Comments on: Google Adds 2-Factor Security to Gmail, Apps

By: Dave

Dave — Tue, 22 Mar 2011 16:16:11 +0000

Saints –

I was actually pleasantly surprised to find that Google has somewhat of a control to address this. Services like POP/IMAP that do not support the 2-factor authentication cannot be used with your regular password. They allow you to setup an “application password” that is a nice long, strong, password, that you use only with that one service. Obviously it could still be compromised, but it is less likely to be compromised if you never type it in (safe from keyloggers) and you use it only for one service (less likely to escalate a compromise across services). Google lets you have as many of these as you want.

-Dave

By: Ross

Ross — Sun, 13 Feb 2011 14:08:53 +0000

You are right to be circumspect to be dubious about such claims. However ours are not made lightly.

If you take a bit of time to investigate the solution ( lots of information on the website ) – you will find that :

It’s not just the device, it’s the session/user context for that factor, and we support third party factors as well – creating our “N-Factor” synthesis ( as opposed to a sequential exchange of credentials over the browser – used by most solutions today ) which generates a one time signature at the device and at our stack – which are then compared over a separate communication path ( not the browser).

So yes – it is not just the device and no a device on its own is not multi-factor authentication.

Please test it for yourself. Download the code / mash it up and use it on your own site. You will be surprised. It has been through pen tests with some of the biggest names in the industry.

By: AD

AD — Thu, 10 Feb 2011 23:18:52 +0000

Re: Ross Macdonald – CEO of Liveensure

Device Fingerprinting is not multi factor authentication, no matter how much vendors like yourselves want to call it that. It is generally considered a part of any authentication solution, usually as a mechanism for profiling a user’s session to identify when it is necessary to request a higher level of authentication. To claim that it is “orders of magnitude” stronger than a proper 2 factor system is laughable.

By: Ross Macdonald

Ross Macdonald — Sun, 26 Sep 2010 18:04:58 +0000

it is laudable that the big boys like Google have finally woken up to the fragility of the user name / password paradigm. However there a few problems with the mobile phone route :

1. Cost – who carries the cost of the text messages ( especially cross border )
2. Reliability – SMS is a store and forward protocol. Fire and forget. There are a number of reasons why it may not be delivered. a) Network congestion; b) Bad network coverage ( in building ) c) Good old security – who is monitoring those text messages to make sure that no one from the network isn’t actually ‘skimming’ them?

All is not lost. There is a solution that addresses all of the above. Check out http://www.liveensure.com. This is a multi-factor authentication solution that is orders of magnitude stronger than this proposed solution.

By: JCitizen

JCitizen — Fri, 24 Sep 2010 22:57:34 +0000

I don’t really know – phones are getting pwned now too; but at least this should work on dumb cell phones, which is at least some protection. On a smart phone the malware could record the voice snippet and keylog the rest of it. I’m not sure their are very many phones now, that are totally invulnerable to malware. Especially since people always want to connect them to the PC anyway – Oops! There goes the PC bank session too!

I was sure I read of a second factor phone jacking session on web security somewhere recently. However this is definitely better than 99.9999% of what most banks are doing, which is nearly nothing! Add a third factor, and you got a pretty tight system. Cell cameras should be a good source for something along this line!

By: Steve Hendricks

Steve Hendricks — Fri, 24 Sep 2010 10:57:50 +0000

Brian-
My continuing struggle to get my local, small Town government to adopt a dedicated Linux OS for these delicate, high value data exchanges has brought me to a web service that seems to fill a void for those 2 groups (banks and clients) who can’t get institution offered, dual bandwidth transaction verification.
Called “PhoneFactor”, it appears to have many security elements and features much needed by average home users who likewise insist on using Windows to bank.
It’s worth looking at for those who aren’t security experts, and it’s free for some users.
http://www.phonefactor.com/how-it-works/overview

By: Mike

Mike — Thu, 23 Sep 2010 14:29:00 +0000

From a practical standpoint, there’s a fairly great hurdle for a single bad guy to gain access to both a particular consumer’s compromised phone and computer. So if a bank requires both of those, and you’re not high-profile enough to actually be worth spending effort targeting, you’re safe enough. (Now, if you do your banking from your phone, and the phone is the second factor, you’re in a much riskier place.)

By: Mike

Mike — Thu, 23 Sep 2010 14:23:54 +0000

The concept is that you don’t enter your password unless you see the picture showing you that you’re on the right site. The picture is associated with a cookie on your machine, and if you go to a new machine you need to answer extra questions before you get the picture. So a man in the middle attack spoofing the bank’s web server in theory can’t show you the right picture, and you should get suspicious. If the bad guy prompts for the answers to the questions, though, most people will just answer without seeing that as a red flag. So in practice there’s not that much difference between a password and a password plus answers to questions. (It’s multiple single factors, not a 2-factor mechanism.) And if there’s a zeus trojan controlling your computer, the bad guy can just log in from there and ignore the whole secret question issue (because your browser already has the cookie and won’t be prompted to answer the questions). So the whole sitekey solution addresses only a small part of the problem, and does it in a way that requires an exceptionally alert customer to know when a sometimes-normal transaction is actually a red flag — it’s just window dressing to make it look like the institution cares about security. If they really cared about security they’d implement an out-of-band transaction authentication which depends on something physical (not stored on the computer).

By: JCitizen

JCitizen — Tue, 21 Sep 2010 23:23:46 +0000

Although xAdmin has the best advice on smart practices, my clients refuse to comply. Therefor I felt forced to find what I though had the best idea for password management.

Bear in mind I have no axe to grind and there may be better free managers out there. I picked LastPass because it was free, open source, stored all passwords and sensitive information in the cloud, came highly recommended by the IT community, communicated over SSL (of course) and stored no information on the client side hard drive. You only need one password to gain access to the console, so that one should be authored like xAdmin’s guidelines. Changing it every three months or earlier isn’t a bad idea either.

I read an article by Michael Kassner on TechRepublic where he worked with the developers at LastPass; and he did a remote session into his account and couldn’t see any of the information himself without using his console! LastPass claims even local technicians have no access to the data. I must admit I don’t understand their special host intrusion system, so I defer making comments on it.

All cautions about keyloggers and screen capture apply here, using a utility that works at the kernel level while you are infected is the best practice in preventing such attacks.

By: xAdmin

xAdmin — Tue, 21 Sep 2010 18:03:46 +0000

The best password manager is the human brain! Seriously.

While password managers use some type of encryption, the information is a: stored on the computer and b: is software that can be hacked on that computer. If your computer is compromised or stolen, that password information is included with it for the bad guys to hack into and use at will. That’s also why I always turn off the browsers built-in autocomplete function that stores usernames and passwords and don’t like password managers.

I know it’s difficult to remember multiple passwords, but it is easier if you use passphrases of something you’ll easily remember, but at the same time are complex enough to be difficult to hack. I use a few different ones and will use them randomly across a few non-critical accounts while anything critical such as online banking gets its own unique one for maximum security.

Besides, using your brain this way gives it exercise and helps your memory retention.