WebApp Sec mailing list archives

RE: one-time password (OTP) authentication


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Tue, 21 Jun 2005 22:56:10 +1000

This is a fundamental point, ignored imho by proponents of OTP tokens. 
Unless the OTP has a keyboard and display (e.g. ATM-like physical security),
the risk of compromised clients (a mere tactical change by fraudsters)
outweighs the implementation cost.

Lyal

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Tuesday, 21 June 2005 10:36 PM
To: webappsec () securityfocus com
Subject: Re: one-time password (OTP) authentication


On 20/06/05 13:21 -0700, maburns () safenet-inc com wrote:
<snip>
Two-factor authentication is 1) "something physical only the user has" -
like a USB key, which is the same as an ATM card, and 2) a "PIN that 
only the user knows". This is not difficult to implement; there are SDKs 
available.

A "something the user has" plugged into the client makes it something the
attacker has. Always assume that the client is compromised.

Devdas Bhagat
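
As an added illustration of the point both posters make (this is not code from the thread), the following Python sketch contrasts a plain event-based OTP with a code computed on a token that has its own keypad and display over the payee and amount the user keys in. The shared secret, counter, payee names and amounts are constructed; the HOTP construction follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by token and server; real tokens carry per-device keys.
SECRET = b"constructed-demo-token-secret"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to a decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain OTP: depends only on the shared key and the counter, not on what is being approved."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def txn_otp(secret: bytes, counter: int, payee: str, amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound OTP: the token mixes in the payee and amount shown on its own display."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


def server_accepts(secret: bytes, counter: int, payee: str, amount_cents: int,
                   code: str, bound: bool) -> bool:
    """Server-side check over the transaction details it actually received."""
    expected = txn_otp(secret, counter, payee, amount_cents) if bound else hotp(secret, counter)
    return hmac.compare_digest(expected, code)


def simulate_tampered_client(bound: bool) -> bool:
    """True if a client that swaps the transaction after the user produced the code gets it accepted."""
    counter = 7
    intended = ("ACME Ltd", 10_000)        # what the user intends and sees on the token
    swapped = ("mule account", 999_900)    # what the compromised client actually submits
    # The user enters the intended details on the token keypad (bound) or just reads a code (plain).
    code = txn_otp(SECRET, counter, *intended) if bound else hotp(SECRET, counter)
    return server_accepts(SECRET, counter, *swapped, code, bound)


if __name__ == "__main__":
    print("plain OTP, swapped transaction accepted:", simulate_tampered_client(False))
    print("transaction-bound OTP, swapped transaction accepted:", simulate_tampered_client(True))
```

The plain code is accepted for whatever the client submits; the keypad-and-display code only verifies against the payee and amount the user actually saw.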

