Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 15:11 UTC (Wed) by jzbiciak (subscriber, #5246)
In reply to: Google Authenticator for multi-factor authentication by fuhchee
Parent article: Google Authenticator for multi-factor authentication

I don't think you can collapse these so readily. The three categories have rather different properties.

  • "Things you have" generally refers to dongles, keys, access cards or other trinkets that you are issued. Someone could steal any of those things without physically harming or maiming you.
  • "Things you know" require you to be at least somewhat conscious, and require at least some level of cooperation to access. Sure, duress can beat a password out of you (I'm reminded of this XKCD), but if someone kills you, the only other option to get the information is to find someone or something else who has it or brute-force guess it.
  • "Things you are" refers to biometrics, at least as far as I understand. Sure, someone could steal a body part (OUCH!), or in the case of the fingerprint machines, fake your fingerprint by lifting it from a glass. There are different levels here. The retinal scan made famous by many movies is a little harder to fake than the el cheapo thumbprint reader on a laptop. I'd like to see someone replicate an eyeball, maliciously or otherwise.

Still, nobody's arguing security can be made perfect, multifactor or otherwise. But, the more (and more varied) the factors are, the higher the bar gets raised. It requires an attacker to compromise more than one path before they achieve their goal, at a minimum reducing the probability of success to the product of the probabilities of compromising either factor. There's also the increased likelihood of detection, which potentially reduces the probability of success further.

So, I wouldn't be so quick to pooh-pooh multifactor authentication.



Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 17:42 UTC (Wed) by erwbgy (subscriber, #4104)

Excellent description. It is also worth noting that biometrics are hard to forge but are not secrets and can be easily stolen.

Google Authenticator for multi-factor authentication

Posted Dec 15, 2011 14:18 UTC (Thu) by gvy (guest, #11981)

Biometrics are also being pushed down the general public's throat already through chipification, while Nuremberg process ruled out that enumeration of people is a non-expiring crime against humanity.

Google Authenticator for multi-factor authentication

Posted Dec 16, 2011 16:54 UTC (Fri) by mpr22 (subscriber, #60784)

> Nuremberg process ruled out that enumeration of people is a non-expiring crime against humanity.

I'm having trouble parsing that, since the grammatical inconsistency is such as to make it impossible for me to tell what the intended meaning is. (And what does "enumeration of people" mean, beyond "assigning unique numbers to all members of a group of people"?)

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 19:03 UTC (Wed) by jimparis (guest, #38647)

It doesn't seem to be included when people list those three categories, but maybe "things you are" should also include location: "at work", "connecting from 18.0.0.0/24", etc.

Google Authenticator for multi-factor authentication

Posted Dec 13, 2011 3:09 UTC (Tue) by ghane (subscriber, #1805)

<quote> I'd like to see someone replicate an eyeball, maliciously or otherwise. </quote>

Does it have to be a working eyeball?

:-)

--
Sanjeev

