Security Basics mailing list archives

Re: Multi-Factor Authentication


From: Nick Owen <nickowen () mindspring com>
Date: Thu, 03 May 2007 14:26:07 -0400

jkatricak () linuxmail org wrote:
It was always my understanding that the pictures were more for
anti-phishing purposes than for multifactor authentication.  In other
words, if you go to a site and see the picture you originally picked
out, you're probably on the real site.  If you see another picture,
you're on a phishing site (because the phishing site doesn't know
which picture you originally chose).

Exactly. Most host authentication mechanisms are geared toward
online banking.  I wonder though, if they would be warranted in the
enterprise - specifically to thwart a Wi-Fi-based MITM attack for your
SSL-based VPN.  It's pretty trivial to set up a fake AP, and then set up
an SSL MITM to get the info even if two-factor authentication is used
for the session. Setting up strong host/mutual authentication would stop
this - though I don't think an image-based solution would, as the MITM
could just pass the cookies, IP address, etc. from the client side to the
server side.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
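The distinction Nick draws, that a relaying proxy can forward a cookie-keyed site image untouched while mutual authentication bound to the TLS session cannot be relayed, is modelled below. This is an added illustration, not code from the post or from WiKID Systems: the user, cookie, certificate names and the HMAC that stands in for a client-certificate private-key signature are all constructed, and the "transcript hash" is a simplified stand-in for the handshake transcript that a real CertificateVerify signature covers.

```python
"""Model of why an image-based site check survives a relaying
man-in-the-middle while transcript-bound mutual authentication does not.
Constructed illustration; names, keys and cookies are made up."""
import hashlib
import hmac
import os

# Constructed data: one registered user, her chosen picture, and a shared
# secret standing in for the private key of her client certificate.
USERS = {"alice": {"image": "sailboat", "client_key": b"alice-client-key"}}
SESSION_COOKIE = {"cookie-7f3a": "alice"}      # cookie -> user, as the site keeps it
REAL_SERVER_CERT = b"cert:vpn.example.test"    # certificate of the genuine VPN gateway
RELAY_CERT = b"cert:wifi-login.example.test"   # certificate the rogue AP's relay presents


class TlsSession:
    """One TLS connection. The transcript hash covers both randoms and the
    server certificate, so it is unique to this particular connection."""

    def __init__(self, server_cert, rng=os.urandom):
        self.client_random = rng(8)
        self.server_random = rng(8)
        self.server_cert = server_cert

    def transcript_hash(self):
        data = self.client_random + self.server_random + self.server_cert
        return hashlib.sha256(data).digest()


def image_for_cookie(cookie):
    """Server side of the 'did you see your picture' check: keyed only by the cookie."""
    user = SESSION_COOKIE.get(cookie)
    return USERS[user]["image"] if user else None


def client_sign(user, session):
    """Client proves key possession over the transcript of the session it is actually in."""
    key = USERS[user]["client_key"]
    return hmac.new(key, session.transcript_hash(), hashlib.sha256).digest()


def server_verify_client(user, session, signature):
    """Server recomputes the expected value over *its own* session's transcript."""
    key = USERS[user]["client_key"]
    expected = hmac.new(key, session.transcript_hash(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def image_check_through_relay():
    """The relay terminates the client's TLS and opens its own to the server.
    The cookie is opaque bytes, so forwarding it yields the user's real picture."""
    cookie_from_client = "cookie-7f3a"   # sent to what the client believes is the server
    forwarded = cookie_from_client       # relay passes it on unchanged
    return image_for_cookie(forwarded)   # 'sailboat': the client sees the expected image


def mutual_auth_through_relay():
    """Same relay, but the client signs over the session it has with the relay;
    the server checks against the separate session the relay opened to it."""
    client_to_relay = TlsSession(RELAY_CERT)
    relay_to_server = TlsSession(REAL_SERVER_CERT)
    sig = client_sign("alice", client_to_relay)
    return server_verify_client("alice", relay_to_server, sig)   # False


def mutual_auth_direct():
    """No relay: one session, one transcript, the check succeeds."""
    session = TlsSession(REAL_SERVER_CERT)
    sig = client_sign("alice", session)
    return server_verify_client("alice", session, sig)   # True


if __name__ == "__main__":
    print("image check via relay:", image_for_cookie("cookie-7f3a") == image_check_through_relay())
    print("mutual auth direct:   ", mutual_auth_direct())
    print("mutual auth via relay:", mutual_auth_through_relay())
```

The point the model makes is that the image check authenticates whoever holds the cookie, and the relay holds it, whereas a client-certificate proof is computed over handshake material that differs between the two legs of the relayed connection, so the server's verification fails even when every byte is forwarded faithfully.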
