
Re: [WEB SECURITY] thoughts on two-factor web authentication?



On Mon, Nov 10, 2008 at 2:22 PM, Nick Owen <nowen@xxxxxxxxxxxxxxxx> wrote:
> Just be aware of what you are relying on and the security implications
> of that.  For example, cell carriers have different incentives regarding
> protection of their accounts.  It is worthwhile for them to have lax
> password reset systems to avoid helpdesk calls because of the size of
> the user base.  See
> http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked

Good point. It's good to carefully consider the external dependencies,
but in the case of PhoneFactor, using the techniques in the article to
gain access to someone's cell phone is not necessarily going to
overcome the security of using the phone as an out of band
authentication method. A company that deploys PhoneFactor can require
that the callee enters a PIN of customizable length. So just because
an attacker has taken my phone and gained access to it and my provider
account, does not mean that he knows the PIN that's required when it
is called for AuthN/Z.

Again, I have no affiliation with the product or the company, but felt
compelled to respond anyway.

-- 
Dave Hull
Trusted Signal
Public key: http://trustedsignal.com/pubkey.txt
Fingerprint: 4B2B F3AD A9C2 B4E1 CBDF  B86F D360 D00F C18D C71B

Mentoring SANS Security 508: Computer Forensics, Investigations and
Response in Kansas City
Details at http://www.sans.org/mentor/details.php?nid=14464

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
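The point made above, that possession of the phone (or of the carrier account that forwards its calls) is not enough when the call-back also demands a PIN, is easiest to see in a small model of the server side of such a flow. The code below is an added illustration, not PhoneFactor's code or anything from the list; the class and function names, the attempt limit, the challenge lifetime and the sample user/PIN are all assumptions. The call itself is out of scope; `start_login` simply returns the number that would be dialled, and `answer_call` models what the callee keys in on that call.

```python
"""
Out-of-band phone verification with a PIN as a second, knowledge factor.
Added example (not PhoneFactor's code); all names and values are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PIN_ATTEMPT_LIMIT = 3          # assumed policy: lock after 3 wrong PINs
CHALLENGE_TTL_SECONDS = 60     # assumed: a call must be answered within a minute


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked enrollment store does not expose PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Enrollment:
    phone_number: str
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Challenge:
    user: str
    issued_at: float


class OobPhoneVerifier:
    def __init__(self) -> None:
        self._enrollments: dict[str, Enrollment] = {}
        self._challenges: dict[str, Challenge] = {}

    def enroll(self, user: str, phone_number: str, pin: str) -> None:
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4 to 8 digits")
        salt = os.urandom(16)
        self._enrollments[user] = Enrollment(phone_number, salt, hash_pin(pin, salt))

    def start_login(self, user: str, now: float) -> tuple[str, str]:
        """Called after the first factor succeeds. Issues a single-use
        challenge and returns (challenge_id, number_to_call)."""
        enr = self._enrollments[user]
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(user=user, issued_at=now)
        return cid, enr.phone_number

    def answer_call(self, challenge_id: str, entered_pin: str, now: float) -> str:
        """What the callee keys in on the call. Each challenge is consumed on
        first use, so every PIN guess costs the attacker a fresh login attempt."""
        ch = self._challenges.pop(challenge_id, None)
        if ch is None:
            return "unknown_challenge"
        enr = self._enrollments[ch.user]
        if enr.locked:
            return "locked"
        if now - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return "expired"
        # Constant-time comparison of the derived hashes.
        if hmac.compare_digest(hash_pin(entered_pin, enr.pin_salt), enr.pin_hash):
            enr.failed_attempts = 0
            return "ok"
        enr.failed_attempts += 1
        if enr.failed_attempts >= PIN_ATTEMPT_LIMIT:
            enr.locked = True
            return "locked"
        return "bad_pin"


def simulate_stolen_phone(pins_tried: list[str]) -> list[str]:
    """Someone who receives every call-back (they hold the phone or control
    the carrier account) but does not know the PIN. Returns the outcome of
    each attempt. Sample user and PIN are constructed."""
    v = OobPhoneVerifier()
    v.enroll("alice", "+1-555-0100", "4821")
    results = []
    for i, guess in enumerate(pins_tried):
        cid, _number = v.start_login("alice", now=1000.0 + i)
        results.append(v.answer_call(cid, guess, now=1000.0 + i))
    return results


if __name__ == "__main__":
    print(simulate_stolen_phone(["0000", "1234", "1111", "4821"]))
    print(simulate_stolen_phone(["4821"]))
```

Whoever answers the call still has to supply the PIN, and the single-use challenge plus the attempt limit keep guessing it over the phone from being practical; the earlier point about carrier account hijacking therefore reduces the phone to a delivery channel rather than the whole second factor. Expiry and lockout decisions should be logged server-side, since a run of `bad_pin` results against one user is the signal that the phone channel may be in someone else's hands.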