Comments on Gordon's Tech: RIP Password - Google's two factor authentication
(comment feed, last updated 2024-02-08T11:00:53-06:00; 12 comments, newest first)

John Gordon jr, 2011-02-14T16:52:47-06:00:

Google's open source move for PAM is very agreeable.

Unknown, 2011-02-14T15:42:09-06:00:

I think the PAM combined with the mobile app is particularly useful. The PAM is fairly simple to compile and configure for use on a Linux system. Should be usable on OS X too (full disclosure, I've had no joy compiling the module for OS X). Quick and easy two-factor authentication on Linux at least.

JGF, 2011-02-13T20:01:26-06:00:

Great comment - thanks! A recent bank technology news item had details about an attack on "Out-of-Band Authentication".

http://www.americanbanker.com/btn_issues/22_12/security-out-of-band-authentication-gets-outfoxed-1004394-1.html

A Wikipedia article on two factor authentication confirms my suspicion about man-in-the-middle attack vulnerability --

http://en.wikipedia.org/wiki/Two-factor_authentication

Still, it seems like Google's approach increased the cost of an attack. My understanding is that's the best security can do. Nothing will stop a sufficiently determined attacker; the goal is to make attacks so expensive that they're no longer profitable.

What do you think they should do instead of two factor authentication?

Anonymous, 2011-02-13T13:00:47-06:00:

Take it from an expert with over 15 years of experience in online security... This is the wrong direction. Google chose the worst form of two-factor authentication available ("out-of-band").

Google is perpetuating the misconception that a hacker cannot compromise the process since the hacker is not in possession of the user's phone. However, the hacker does not need to be in possession of the user's phone to compromise an "out-of-band" process. The hacker simply needs to trick the user into divulging the received phone code. This is the method typically used by hackers to compromise out-of-band authentication. The hacker constructs a counterfeit webpage to solicit the user's credentials (a relatively easy task for a hacker). Then, using scripting on the counterfeit webpage, they transmit the solicited credentials to the legitimate Google website. Google sends the user's phone a code, and the user, believing they are communicating with the legitimate Google website, enters the received code onto the counterfeit webpage. The counterfeit webpage then sends this additional information to the genuine Google website and... presto... they are logged into the victim's account.

All Google has done is add more complexity to their login process, but they have not added any real additional security. Companies who have toyed with this method in the past (Google is by no means the first) typically abandon it after several months due to high user complaints, great losses of users, and little security benefit realized.

JGF, 2011-02-13T12:04:18-06:00:

Application specific passwords are fully vulnerable; they should only be used on trusted devices. They're mostly for iPhone use or desktop email clients; these should only be used on trusted machines.

Anonymous, 2011-02-13T07:02:45-06:00:

I still don't understand the application-specific passwords though. They seem to have the same access, so what's to stop someone from stealing one of them instead?

JGF, 2011-02-12T23:58:38-06:00:

The keystroke loggers will get both my password and the Google provided code, but the code is only good for a short time.

I assume the combination of a keystroke logger and "man in the middle" attack could still steal credentials, but that's currently an expensive attack.

Jeffrey Yasskin, 2011-02-12T22:56:53-06:00:

"Soon it will be safe to use my Google services on untrusted (keystroke logger possible) machines -- like my office XP box. I'll configure my trusted machines to remember verification."

You really think the keylogger machines will honor your request not to remember verification?

JGF, 2011-02-12T11:00:25-06:00:

I understand that's also true in India. The US is a late adopter of most security measures.

Unknown, 2011-02-12T10:02:55-06:00:

Waiting is fine, I learnt a few lessons too, i.e., I no longer buy first-generation Apple products, my gadgets last longer than just a year, etc. With age comes wisdom I guess! ;)

I don't consider two-factor authentication geeky; at least in Switzerland it's standard for many websites with higher security requirements (e.g. online banking, health insurance accounts, VPN access in commercial environments, digital legal signatures, etc.). The main difference is that Google offers a smartphone app and not only SMS or a dedicated token generator/card reader.

JGF, 2011-02-12T09:40:25-06:00:

I should have written "Brave and inexperienced and natively lucky like Martin and Andrew ...".

I swear it's a curse. I attract bugs the way Goldman Sachs attracts money. So I always have to wait.

I'm impressed by how thorough they seem to have been with this. In their FAQ they also make clear this is for geeks and security types -- which is just right. It is the future, but it will take time to percolate.

Google is doing good.

Unknown, 2011-02-11T12:17:06-06:00:

"Of course I will wait several weeks before I switch over. I'm no fool. I'll let the brave and inexperienced take the arrows of early adoption."

Don't worry, as a paying Google Apps user I've used two-factor authentication for a few months now without any problems. For direct access I use Google Authenticator on my iPhone; for applications such as Apple Mail and Spanning Sync I use application-specific passwords generated by Google.