As you may know, since this system uses no cryptography, it is susceptible to MiTM attacks. There's nothing to stop the attacker from showing the pictures and in turn replaying the choice for your server. It's a waste of time, a hassle for the users, more software to maintain and it creates a false sense of security.
On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
> I heard a rumor today that our Security Office wants to change how CAS works.
>
> They want the users to pre-select a picture, then add a caption to it.
>
> When the user enters their netid they will be presented with multiple pictures and must select the correct one before being prompted for their password.
>
> I know this can be done via web flow in the same way that MFA works, but this just seems so wrong.
>
> I'd rather force everyone to use MFA.
>
> Bryan Wooten
>
> UIT-Common Infrastructure Systems
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
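The point in the reply above, worked through as a small in-process model. This is an added example, not code from the thread or from CAS: `PictureServer`, `Relay`, the picture pool and the user record are all constructed here. The first half models the proposed flow (netid, candidate pictures, choice) with a relay sitting between the user and the server and shows that the server's check passes either way, because nothing in the exchange ties the choice to the site the user actually reached. The second half goes beyond the email: it contrasts the same flow with a keyed response that includes the origin the client connected to, which is the property that makes a step relay-resistant.

```python
"""Toy model of the picture-selection login step discussed in the thread,
with a relay (man-in-the-middle) placed between user and server.

Added illustration, not code from the thread or from CAS. All names, the
picture pool, the user record and the origin-bound variant are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample record: the picture and caption the user pre-selected,
# plus a per-user key used only by the origin-bound variant below.
USER_DB = {
    "alice": {"picture": "lighthouse", "caption": "summer 2013", "key": b"per-user-secret"},
}
PICTURE_POOL = ["bridge", "forest", "lighthouse", "cat"]


class PictureServer:
    """Server side of the proposed scheme: netid -> candidate pictures -> choice."""

    origin = "cas.example.edu"  # constructed hostname of the real server

    def start_login(self, netid):
        # The user's own picture is shown among decoys; the user must pick it.
        return list(PICTURE_POOL)

    def check_picture(self, netid, choice):
        return choice == USER_DB[netid]["picture"]


class Relay:
    """A site that sits between the user and the real server and forwards both steps."""

    origin = "cas-login.example.net"  # constructed look-alike hostname

    def __init__(self, server):
        self.server = server

    def start_login(self, netid):
        return self.server.start_login(netid)            # fetch the real pictures

    def check_picture(self, netid, choice):
        return self.server.check_picture(netid, choice)  # replay the user's choice


def user_picks(netid, candidates):
    """The user simply recognises their own picture among the candidates."""
    mine = USER_DB[netid]["picture"]
    return mine if mine in candidates else None


def picture_login(site, netid):
    """Run the picture step against whatever site the user's browser reached."""
    candidates = site.start_login(netid)
    return site.check_picture(netid, user_picks(netid, candidates))


class OriginBoundServer(PictureServer):
    """Same flow, but the step is a keyed response over a fresh challenge AND the
    origin the client connected to (the principle behind origin-bound authenticators)."""

    def start_login(self, netid):
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def check_response(self, netid, response):
        expected = hmac.new(USER_DB[netid]["key"],
                            self.challenge + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class OriginBoundRelay(Relay):
    def check_response(self, netid, response):
        return self.server.check_response(netid, response)  # forwarded unchanged


def client_response(netid, challenge, origin_seen):
    """The user's authenticator binds the response to the origin it is actually talking to."""
    return hmac.new(USER_DB[netid]["key"],
                    challenge + origin_seen.encode(), hashlib.sha256).digest()


def origin_bound_login(site, netid):
    challenge = site.start_login(netid)
    return site.check_response(netid, client_response(netid, challenge, site.origin))


if __name__ == "__main__":
    server = PictureServer()
    print("direct picture check:", picture_login(server, "alice"))          # True
    print("relayed picture check:", picture_login(Relay(server), "alice"))  # True, relay is invisible
    bound = OriginBoundServer()
    print("direct origin-bound:", origin_bound_login(bound, "alice"))                   # True
    print("relayed origin-bound:", origin_bound_login(OriginBoundRelay(bound), "alice"))  # False
```

The server's picture check returns the same result with or without the relay, which is the waste the reply describes: the user does extra work and the server learns nothing about where the choice came from. In the origin-bound variant the relay still forwards every message faithfully, but the client mixed the relay's hostname into its response, so verification against the real origin fails.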
