Date: Sat, 2 Jul 2016 17:41:18 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: 2-Factor vs Authentication

On 07/02/2016 05:20 PM, Yoha wrote:
> Le 02/07/2016 à 17:10, e@...tmx.net a écrit :
>> On 07/02/2016 04:47 PM, Yoha wrote:
>>> Definitely agree with the most common form of 2FA.
>>
>> the emphasis is:
>> the most common variant of any "new technology"
>> advocated for by the major market players
>> with a choir of "experts" and "gurus"
>> is always a very harmful piece of crap,
>> guaranteed to compromise users' security;
>> and the populace plays along, happy and trustful.
>>
>>
>
> Sorry, I was not clear. I meant: I agree with your point of view
> regarding this approach (sending a confirmation code), which seems to be
> the most common one in my personal experience.

for the sake of a rant i must add:
all modern-day security "innovations" are founded on a multitude of 
wildly deranged assumptions.
people simply overlook all those assumptions: if we call "my" phone 
number "my", it must really be mine, mustn't it?


>>> [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
>>>
>>> is very easy to use, more secure than confirmation codes, *and* much
>>> faster (there are sometimes delays of a few minutes before the
>>> confirmation code is received). Additionally, it allows better
>>> flexibility (e.g. when using multiple phones).
>>
>> in other words, the second factor is defined here as:
>> a preshared piece of software.
>>
>> seems ok, but i am devoid of any deep insight on that.
>>
>
> Well, there is no deep insight, it just looks like the correct way to do
> any 2FA since, as you described previously, sending a confirmation code
> may not add that much security.
>

so far, it is very difficult for me to determine if a well designed and 
perfectly safe second factor actually improves anything at all.

i _FEEL_ as if a hardware second factor (something i carry in my pocket) 
may have improved the auth procedure in the sense of further reducing 
false-positive authentications.

taking that as a basis (like an ideal second factor)
we may claim that a piece of preshared software may in theory be 
equivalent to the hardware token, _IF_ customised to be sufficiently 
unique, and run on a secure device. But here is the trap -- all commonly 
available devices are absolutely ANTI-secure. All your phones have been 
hijacked by google and apple since their conception. so the software 
approach to the second factor is seriously undermined.

in addition to my theoretical question, which i began with: "does it 
actually add security at all? in the ideal world"
we now have another, practical, question:
does it add any significant amount of security, given that your CUSTOM 
software is shared with the entire google corp.?

-e
