Date: Sat, 2 Jul 2016 12:41:36 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: 2-Factor vs Authentication

2-Factor "Auth": Something you know + Something you have

(if you prefer HTML formatting, read the http://ithipster.com/34.html)

Previously (in "What Makes Your Password Yours" and "Auth vs ID") we have established that your exclusive and complete control over your password makes the password belong to you, and this is the one and only characteristic property of a valid password. Now we are to scrutinize the second member of the 2-Factor formula.

Peeking at the final page of the story, the picture above is lying to you blatantly and insultingly. It could be true, however, if you were using a password plus a custom (sufficiently unique) hardware token, but that is not the case. The proponents of «2-Factor» call for using your telephone as the second «factor», and this requires some clarification: what is «your phone», and how is it associated with you?

Do you own «something you have»?

The typical «2F» scheme is the following: the service provider sends a one-time password to a previously known phone number; then the user inputs this one-time password as proof of receiving it. Supposedly this scheme establishes a fact: the user is in possession of a telephone associated with the given phone number.

The information core of this scheme is the one-time token making its way through a 3rd-party network to the user and back to the service provider… and it is absolutely safe and logically consistent. The trouble is in the phone. The scheme presumes that, since its initiation, the given phone number is still associated with a phone in your possession and that this phone is the only recipient of the message. Both assumptions are atrociously stupid and detached from reality. Nevertheless they effectively define your «second-factor» token as: «YOUR» PHONE NUMBER.
Despite everything you may think about «your» phone number, it is not yours by any stretch of the imagination. Do you have any control over «your» phone number? No, you don't. You may merely ask your service provider to perform certain (irrelevant to our topic) manipulations with «your» number, but can you guarantee the most important property of it (required by the 2-Factor), that the number will remain assigned to you next minute? NO, YOU CANNOT! The number belongs to your service provider, and they have complete and exclusive control over it (and even that is questionable). Similarly, you do not own «your» e-mail, «your» domain name, «your» passport number. All those things belong to other people whom you do not know even by name! Your typical second token in the 2-Factor does not belong to you, not even slightly.

Well, you may now claim: "but it is only the second! you still need your password" and bla-bla-bla, ignoring the fact that this argument of yours destroys the necessity of this second factor altogether… My initial intention was to say: just wait a little bit, soon enough it will become the first, but the «soon enough» had happened before I finished the sentence. The youtuber Boogie2988 was hacked (his YouTube account was closed and all his works deleted). According to his own testimony: someone seized my phone number and then, using SMS «authentication», seized control over my account.

And keep in mind, the security experts do not give two shits about your security; their primary concern is PROFIT, and what is the most profitable activity in Computer Science? Reproducing the mainstream bullshit, no matter how harmful and dangerous.
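The SMS one-time-password exchange described above, and the number-reassignment case from the Boogie2988 account, modelled as an added example that is not part of the original post. A constructed carrier routes the number to whichever handset it is currently assigned to, and the service's check passes for whoever holds the number, which is exactly all the scheme proves; the handset names, the number and the 300-second code lifetime are assumptions.

```python
import hmac
import secrets

OTP_TTL = 300  # assumed lifetime of a one-time code, in seconds

class PhoneNetwork:
    """Constructed stand-in for the carrier: a number reaches whatever handset it is assigned to."""
    def __init__(self):
        self.assignment = {}   # phone number -> handset id (the carrier decides this, not the user)
        self.inboxes = {}      # handset id -> texts received

    def assign(self, number, handset):
        self.assignment[number] = handset

    def deliver(self, number, text):
        self.inboxes.setdefault(self.assignment[number], []).append(text)

    def last_text(self, handset):
        return self.inboxes[handset][-1]

class SmsOtpService:
    """Service side of the scheme: mint a code, hand it to the network, check it on return."""
    def __init__(self, network):
        self.network = network
        self.pending = {}      # username -> (code, expiry time)

    def begin(self, username, number, now):
        code = f"{secrets.randbelow(10**6):06d}"          # random 6-digit code
        self.pending[username] = (code, now + OTP_TTL)
        self.network.deliver(number, code)                # the service only knows the number

    def complete(self, username, submitted, now):
        entry = self.pending.pop(username, None)          # pop, not get: a code is single-use
        if entry is None:
            return False
        code, expiry = entry
        return now <= expiry and hmac.compare_digest(code, submitted)

def run_scenario(number_reassigned):
    """Alice enrolled +15550100 on her own handset; returns whether the current holder passes."""
    net = PhoneNetwork()
    net.assign("+15550100", "alice-handset")
    svc = SmsOtpService(net)
    holder = "alice-handset"
    if number_reassigned:
        holder = "other-handset"
        net.assign("+15550100", holder)   # carrier moves the number; the service is never told
    svc.begin("alice", "+15550100", now=0)
    return svc.complete("alice", net.last_text(holder), now=10)
```

The token handling itself (random code, expiry, single use, constant-time compare) is sound, and `run_scenario(True)` still returns `True`: the check binds to the carrier's current routing of the number, not to any device or person.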