Re: one-time password (OTP) authentication
From: Achim Hoffmann (ah@securenet.de)
Date: Tue Jun 21 2005 - 10:24:08 CDT
.. and we see again that any n-factor authentication on the HTTP(s)-client
becomes a one-factor authentication on the wire and hence finally at the
server.
You may think of something "like" a two-factor if the server sends back
a secret via phone or as SMS to your mobile which has to be keyed in also.
-- Achim
On Tue, 21 Jun 2005, Lyal Collins wrote:
!! This is a fundamental point, ignored imho by proponents of OTP tokens.
!! Unless the OTP has a keyboard and display (e.g. ATM-like physical security),
!! the risk of compromised clients (a mere tactical change by fraudsters)
!! outweighs the implementation cost.
!!
!! Lyal
!!
!! -----Original Message-----
!! From: Devdas Bhagat [mailto:devdas@dvb.homelinux.org]
!! Sent: Tuesday, 21 June 2005 10:36 PM
!! To: webappsec@securityfocus.com
!! Subject: Re: one-time password (OTP) authentication
!!
!!
!! On 20/06/05 13:21 -0700, maburns@safenet-inc.com wrote:
!! <snip>
!! > Two-factor authentication is 1) "something physical only the user has" -
!! > like a USB key, which is the same as an ATM card, and 2) a "PIN that
!! > only the user knows". This is not difficult to implement; there are SDKs
!! > available.
!!
!! A "something the user has" plugged into the client makes it something the
!! attacker has. Always assume that the client is compromised.
!!
!! Devdas Bhagat
!!
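As an added illustration of the thread's point (not code from any poster), a minimal Python server that verifies an RFC 4226 HOTP and then a separate SMS-style confirmation code, so the wire still carries exactly one string per step; it goes beyond the thread in binding that second code to the transaction as the server stored it, since a client assumed to be compromised (Devdas's point) can relay whatever the user types. The class name, session ids and the transaction dict are constructed for this example.

```python
import hashlib
import hmac
import secrets


class OtpServer:
    """Server side of the exchange. Whatever mix of token, USB key and PIN
    the browser collected, the server only ever receives one string per
    request, so it must treat every submitted value as a bearer secret."""

    def __init__(self, seed: bytes):
        self.seed = seed        # secret shared with the user's OTP token
        self.counter = 0        # HOTP moving counter (next value expected)
        self.pending = {}       # session id -> (sms code, transaction as stored)

    def hotp(self, counter: int) -> str:
        """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
        mac = hmac.new(self.seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{code % 10**6:06d}"

    def login(self, submitted: str) -> bool:
        """Accept the next counter value once. A relayed code works exactly
        once, like any password; only the moving counter stops a replay."""
        ok = hmac.compare_digest(submitted, self.hotp(self.counter))
        if ok:
            self.counter += 1
        return ok

    def request_transaction(self, session: str, tx: dict) -> str:
        """Second channel: generate a code and record the transaction as the
        server will execute it. The code plus a description of `tx` would go
        to the user's phone; here the code is returned in place of an SMS
        gateway (constructed for the example)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = (code, dict(tx))
        return code

    def confirm_transaction(self, session: str, keyed_code: str):
        """Return the stored transaction if the keyed-in code matches, else
        None. Each code is single use, and the client never gets to resubmit
        transaction details after the user has seen them on the phone."""
        code, tx = self.pending.pop(session, (None, None))
        if code is None or not hmac.compare_digest(code, keyed_code):
            return None
        return tx
```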