Comments on: European vs. U.S. 2nd factor acceptance http://eyedentityonline.com/archives/17 Thu, 28 Aug 2008 19:19:22 +0000 http://wordpress.org/?v=2.3.1 By: Andy Steingruebl http://eyedentityonline.com/archives/17#comment-103 Andy Steingruebl Sat, 22 Sep 2007 21:45:00 +0000 http://eyedentityonline.com/archives/17#comment-103 My point was really that if you're doing SSL and *you* are properly authenticating the endpoint via SSL certificates (not mutual auth mind you) then they are perfectly secure as an authenticator. *You* aren't going to get MITM'd. Regular users are potentially... but that isn't an indictment against all forms of OTP, just for using them in certain circumstances - over non-authenticated channels for example. My point was really that if you’re doing SSL and *you* are properly authenticating the endpoint via SSL certificates (not mutual auth mind you) then they are perfectly secure as an authenticator. *You* aren’t going to get MITM’d. Regular users are potentially… but that isn’t an indictment against all forms of OTP, just for using them in certain circumstances - over non-authenticated channels for example.

]]> By: Hahleq http://eyedentityonline.com/archives/17#comment-99 Hahleq Tue, 18 Sep 2007 23:05:41 +0000 http://eyedentityonline.com/archives/17#comment-99 Andy, thanks for the comment. I have been a long-time OTP hater ever since I was asked to implement them and then use them when I worked in IT at a bank. That was a long time ago and a completely different world before the rise of the e-commerce internet and anyone considering Ma & Pa Smith being issued OTPs. Today, I am still an OTP basher because they give a false sense of security. An attacker does not need to have malware locally on my PC to compromise my OTP. These are not theoretical attacks, but real, live, "in the wild" attacks being carried out today. RSA themselves are touting their discovery of MITM kits available for any script kiddie with a dream of accessing and using. The jump from compromising OTP protected authentication to compromising a smartcard or PKI digital credential (to be more generic) is a much higher jump requiring at least a footprint within the local browser itself vs. existing purely on the internet. Certainly, I agree with your point that at some elevated level of local device compromise, there is no defense, OTP, smartcard, biometric, etc. Andy, thanks for the comment. I have been a long-time OTP hater ever since I was asked to implement them and then use them when I worked in IT at a bank. That was a long time ago and a completely different world before the rise of the e-commerce internet and anyone considering Ma & Pa Smith being issued OTPs.

Today, I am still an OTP basher because they give a false sense of security. An attacker does not need to have malware locally on my PC to compromise my OTP. These are not theoretical attacks, but real, live, “in the wild” attacks being carried out today. RSA themselves are touting their discovery of MITM kits available for any script kiddie with a dream of accessing and using.

The jump from compromising OTP protected authentication to compromising a smartcard or PKI digital credential (to be more generic) is a much higher jump requiring at least a footprint within the local browser itself vs. existing purely on the internet. Certainly, I agree with your point that at some elevated level of local device compromise, there is no defense, OTP, smartcard, biometric, etc.

]]> By: Andy Steingruebl http://eyedentityonline.com/archives/17#comment-95 Andy Steingruebl Sun, 16 Sep 2007 19:51:26 +0000 http://eyedentityonline.com/archives/17#comment-95 I'm not sure why OTP wouldn't be good for you. Yes, an OTP can theoretically be snaked by a MiTM attacker but for *you*, a security knowledgeable person to have an issue, you'd either have to get malware involved, or you'd have to ignore things like SSL warnings, etc. If you're worried about users in general, then yes, I can see potential issues with OTP. If you're thinking just about yourself, then perhaps the risks of an OTP solutions are overblown? If you're being owned by local malware that spoofs you, reads the OTP, etc. its isn't very likely that something like a smartcard would fare much better than an OTP scheme. I’m not sure why OTP wouldn’t be good for you. Yes, an OTP can theoretically be snaked by a MiTM attacker but for *you*, a security knowledgeable person to have an issue, you’d either have to get malware involved, or you’d have to ignore things like SSL warnings, etc.

If you’re worried about users in general, then yes, I can see potential issues with OTP. If you’re thinking just about yourself, then perhaps the risks of an OTP solutions are overblown?

If you’re being owned by local malware that spoofs you, reads the OTP, etc. its isn’t very likely that something like a smartcard would fare much better than an OTP scheme.

]]>