WebApp Sec mailing list archives
Re: Two-Factor Authentication on the Web
From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 1 Jul 2006 00:46:41 +1000
On 30/06/2006, at 4:03 PM, Tim wrote:
> the only way I see that you can accurately validate someone would be through biometrics (something you are)
This is not possible, as:
- All devices in general are tamperable and not trustworthy when in the hands of the attacker
- Biometric devices have a long history of being little more than snake oil or toys. The good ones are significantly more expensive than ANY other form of actual 2FA authentication device
- Many attacks against existing biometric devices are so trivial as to be a complete joke. Check out this page: http://www.heise.de/ct/english/02/11/114/
- Lastly, trustworthy biometric registration requires an in-person visit, thus negating any possibility of remote authentication.
No matter what 2FA device you use, evidence of identity is only as strong as the registration process. I'd prefer to see the initial registration (and recovery of registration) done only in-person. Otherwise the process is open to abuse by definition.
thanks, Andrew