Blaming 2-Factor Authentication...Again

[zencoder]

I think Citigroup and others are using an SEP field here… Krebs, Schneier, and others keep blaming 2-factor authentication, which is incorrect.

First, their arguments, which I will soundly trounce.

• Citibank Phish Spoofs 2-Factor Authentication
• Failure of Two-Factor Authentication

Alright, I call “FOUL” on this one.

Bruce Schneier and other pundits have cried wolf over this sort of attack for some time now. Bruce has said more than once that 2-factor auth is not the answer; he’s right, in and of itself 2-factor user authentication is NOT the answer to all these problems. But it is the answer to a few of them. Some of these people dismiss 2-factor authentication out of hand because of it is not the end-all be-all answer, which is a mistake.

My full dissertation/oration/bitch-fest on the subject.

[ammo]

Couldn't agree more.

People are claiming 2-factor auth to be the wrong, while in fact it is the right answer... if you keep in mind the original question; now they're changing the question and, unsurprisingly, finding the answer to be wrong.

What is "Ultimate Answer to Life, the Universe, and Everything"... everyone should know this..: 42.
Now what's the ultimate question!?


I happened to reflect on this a while back and what I think (IMHO as it is now) would work best right now would be some kind of "Reverse Password" (TM). By that I mean that the site you are logging into should do somekind pre-auth, for example username + one time password (eg: rsa token), then if credentials match, the site display the pre-arranged "Reverse Password" (which you could provide at registration time for example). User verifies*, purely by memory, that said "Reverse Password" is in fact the one he originaly registered, after which, in the same page, user is prompted to provide his password/PIN. Mutual authentication is accomplished.

*Of course, this requires that you educate your users to ALWAYS make sure that when they are accessing your site (or even services like ATMs for which this could work) that they are SHOWN their private and unique reverse password before completing their login.

While this process is conceptually similare to cryptographic mutual auth, I believe that making the process at reach of un-technical users by making it easy to verify the site's authenticity (as opposed to deciphering x509 certificates, which have also been socially engineered in the past) would make the process much more efficient at preventing pishing (although it does not protect against pure network level MITMs; again right answer to right question...).


Comments, critics?


Ammo


Edit: Seems the idea has been thought of already (would have been surprised if not!); variants on this scheam have already been implemented under the appelation "site key" by Bank of America for example.

[nihil]

Hmmmmm,

Seems to me it doesn't matter what factor authentication you use if you are dumb enough to go to a fraudulent site.

The idea of two factor authentification is to provide additional authentication for people who allow their password to be compromised.

An additional feature is that if your system is compromised by a keylogger, there is a strong possibility that the information is obsolete and the session closed before any use can be made of it. Provided of course that the system only allows a single logon and does not permit re-initiation of a session.

An MIM attack works by creating, or riding on the back of a genuine session and keeping it open when the authorised user thinks that it has been closed. It is little different from giving your wife your bank card and pin number....................... the transactions are genuine.

To try to "blame" multi-factor authentication is as ridiculous as blaming antibiotics for not curing viruses. They don't......................get used to it