How would the attacker know which pictures with captions to present to the
user?
This sounds similar to a scheme my credit union used at one time. I could
choose a picture, which they would display to me on the login page. If I
didn't see the picture I chose, then I would know it wasn't the credit
union's login page. It was a user-friendly way to verify the identity of
the web site.
Anyways, it still isn't a substitute for MFA because there really isn't a
second factor involved.
Andy
On Thu, 16 Oct 2014, Nick Owen wrote:
> As you may know, since this system uses no cryptography, it is
> susceptible to MiTM attacks. There's nothing to stop the attacker
> from showing the pictures and in turn replaying the choice for your
> server. It's a waste of time, a hassle for the users, more software
> to maintain and it creates a false sense of security.
>
> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
>> I heard a rumor today that our Security Office wants to change how CAS
>> works.
>>
>> They want the users to pre-select a picture, then add a caption to it.
>>
>> When the user enters their netid they will be presented with multiple
>> pictures and must select the correct one before being prompted for their
>> password.
>>
>> I know this can be done via web flow in the same way that MFA works, but
>> this just seems so wrong.
>>
>> I'd rather force everyone to use MFA.
>>
>> Bryan Wooten
>>
>> UIT-Common Infrastructure Systems
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication