Comments on: Two factor authentication http://www.fenris.org/2007/11/06/two-factor-authentication "Baby someone is crazy and it's you" Sun, 23 Nov 2008 09:58:11 +0000 http://wordpress.org/?v=2.6.3 By: cec http://www.fenris.org/2007/11/06/two-factor-authentication#comment-20205 cec Wed, 07 Nov 2007 17:04:24 +0000 http://www.fenris.org/index.php/2007/11/06/two-factor-authentication/#comment-20205 Hunter: so you're suggesting some big long random string stored on a thumb drive. Would the user cut and paste the string as if it were a password? Or would there need to be client-side code to manage the authentication? Bryn: the advantages/disadvantages I mentioned were intended to be specific to this instantiation of something-you-have authentication, i.e., commodity USB keys instead of customized hardware. Losing the key/token is a generic problem with something-you-have, regardless of implementation: if you lose it, then you no longer have it :-) Hunter: so you’re suggesting some big long random string stored on a thumb drive. Would the user cut and paste the string as if it were a password? Or would there need to be client-side code to manage the authentication?

Bryn: the advantages/disadvantages I mentioned were intended to be specific to this instantiation of something-you-have authentication, i.e., commodity USB keys instead of customized hardware. Losing the key/token is a generic problem with something-you-have, regardless of implementation: if you lose it, then you no longer have it :-)

]]> By: Bryn http://www.fenris.org/2007/11/06/two-factor-authentication#comment-20204 Bryn Wed, 07 Nov 2007 16:58:04 +0000 http://www.fenris.org/index.php/2007/11/06/two-factor-authentication/#comment-20204 There's a 6th problem for physical keys, that of someone losing the key (or having it stolen) - that way, you don't have access anymore and someone else does. There is some security-through-obscurity, of course, given that the chances of anyone who finds or steals a key would know what to do with it are pretty low, but there are deliberate malicious bastards out there who would target a key. There’s a 6th problem for physical keys, that of someone losing the key (or having it stolen) - that way, you don’t have access anymore and someone else does. There is some security-through-obscurity, of course, given that the chances of anyone who finds or steals a key would know what to do with it are pretty low, but there are deliberate malicious bastards out there who would target a key.

]]> By: Hunter http://www.fenris.org/2007/11/06/two-factor-authentication#comment-20203 Hunter Wed, 07 Nov 2007 16:51:56 +0000 http://www.fenris.org/index.php/2007/11/06/two-factor-authentication/#comment-20203 What I had in mind was even simpler. The file .something_probably_unique on the key contains a random sha1 hash. And thats it. In my role as random internet target, I'm not trying to keep someone competent out. They'll just social engineer around anything technical at a university anyway. I'm trying to keep out the other 99.9% of the black hats on the internet, and ANY kind of physical key is sufficient for that. What I had in mind was even simpler. The file .something_probably_unique on the key contains a random sha1 hash.

And thats it. In my role as random internet target, I’m not trying to keep someone competent out. They’ll just social engineer around anything technical at a university anyway. I’m trying to keep out the other 99.9% of the black hats on the internet, and ANY kind of physical key is sufficient for that.

]]>