Security Basics mailing list archives

Re: Device Authentication - The answer to attacks launched using stolen passwords?


From: Nick Owen <nickowen () mindspring com>
Date: Thu, 07 Sep 2006 16:54:08 -0400

Saqib Ali wrote:
>> mention) than a trusted platform. It might actually be better to use
>> passwords for the session authentication and an OTP for the transaction.
>
> but weren't there attacks on OTP recently:
>
> http://www.channelregister.co.uk/2006/07/13/2-factor_phishing_attack/
> http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>
> I think client device authentication would have prevented these attacks.

Perhaps - I assume you mean with a trusted platform, not easily spoofed
cookies and IP addresses etc.  But, they are MITM attacks, so host
authentication would *definitely* have stopped the attacks.

It is much easier to do host authentication than to do secure device
authentication.  There are a number of ways to do host authentication
available today.  We validate the SSL certificate of the site before
delivering the OTP, for example.  There are a limited number of trusted
platforms available today and it will take forever to replace all the
PCs out there, so it makes sense to me to do host authentication.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
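The gate Nick describes above (check the site's certificate, and only then hand over the OTP) as an added, self-contained example. This is illustrative code written for this archive page, not WiKID's client or protocol; WiKID's actual scheme is not reproduced here. It stands in for the certificate check with a SHA-256 fingerprint pin over constructed, fake DER bytes (a real client would pin the bytes from `ssl.SSLSocket.getpeercert(binary_form=True)` after the normal chain and hostname checks) and uses RFC 4226 HOTP with the RFC's own test secret as the OTP. The hostnames, certificate bytes and pin store are all constructed for the example.

```python
import hashlib
import hmac
import struct

# --- Constructed sample data (no real certificates or secrets) ---------------
# Stand-ins for the DER-encoded certificate a client sees in the TLS handshake.
# Any byte string exercises the pin check; real code would pass the bytes from
# ssl.SSLSocket.getpeercert(binary_form=True).
BANK_CERT_DER = b"constructed DER: CN=online.example-bank.test, issuer=Example CA"
# What a phishing proxy terminating TLS for the same name would present: a
# different certificate, so a different fingerprint.
PHISH_CERT_DER = b"constructed DER: CN=online.example-bank.test, issuer=Attacker CA"

# HOTP secret enrolled for this host. This is the RFC 4226 test vector secret
# ("12345678901234567890"), used here so the codes are checkable against the RFC.
OTP_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, the usual form for a stored pin."""
    return hashlib.sha256(der).hexdigest()


# Pin store captured at enrollment: hostname -> expected fingerprint.
PINS = {"online.example-bank.test": cert_fingerprint(BANK_CERT_DER)}


def host_authenticated(hostname: str, presented_der: bytes) -> bool:
    """True only if the presented certificate matches the enrolled pin.

    An unknown host is a failure, not a pass: the client never releases an
    OTP to a site it has no pin for.
    """
    expected = PINS.get(hostname)
    if expected is None:
        return False
    # Constant-time compare so the check does not leak which bytes differ.
    return hmac.compare_digest(expected, cert_fingerprint(presented_der))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def release_otp(hostname: str, presented_der: bytes, counter: int):
    """Deliver the OTP only after the host is authenticated; None otherwise.

    Because the code never leaves the client when the certificate does not
    match, a man-in-the-middle proxy has nothing to relay to the real site.
    """
    if not host_authenticated(hostname, presented_der):
        return None
    return hotp(OTP_SECRET, counter)


if __name__ == "__main__":
    host = "online.example-bank.test"
    # Genuine site: OTP released. RFC 4226 vector for counter 0 is 755224.
    print("real site :", release_otp(host, BANK_CERT_DER, 0))
    # Phishing proxy presenting its own certificate for the same name: refused.
    print("MITM proxy:", release_otp(host, PHISH_CERT_DER, 0))
    # Host the client was never enrolled for: refused.
    print("unknown   :", release_otp("unknown.test", BANK_CERT_DER, 0))
```

Two practical caveats the example glosses over. Pinning the whole leaf certificate means every renewal invalidates the pin, so deployed clients more often pin the SubjectPublicKeyInfo hash or an intermediate CA, and a `hmac.compare_digest` over the fingerprint is not a substitute for the chain and hostname validation the TLS library already performs; the pin is the extra check on top of it. Also, this stops a relaying proxy only because the OTP is never released; it does not help against malware already on the client, which is the case the trusted-platform argument in the thread is about.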
