Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 2 Jul 2016 17:41:18 +0200
From: "" <>
Subject: Re: 2-Factor vs Authentication

On 07/02/2016 05:20 PM, Yoha wrote:
> Le 02/07/2016 à 17:10, a écrit :
>> On 07/02/2016 04:47 PM, Yoha wrote:
>>> Definitely agree with the most common form of 2FA.
>> the emphasis is:
>> the most common variant of any "new technology"
>> advocated for by the major market players
>> with a choir of "experts" and "gurus"
>> is always a very harmful piece crap,
>> guaranteed to compromise users security;
>> and the populus plays along happy and trustful.
> Sorry, I was not clear. I meant: I agree with your point of view,
> regarding this approach (sending a confirmation code), which seems to be
> the most common one from my personal experience.

for the sake of a rant i must add:
all modern days security "innovations" are founded on a multitude of 
wildly deranged assumptions.
people simply overlook all those assumptions: if we call "my" phone 
number "my", it must be really mine, doesn't it?

>>> [TOPT](
>>> are very easy to use, more secure than confirmation codes, *and* much
>>> faster (there are sometimes delays of a few minutes before the
>>> confirmation codes is received). Additionally, they allow better
>>> flexibility (e.g. when using multiple phones).
>> in other words, the second factor is defined here as:
>> preshared piece of software.
>> seems ok, but i am devoid of any deep insight on that.
> Well, there is not deep insight, it just look like the correct way to do
> any 2FA since, as you described previously, sending a confirmation code
> may not add that much security.

so far, it very difficult for me to determine if a well designed and 
perfectly safe second factor actually improves anything at all.

i _FEEL_ as if a hardware second factor (something i carry in my pocket) 
may have improved auth procedure in the sense of further reducing 
false-positive authentications.

taking that a basis (like an ideal second factor)
we may claim that a piece of preshared software may in theory be 
equivalent to the hardware token. _IF_ customised to be sufficiently 
unique, and run on a secure device. But here is the trap -- all commonly 
available devices are absolutely ANTI-secure. All your phones are 
hijacked by google and apple since the conception. so the software 
approach to the second factor is seriously undermined.

in addition to my theoretic question, i began with: "if it actually add 
security at all? in the ideal world"
we now have another, practical, question:
does it add any significant amount of security, given that your CUSTOM 
software is shared with the entire google corp.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.