Security Basics mailing list archives
Re: Device Authentication - The answer to attacks launched using stolen passwords?
From: Nick Owen <nickowen () mindspring com>
Date: Thu, 07 Sep 2006 16:54:08 -0400
Saqib Ali wrote:
> mention) than a trusted platform. It might actually be better to use
> passwords for the session authentication and an OTP for the transaction.
>
> But weren't there attacks on OTP recently:
> http://www.channelregister.co.uk/2006/07/13/2-factor_phishing_attack/
> http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>
> I think client device authentication would have prevented these attacks.
Perhaps - I assume you mean with a trusted platform, not easily spoofed cookies and IP addresses etc. But they are MITM attacks, so host authentication would *definitely* have stopped the attacks. It is much easier to do host authentication than to do secure device authentication. There are a number of ways to do host authentication available today. We validate the SSL certificate of the site before delivering the OTP, for example. There are a limited number of trusted platforms available today and it will take forever to replace all the PCs out there, so it makes sense to me to do host authentication.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
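The host-authentication step Nick describes (check the site's certificate before the OTP is released), modelled as an added example that is not WiKID's code or anything from the thread. It assumes the client keeps a pinned SHA-256 fingerprint per hostname, uses RFC 4226 HOTP for the one-time password, and the "certificates" are constructed byte strings rather than real DER; a phishing proxy cannot present the pinned certificate because it lacks the site's private key, so the client simply never produces a code for it.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Set

# Constructed stand-in for the real site's certificate (not real DER bytes).
REAL_BANK_CERT = b"constructed-certificate-for-bank.example"

# Pinned SHA-256 fingerprints the OTP client has previously verified, keyed by
# hostname. Hypothetical store; a real client would persist this.
PINS: Dict[str, Set[str]] = {
    "bank.example": {hashlib.sha256(REAL_BANK_CERT).hexdigest()},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password per RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def host_verified(hostname: str, presented_cert: bytes) -> bool:
    """True only if the presented certificate matches a pin for this hostname."""
    fingerprint = hashlib.sha256(presented_cert).hexdigest()
    return fingerprint in PINS.get(hostname, set())


def deliver_otp(hostname: str, presented_cert: bytes,
                secret: bytes, counter: int) -> Optional[str]:
    """Release an OTP only after the host has authenticated to the client.

    A man-in-the-middle site (different certificate) gets None, so there is
    no code for the attacker to relay to the genuine site.
    """
    if not host_verified(hostname, presented_cert):
        return None
    return hotp(secret, counter)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret
    print("genuine site:", deliver_otp("bank.example", REAL_BANK_CERT, SECRET, 0))
    print("proxy site:  ", deliver_otp("bank.example", b"attacker-cert", SECRET, 0))
```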