Date: Mon, 4 Jul 2016 14:45:38 +0200 From: "e@...tmx.net" <e@...tmx.net> To: passwords@...ts.openwall.com Subject: Re: 2-Factor vs Authentication On 07/04/2016 02:25 PM, Ark Arkenoi wrote: > Yes, exactly: it was meant to massively reduce false positives, while keeping false negatives acceptably low. false-negatives are never acceptably low, because they tend to occur in very critical moments. for example, with SMS second factor you lose access to your account when travelling -- suddenly the password you carry in your VERY OWN HEAD is no longer proof of this head identity -- this is fucking INSULTING. Your interaction with your virtual representation became dependent on fucking many random factors: your phone battery, your provider availability, your physical location. Not mentioning that the assumed attack cost against SS7 is only applicable to random strangers -- for the mobile phone operator this cost is ZERO. your SMS second factor is compromised by literally many thousands people! therefore, your initially assumed cost/benefit ratio is far from being obvious. for me, it seems too costly, too damaging and barely beneficial at all. > > BTW sms was much less reliable back those days and inter-operator issues happened all the time. > > Sent from my BlackBerry 10 smartphone. > Original Message > From: e@...tmx.net > Sent: Monday, July 4, 2016 14:34 > To: passwords@...ts.openwall.com > Reply To: passwords@...ts.openwall.com > Subject: Re: [passwords] 2-Factor vs Authentication > > On 07/03/2016 07:11 PM, ArkanoiD wrote: > >> The common consensus was .... >> SMS+password being better than password alone, thus adding extra layer >> won't hurt. > > This is a tremendously extraordinary statement in need of a huge proof. > > terms "extra layer" and "better" point to merely a cloud of human feelings. > > I can accept the premise for this statement: > adding SMS to password reduces false-positive auth outcomes. > (no matter how much and how needed) > > But it also increase false-negative auth outcomes!!! > AND THIS REALLY HURTS. > and I speculate sometimes it hurts the security too. > > > and after all, as you now witnessing, when a logically inconsistent > bullshit becomes accepted as a part of an info system, it tends to > overthrow the logic of the host system and turn it into crap entirely. > Same goes to the password policies. >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.