possession of the card and knowledge of the PIN to get your cash. Ours is like that, only you need possession of the secret key in our software and knowledge of the PIN to get a one-time passcode that you then use to get access to a corporate VPN or a website.

Party-goer: Oh, my bank is using two-factor authentication. The second factor is a picture of a cat they have to show me.

Me: Yeahhh, that's not really two-factor. They are trying to prevent a man-in-the-middle attack by identifying the site to you in a way that is simple. Unfortunately, there is still nothing that prevents a man-in-the-middle from replaying that picture to you, because there is no cryptography involved. We have a process that combines one-time passcodes and a cryptographically secure mutual HTTPS authentication mechanism to prevent network-based man-in-the-middle attacks...

Party-goer: Oh, are they bringing out more pigs-in-a-blanket? I have to get more of those...
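To make the difference concrete, here is a small Python model of the two schemes the dialogue contrasts. It is an added example, not code from this post or from the author's product. It assumes a per-user shared secret provisioned into the OTP software, an RFC 4226 HOTP passcode, and a per-TLS-session "channel binding" value standing in for something like tls-unique or TLS exporter data; the image bytes, secret and nonces are constructed sample values. The site-image check passes whether or not a relay sits between user and server, because nothing ties the picture to the session; the HMAC proof bound to the channel fails the moment the user's TLS session is not the one the server is speaking on.

```python
"""Toy comparison: site-image 'authentication' vs. channel-bound mutual authentication.

Added example (not the post author's code). Parties are plain function calls and
a Channel object stands in for one TLS session with its own unpredictable binding value.
"""
import hashlib
import hmac
import secrets
import struct

# --- Constructed sample values (not from the post) -----------------------------
SITE_IMAGE = b"\x89PNG\r\n\x1a\n...cat..."   # stands in for the bank's chosen picture
SHARED_SECRET = bytes(range(32))             # per-user key held by the OTP software


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits.

    This is the 'possession of the secret key' factor: only a holder of `secret`
    can produce the passcode for a given counter.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Channel:
    """One TLS session; `binding` models a tls-unique / exporter value unique to that session."""

    def __init__(self) -> None:
        self.binding = secrets.token_bytes(32)


# --- Scheme 1: show the user a picture ------------------------------------------
def server_site_image(_channel: Channel) -> bytes:
    """The server sends the same picture regardless of which session it is on."""
    return SITE_IMAGE


def user_accepts_image(shown: bytes) -> bool:
    """The only check a human can do: does it look like the picture I remember?"""
    return shown == SITE_IMAGE


def run_site_image(relayed: bool) -> bool:
    """Direct: server -> user. Relayed: server -> relay -> user, bytes forwarded unchanged."""
    server_side = Channel()
    _client_side = Channel() if relayed else server_side  # a relay terminates TLS: two sessions
    image = server_site_image(server_side)
    return user_accepts_image(image)  # True either way; the picture is not bound to anything


# --- Scheme 2: server proves the shared secret, bound to this TLS session -------
def server_mutual_proof(channel: Channel, client_nonce: bytes) -> bytes:
    """HMAC over the client's fresh nonce and the server's own channel binding."""
    msg = b"server|" + client_nonce + channel.binding
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def client_verifies_proof(channel: Channel, client_nonce: bytes, proof: bytes) -> bool:
    """Recompute with the binding of the session the *client* is actually on."""
    msg = b"server|" + client_nonce + channel.binding
    expected = hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def run_mutual_auth(relayed: bool) -> bool:
    """Same topology as run_site_image, but the proof carries the server-side binding."""
    server_side = Channel()
    client_side = Channel() if relayed else server_side
    nonce = secrets.token_bytes(16)                  # fresh per attempt, defeats plain replay
    proof = server_mutual_proof(server_side, nonce)  # a relay can only forward this unchanged
    return client_verifies_proof(client_side, nonce, proof)


if __name__ == "__main__":
    print("HOTP(counter=0):", hotp(b"12345678901234567890", 0))
    print("site image, direct :", run_site_image(False))
    print("site image, relayed:", run_site_image(True))
    print("mutual auth, direct :", run_mutual_auth(False))
    print("mutual auth, relayed:", run_mutual_auth(True))
```

The passcode and the channel-bound proof are separate pieces: HOTP alone proves the user's software holds the key, while the proof is what lets the user's side detect that the party it is talking to is not the party the server is talking to. A relay that rewrites the proof cannot do so without the shared secret, and forwarding it unchanged fails the binding check.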
