Security Basics mailing list archives
Re: Multi-Factor Authentication
From: Nick Owen <nickowen () mindspring com>
Date: Thu, 03 May 2007 14:26:07 -0400
jkatricak () linuxmail org wrote:
> It was always my understanding that the pictures were more for anti-phishing purposes than for multifactor authentication. In other words, if you go to a site and see the picture you originally picked out, you're probably on the real site. If you see another picture, you're on a phishing site (because the phishing site doesn't know which picture you originally chose).
Exactly. Most host authentication mechanisms are geared toward online banking. I wonder though, if they would be warranted in the enterprise - specifically to thwart a Wi-Fi based MITM attack for your SSL-based VPN. It's pretty trivial to set up a fake AP, and then set up an SSL-MITM to get the info even if two-factor authentication is used for the session. Setting up strong host/mutual authentication would stop this - though I don't think an image-based solution would, as the MITM could just pass the cookies, IP address, etc. from the client side to the server side.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
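
Added example, not part of the original post or of any product named in it: a small model of the point made in the reply above, that a second factor which is only forwarded survives an SSL relay while a response bound to the server certificate the client actually saw does not. The binding scheme (HMAC over nonce plus certificate fingerprint) and all names and values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values: stand-ins for DER certificates and a token secret.
VPN_CERT = b"constructed-cert-of-real-vpn-gateway"
RELAY_CERT = b"constructed-cert-presented-by-relay"
TOKEN_KEY = b"constructed-shared-token-secret"


def fingerprint(cert: bytes) -> bytes:
    """SHA-256 fingerprint of a certificate blob."""
    return hashlib.sha256(cert).digest()


def token_response(key: bytes, nonce: bytes, seen_cert: bytes, bound: bool) -> bytes:
    """Client side: second-factor response, optionally bound to the cert the client saw."""
    msg = nonce + fingerprint(seen_cert) if bound else nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_verify(key: bytes, nonce: bytes, response: bytes, bound: bool) -> bool:
    """Server side: recompute with its own certificate, never one supplied by the peer."""
    msg = nonce + fingerprint(VPN_CERT) if bound else nonce
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(seen_cert: bytes, bound: bool) -> bool:
    """One login attempt. seen_cert is whichever certificate terminated the client's
    TLS session; a relay forwards nonce and response unchanged, so only it differs."""
    nonce = os.urandom(16)
    response = token_response(TOKEN_KEY, nonce, seen_cert, bound)
    return server_verify(TOKEN_KEY, nonce, response, bound)


if __name__ == "__main__":
    for label, cert in (("direct", VPN_CERT), ("relayed", RELAY_CERT)):
        for bound in (False, True):
            print(f"{label:8} bound={bound!s:5} accepted={login(cert, bound)}")
```

The unbound response is accepted on both paths, which is why forwarded cookies, images or one-time codes do not reveal a relay; the bound response is accepted only when the client's session ended at the real gateway certificate.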