
Two Factor Authentication on Linux / Mac / Windows

From:  Mohit Muthanna <mohit.muthanna-AT-gmail.com>
To:  full-disclosure-AT-lists.grok.org.uk, bugtraq-AT-securityfocus.com
Subject:  OT: Two Factor Authentication on Linux / Mac / Windows
Date:  Thu, 28 Apr 2005 10:00:23 -0400

Apologies for being off-topic.

<shameless plug>

Project Page: http://sourceforge.net/projects/teleauth
Public Service: http://public.paynacea.com

If anyone is interested, I am currently testing my new two-factor
authentication system and am offering the service for free. It does
not use keys, tags or other special hardware since it authenticates a
user by calling them on their land / cell phone and requesting a PIN
code.

The software has a comprehensive, easy-to-use API (complete with
documentation), and is designed to be highly available.

The client tools are open-sourced and distributed under the GPL. The
tools include PAM modules (w/ binaries for Solaris, Linux and OS X),
administration software and samples.

If you have your own web sites, servers, VPNs, etc. that you maintain,
you might find this service very useful. Integrating the system with
existing software, sites, services, etc. is almost trivial.

</shameless plug>

More information at: http://public.paynacea.com

If you have any questions, feel free to e-mail me off-list.

Mohit.

-- 
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."



Two Factor Authentication on Linux / Mac / Windows

Posted May 5, 2005 16:00 UTC (Thu) by dang (guest, #310) [Link]

On a quick read, this looks weak. Stronger systems have a password and a use-once, dynamic keycode. It looks like both password and pin are reused here, so the attacker would just need to arrange to get the call. It also strikes me that many tokens are near indestructible whereas phones are pretty fragile; and that my cell signal deep in the bowels of my data center is sketchy at best while my token just keeps generating numbers.
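The distinction dang draws above, between a PIN that is reused on every call and a use-once dynamic code, as an added example that is not part of the LWN thread or of the teleauth project: a reused PIN is verified by plain comparison, so anyone who overheard it once can replay it, whereas a counter-based one-time code (the HMAC construction below) is burned on first use. The PIN, the shared secret and the counter values are constructed for the demonstration.

```python
"""Reused PIN vs. one-time code: why replay works against one and not the other.

Added example; not the teleauth project's code. The PIN, shared secret and
counter values below are made up for the demonstration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (the HOTP construction): HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class StaticPinServer:
    """The scheme dang objects to: the same PIN is accepted every time."""

    def __init__(self, pin: str):
        self._pin = pin

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(self._pin, submitted)


class OneTimeCodeServer:
    """Counter-based verifier: each code is accepted once, and accepting a code
    also invalidates every earlier one, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._next = 0                  # lowest counter value still acceptable
        self._look_ahead = look_ahead   # tolerate a few unused token presses

    def verify(self, submitted: str) -> bool:
        for c in range(self._next, self._next + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self._next = c + 1      # burn this counter and all earlier ones
                return True
        return False


class Token:
    """User-side generator sharing the secret with OneTimeCodeServer."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


def static_pin_replay():
    """Attacker who overheard the PIN once: returns (legit login, replay)."""
    server = StaticPinServer("4711")            # constructed PIN
    captured = "4711"                           # what the eavesdropper heard
    return server.verify(captured), server.verify(captured)


def one_time_code_replay():
    """Same attacker against a use-once code: returns (legit login, replay)."""
    secret = b"constructed-demo-secret"         # constructed shared secret
    server = OneTimeCodeServer(secret)
    token = Token(secret)
    captured = token.press()                    # code the user typed, overheard
    first = server.verify(captured)             # the user's own login
    replay = server.verify(captured)            # the eavesdropper, later
    return first, replay


if __name__ == "__main__":
    print("static PIN (login, replay):", static_pin_replay())
    print("one-time   (login, replay):", one_time_code_replay())
```

The look-ahead window is what lets a token survive a few presses that never reached the server; it does not weaken the replay property, because verifying counter c moves the server past every counter up to and including c.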

Two Factor Authentication on Linux / Mac / Windows

Posted Jul 4, 2005 15:10 UTC (Mon) by ravenous (guest, #30816) [Link]

-- SNIP --
On a quick read, this looks weak. Stronger systems have a password and a use-once, dynamic keycode. It looks like both password and pin are reused here, so the attacker would just need to arrange to get the call. It also strikes me that many tokens are near indestructible whereas phones are pretty fragile; and that my cell signal deep in the bowels of my data center is sketchy at best while my token just keeps generating numbers.
-- SNIP --

It actually seems quite clever to me. How would an attacker just "arrange to get the call"? That's not possible unless the authentication system has already been compromised. A phone number cannot be redirected unless switches at the phone company have been compromised. In addition to "getting the call", the attacker will also need to have intercepted the password (trivial; off the network)... and the PIN code (non-trivial; by sniffing reverse voice RF traffic to a cell tower).

As for phones being fragile, I agree. They are more complex, hence more susceptible to damage. OTOH, tokens are not viable for public services (banks, online auctions etc.) as deployment, management and replacement would be a big issue. Most places that I've worked that use tokens make a big fuss about handing them out.

Also, think about having to carry a separate token for each service you subscribe to (Work, bank, etrade, client sites, other financial services). Probably not very comfortable.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds