Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Jul 2016 14:45:38 +0200
From: "" <>
Subject: Re: 2-Factor vs Authentication

On 07/04/2016 02:25 PM, Ark Arkenoi wrote:
> Yes, exactly: it was meant to massively reduce false positives, while keeping false negatives acceptably low.

false-negatives are never acceptably low, because they tend to occur in 
very critical moments.
for example, with SMS second factor you lose access to your account when 
travelling -- suddenly the password you carry in your VERY OWN HEAD is 
no longer proof of this head identity -- this is fucking INSULTING.

Your interaction with your virtual representation became dependent on
fucking many random factors: your phone battery, your provider 
availability, your physical location.

Not mentioning that the assumed attack cost against SS7 is only 
applicable to random strangers -- for the mobile phone operator this 
cost is ZERO.
your SMS second factor is compromised by literally many thousands people!

therefore, your initially assumed cost/benefit ratio is far from being 
obvious. for me, it seems too costly, too damaging and barely beneficial 
at all.

> BTW sms was much less reliable back those days and inter-operator issues happened all the time.
> Sent from my BlackBerry 10 smartphone.
>   Original Message
> From:
> Sent: Monday, July 4, 2016 14:34
> To:
> Reply To:
> Subject: Re: [passwords] 2-Factor vs Authentication
> On 07/03/2016 07:11 PM, ArkanoiD wrote:
>> The common consensus was ....
>> SMS+password being better than password alone, thus adding extra layer
>> won't hurt.
> This is a tremendously extraordinary statement in need of a huge proof.
> terms "extra layer" and "better" point to merely a cloud of human feelings.
> I can accept the premise for this statement:
> adding SMS to password reduces false-positive auth outcomes.
> (no matter how much and how needed)
> But it also increase false-negative auth outcomes!!!
> and I speculate sometimes it hurts the security too.
> and after all, as you now witnessing, when a logically inconsistent
> bullshit becomes accepted as a part of an info system, it tends to
> overthrow the logic of the host system and turn it into crap entirely.
> Same goes to the password policies.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.