[clug] 2 factor authentication in an era of smartphones

Robert Edwards bob at cs.anu.edu.au
Mon Dec 10 16:38:10 MST 2012


On 10/12/12 16:22, Francis Markham wrote:
> Kim, you are in good company in your musing:
> http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
>

Schneier writes:

"Two-factor authentication is not useless. It works for local login,
and it works within some corporate networks. But it won't work for
remote authentication over the Internet..."

Note that both the scenarios linked to are just pointing out that
there is no such thing as absolute security. Two-factor is an
authentication system, not a security system, and for authentication,
it has to be better than plain passwords.

But if your local system is compromised, smartphone or otherwise,
then stronger authentication is not going to help you at all.

If your bank (like mine) uses an SMS verification code for verifying
some new transactions, you (or your bank...) may want to make sure that
the device receiving the SMS code is not capable of launching an on-line
transaction (i.e. it isn't "smart"). A case for "dumb phones" for making
phone calls and receiving SMSs separate to your smartphone/tablet (who
uses smartphones for making phone calls anyway?).

Bob Edwards.

>
> On 10 December 2012 16:16, Kim Holburn <kim.holburn at gmail.com> wrote:
>
>> I'm still trying to decide if two-factor really gets you any more than
>> more trouble logging in legitimately.  Mind you, I am having to implement
>> it anyway.
>>
>>
>> http://www.techspot.com/news/51037-trojan-bypasses-two-factor-authentication-steals-465-million.html
>>
>>
>> On 2012/Dec/10, at 1:23 PM, Michael James wrote:
>>
>>> Dear CLUGers,
>>>
>>> Now that smartphones are ubiquitous
>>> it might be time to revisit 2 factor authentication.
>>>
>>> Instead of an RSA key-generating token just use
>>> an app to provide a One Time Password generator?
>>>
>>> My musings run along these lines:
>>>
>>>   1)   The app is protected by a locally set password
>>>         required to decrypt it.
>>>
>>>   2)   Once decrypted, the app knows a private key,
>>>         registered with the authenticating system.
>>>
>>>   3)   Key and time provide a One Time Password.
>>>
>>>   4)   Asymmetric keys allow authenticating system
>>>         to check OTP without the ability to generate them???
>>>
>>> But there might be some entirely different system possible these days.
>>>
>>> What are people using/investigating?
>>>
>>> michaelj
>>>
>>>
>>> PS:  Security is an illusion caused by lack of imagination.
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>
>> --
>> Kim Holburn
>> IT Network & Security Consultant
>> T: +61 2 61402408  M: +61 404072753
>> mailto:kim at holburn.net  aim://kimholburn
>> skype://kholburn - PGP Public Key on request
>>
>>
>>
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
>>


