The benefits of two factor authentication are pretty much Security 101 material. And we are also told that two factors are more than "password 1" and "password 2". RSA, for example, one of the leaders in two factor authentication, defines this pretty nicely:
There are a number of ways these factors can collapse. For example, for a one-time password token, the user typically needs to remember a password, or a PIN, as the second factor. Users tend to write this password on the back of the token, collapsing the factors: now you only need to "possess" the token. In a more elaborate case, I ran into a user who had a webcam at home pointed at the token (he always forgot his token at home). Now all you needed to access the system was "something known" (the URL of the webcam and the password).

Tokens themselves pose a different threat of collapsing factors. Tokens operate by calculating a hash of an internal secret (the "seed") and either a timestamp or a counter. You may not know the seed, but someone else may. This issue has come up with the recent breach of RSA that may have led to the leak of these seeds. The seed should not be directly related to the serial number printed on the device, but in the RSA case, it was alleged that the stolen data included some form of lookup table like that. RSA's algorithm to calculate the token value had already been leaked years earlier. Of course, in particular for software tokens, the algorithm can be reverse engineered. Evidently, someone has now managed to do just that, and to retrieve the seed value from the software token [3]. Physical tokens are usually hardened to prevent someone from stealing the seed value, in particular from doing so undetected. In many ways, a "token" is a secret that you don't know.

What should you do about all this? Know the limitations of two factor authentication and educate your users. They aren't the end of password attacks, but they make them substantially harder.

[1] http://www.rsa.com/glossary/default.asp?id=1056
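As an added illustration (not part of the diary, and not RSA's proprietary SecurID algorithm), the open HOTP and TOTP standards (RFC 4226 / RFC 6238) compute codes exactly the way the diary describes: an HMAC over a seed and either a counter or a clock-derived value. The seed below is the RFC 4226 test-vector secret, so the codes can be checked against the RFC; the point is that the seed record is the entire "something you have" and must be protected like a password database.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the time-step number."""
    return hotp(seed, unix_time // step, digits)


def verify_hotp(seed: bytes, counter: int, candidate: str, window: int = 5):
    """Server-side check with a small look-ahead window for counter drift.
    Returns the next expected counter on success, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(seed, c), candidate):
            return c + 1                          # never accept a replay
    return None


# Constructed sample: the 20-byte secret from the RFC 4226 test vectors.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    # The device and the verifier share nothing but SEED; anyone holding a
    # copy of SEED (a seed file, a backup, a vendor lookup table) derives the
    # same codes, which is what "a secret that you don't know" means here.
    for counter in range(3):
        print(counter, hotp(SEED, counter))
    print("accepted, next counter:", verify_hotp(SEED, 0, hotp(SEED, 1)))
    print("TOTP at t=59:", totp(SEED, 59))
```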
------
Johannes, ISC Handler
May 22nd 2012
RSA ships the SN/token seeds info to the customer admin. The SN and seed are not related. The customer makes the token assignments to specific users. RSA has no access to that info. Normally, the token serial number is not used during authentication.
dave
May 22nd 2012
- http://arstechnica.com/security/2012/05/rsa-securid-software-token-cloning-attack/
"... should be managed by a industry-wide specification known as the TPM, or trusted platform module*." * https://en.wikipedia.org/wiki/Trusted_platform_module ... sooner is better.
Jack
May 22nd 2012
Very good points, Johannes.
I have been confused in recent years by the proliferation of software tokens, whereby the token is displayed via an application on your computer screen and you need a PIN to display it. In short, you need a PIN and your usual password to gain full access, which in my mind is one factor, not two. ('two' things you know...) Unless I am missing something, aren't soft tokens like this misleading and defeating the purpose? Thanks for a good article (as always!)
Daniel
May 23rd 2012