Another example of the futility of hardwareless 2 factor authentication

[mouse at Rodents.Montreal.QC.CA (der Mouse)]

> Consider the following attempt at el-cheapo (no hardware)
> authentication:  [...]

> It is possible to imagine an authentication scheme that wants to use
> something like a certificate with signing, encrypting random nonces
> etc., to verify that someone agrees to some transaction(s).  If the
> certificate is on a PC, though, it gets exposed to theft.

There is no way to avoid this (as long as you stick to the no-hardware
restriction).  You can get clever with third parties and whatnot all
you like, but anything the user's desktop can do with the data it has
(possibly including data that is typed in by the user during operation
as intended), an impostor who has the same data (lifted from disk,
snooped on keystrokes, whatever) can do equally well.

To defeat this, in principle, you need *something* the user's computer
does not have access to.  This can be as simple as the next entry on a
list of nonces (sent to the user by some other means such as snailmail)
all the way up to something as complex as the stuff underlying SecurID.

Of course, that's not to say that simpler measures can't defeat any
specific examples, such as current attacks.  You can make it moderately
difficult, in fact.  But you can't make it impossible.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B