
Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 17:17 UTC (Thu) by iabervon (subscriber, #722)
In reply to: Google Authenticator for multi-factor authentication by ekj
Parent article: Google Authenticator for multi-factor authentication

It was originally something you had (the card), and something you knew (how to get a pen to produce your signature). But neither of these works without a semi-trusted point-of-sale agent who watches you sign and sees that you actually have the card. Providing effective authentication for credit cards now (considering both how they're used and the state of forging technology) would cost more than fraud costs, so they haven't bothered. To the extent that they've done anything, it's just an attempt to make their accounts a bit harder to abuse than other cards. (Asking for an extra password to use a card would probably cut way down on fraud at the moment even if you don't compare the password to anything, because attackers will tend to think, "this one's weird" and go on to the next number in their list, which will work fine without anything special.)



Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 1:23 UTC (Fri) by giraffedata (subscriber, #1954)

The signature is something you are, not something you know. It comes from too low a part of the brain to be in the same category as a password.

The system really doesn't rely on a semi-trusted point-of-sale agent; the retailer is about as untrusted as anyone by VISA, which is why he used to have to get an imprint of the card, and now has to swipe it through a reader. To prove to a large extent that the card was actually present. In addition, the retailer has to produce a signature that reasonably matches the one on the card, proving to some extent that the owner of the card was there too.

The only thing I've seen change since the early days is that for small transactions, someone - I don't know if it's Visa or the retailer - is now willing to take the risk of fraud in exchange for speed and convenience.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 10:20 UTC (Fri) by mpr22 (subscriber, #60784)

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:27 UTC (Fri) by giraffedata (subscriber, #1954)

> I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

And yet the main reason signatures exist is that many people do regard them as something you are, being difficult for a fraudster to learn.

I, for example, could almost certainly not reproduce your signature, no matter how much I practiced. So there's one fewer fraudster to worry about.

None of the security mechanisms we're talking about are perfect, so it's all about reducing, not eliminating, the chance of fraud.

In any case, it's not "something you know" -- if it were, then you could instantly disclose to someone how to write your signature.

(Incidentally, the other major purpose of a signature that people often overlook is not as security, but as a statement. The fact that someone wrote his name (or even an X) on a piece of paper makes it impossible for him to argue he didn't mean to commit himself. As most people are honest, whether he signed or not is often not disputed).


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds