The idea is if MITM is possible, this scheme falls down. The MITM can just present the same pictures.

If it is just someone who phished a password, it does make it harder, depending on how many pictures there are and how many guesses the attacker gets. Of course, the pictures could also be part of a phishing scheme.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Andrew Morgan" <[email protected]>
To: [email protected]
Sent: Thursday, October 16, 2014 1:32:53 PM
Subject: Re: [cas-user] Has anybody done this?

How would the attacker know which pictures with captions to present to the user?

This sounds similar to a scheme my credit union used at one time. I could choose a picture, which they would display to me on the login page. If I didn't see the picture I chose, then I would know it wasn't the credit union's login page. It was a user-friendly way to verify the identity of the web site.

Anyways, it still isn't a substitute for MFA because there really isn't a second factor involved.

Andy

On Thu, 16 Oct 2014, Nick Owen wrote:

> As you may know, since this system uses no cryptography, it is
> susceptible to MiTM attacks. There's nothing to stop the attacker
> from showing the pictures and in turn replaying the choice for your
> server. It's a waste of time, a hassle for the users, more software
> to maintain and it creates a false sense of security.
>
> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
>> I heard a rumor today that our Security Office wants to change how CAS
>> works.
>>
>> They want the users to pre-select a picture, then add a caption to it.
>>
>> When the user enters their netid they will be presented with multiple
>> pictures and must select the correct one before being prompted for their
>> password.
>>
>> I know this can be done via web flow in the same way that MFA works, but
>> this just seems so wrong.
>>
>> I'd rather force everyone to use MFA.
>>
>> Bryan Wooten
>> UIT-Common Infrastructure Systems
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
