WebApp Sec mailing list archives
Re: one-time password (OTP) authentication
From: Achim Hoffmann <ah () securenet de>
Date: Tue, 21 Jun 2005 17:24:08 +0200 (MEST)
.. and we see again that any n-factor authentication on the HTTP(s)-client becomes a one-factor authentication on the wire and hence finally at the server.
You may think of something "like" a two-factor if the server sends back a secret via phone or as SMS to your mobile which has to be keyed in also.

-- Achim

On Tue, 21 Jun 2005, Lyal Collins wrote:
!! This is a fundamental point, ignored imho by proponents of OTP tokens.
!! Unless the OTP has a keyboard and display (e.g. ATM-like physical security),
!! the risk of compromised clients (a mere tactical change by fraudsters)
!! outweighs the implementation cost.
!!
!! Lyal
!!
!! -----Original Message-----
!! From: Devdas Bhagat [mailto:devdas () dvb homelinux org]
!! Sent: Tuesday, 21 June 2005 10:36 PM
!! To: webappsec () securityfocus com
!! Subject: Re: one-time password (OTP) authentication
!!
!!
!! On 20/06/05 13:21 -0700, maburns () safenet-inc com wrote:
!! <snip>
!! > Two-factor authentication is 1) "something physical only the user has" -
!! > like a USB Key which is the same as an ATM card and 2) a "pin # that
!! > only user knows". This is not difficult to implement; there are SDKs
!! > available
!!
!! A "something the user has" plugged into the client makes it something the
!! attacker has. Always assume that the client is compromised.
!!
!! Devdas Bhagat
!!
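A server-side model of the mitigation Achim sketches, added here as an example and not code from this thread: the server accepts each OTP once only (HOTP-style counter with a look-ahead window, so a captured value replayed from a compromised client is refused), and a separate server-generated code, sent out of band together with the transaction details, must be keyed in before the transaction is confirmed. The `OtpServer` class, its constants and the in-memory stand-in for the SMS channel are hypothetical, constructed for this example.

```python
import hmac
import hashlib
import secrets
import time

class OtpServer:
    """Hypothetical server-side model (constructed for this example)."""

    LOOKAHEAD = 10           # how far past the last accepted counter we search
    OOB_TTL = 120            # seconds the out-of-band code stays valid

    def __init__(self, token_secret: bytes):
        self.token_secret = token_secret   # shared with the user's token
        self.last_counter = -1             # highest counter already accepted
        self.pending = {}                  # session -> (code, txn, expiry)
        self.sent_oob = []                 # stands in for the SMS/phone channel

    def otp_for(self, counter: int) -> str:
        # HOTP-style: HMAC over the event counter, truncated to six digits.
        mac = hmac.new(self.token_secret, counter.to_bytes(8, "big"),
                       hashlib.sha1).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def login(self, session: str, otp: str, txn: str) -> bool:
        # Whatever produced it, the wire carries only this one string, so the
        # server refuses to accept it twice and does not let it alone
        # authorise a transaction: it issues a fresh code out of band instead.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.LOOKAHEAD):
            if hmac.compare_digest(otp, self.otp_for(c)):
                self.last_counter = c
                code = f"{secrets.randbelow(1_000_000):06d}"
                self.pending[session] = (code, txn, time.time() + self.OOB_TTL)
                self.sent_oob.append((txn, code))  # server -> phone, not via the client
                return True
        return False                               # unknown or already-used OTP

    def confirm(self, session: str, code: str, txn: str) -> bool:
        # Any attempt consumes the pending code: it is single use and bound
        # to the transaction the server actually displayed out of band.
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        exp_code, exp_txn, expiry = entry
        return (time.time() < expiry and txn == exp_txn
                and hmac.compare_digest(code, exp_code))
```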
Current thread:
- one-time password (OTP) authentication james (Jun 18)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- Re: one-time password (OTP) authentication Andrew van der Stock (Jun 19)
- Re: one-time password (OTP) authentication Joseph Miller (Jun 20)
- <Possible follow-ups>
- RE: one-time password (OTP) authentication Cyrill Osterwalder (Jun 20)
- RE: one-time password (OTP) authentication maburns (Jun 20)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 21)
- Re: one-time password (OTP) authentication Achim Hoffmann (Jun 21)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- RE: one-time password (OTP) authentication maburns (Jun 20)