Two Factor Authentication on Linux / Mac / Windows
Posted May 5, 2005 16:00 UTC (Thu) by dang (guest, #310)
Parent article: Two Factor Authentication on Linux / Mac / Windows
On a quick read, this looks weak. Stronger systems have a password and a use-once, dynamic keycode. It looks like both password and pin are reused here, so the attacker would just need to arrange to get the call. It also strikes me that many tokens are near indestructible whereas phones are pretty fragile; and that my cell signal deep in the bowels of my data center is sketchy at best while my token just keeps generating numbers.
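The distinction dang draws between a reused PIN and a use-once, dynamic keycode, shown as an added example (this is not code from the thread, from LWN, or from the product under discussion): the HOTP algorithm of RFC 4226 computed with the RFC's own published test secret, a static-PIN verifier beside a counter-tracking verifier, and a constructed replay scenario in which an eavesdropper resubmits the captured second factor. The PIN "4711", the look-ahead window of 5 and the class names are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); the RFC's own
# test vector, not a value from the commented-on product.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation on the low nibble of the last byte, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class StaticPinVerifier:
    """Models the scheme dang objects to: the same PIN travels every time,
    so a value captured once keeps working."""

    def __init__(self, pin: str):
        self._pin = pin

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(submitted, self._pin)


class HotpVerifier:
    """Server side of a use-once token (assumed design, typical of RFC 4226
    deployments): remember the highest accepted counter and only accept codes
    for counters strictly beyond it, within a small look-ahead window for
    presses that never reached the server."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._last_counter = -1
        self._look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        start = self._last_counter + 1
        for c in range(start, start + self._look_ahead):
            if hmac.compare_digest(submitted, hotp(self._secret, c)):
                self._last_counter = c  # consumes this counter and every earlier one
                return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: the attacker has the password already and
    replays the captured second factor.  Returns the outcome under each scheme."""
    static = StaticPinVerifier("4711")
    captured_pin = "4711"                      # what the eavesdropper saw
    static_first = static.verify(captured_pin)
    static_replay = static.verify(captured_pin)

    token = HotpVerifier(TEST_SECRET)
    captured_code = hotp(TEST_SECRET, 0)       # the code the user's token displayed
    hotp_first = token.verify(captured_code)
    hotp_replay = token.verify(captured_code)  # same code again: refused
    hotp_next = token.verify(hotp(TEST_SECRET, 1))  # the user's next press still works

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "hotp_first": hotp_first,
        "hotp_replay": hotp_replay,
        "hotp_next": hotp_next,
    }


if __name__ == "__main__":
    for n in range(3):
        print(f"HOTP counter {n}: {hotp(TEST_SECRET, n)}")
    print(replay_demo())
```

The look-ahead loop is also the reason a hardware token "just keeps generating numbers" without breaking: a few button presses that were never submitted move the token's counter ahead of the server's, and the window absorbs that drift while still refusing any counter already consumed.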
Posted Jul 4, 2005 15:10 UTC (Mon) by ravenous (guest, #30816)
It actually seems quite clever to me. How would an attacker just "arrange to get the call"? That's not possible unless the authentication system has already been compromised. A phone number cannot be redirected unless switches at the phone company have been compromised. In addition to "getting the call", the attacker will also need to have intercepted the password (trivial; off the network)... and the PIN code (non-trivial; by sniffing reverse voice RF traffic to a cell tower).
As for phones being fragile, I agree. They are more complex, hence more susceptible to damage. OTOH, tokens are not viable for public services (banks, online auctions etc.) as deployment, management and replacement would be a big issue. Most places that I've worked that use tokens make a big fuss about handing them out.
Also, think about having to carry a separate token for each service you subscribe to (Work, bank, etrade, client sites, other financial services). Probably not very comfortable.