Is there any possible protection if a person can MITM an SSL webpage?  I 
don't see how MFA would help either.

        Andy

On Thu, 16 Oct 2014, Waldbieser, Carl wrote:

>
> The idea is if MITM is possible, this scheme falls down.  The MITM can just 
> present the same pictures.
>
> If it is just someone who phished a password, it does make it harder, 
> depending on how many pictures there are and how many guesses the attacker 
> gets.
>
> Of course, the pictures could also be part of a phishing scheme.
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Andrew Morgan" <[email protected]>
> To: [email protected]
> Sent: Thursday, October 16, 2014 1:32:53 PM
> Subject: Re: [cas-user] Has anybody done this?
>
> How would the attacker know which pictures with captions to present to the
> user?
>
> This sounds similar to a scheme my credit union used at one time.  I could
> choose a picture, which they would display to me on the login page.  If I
> didn't see the picture I chose, then I would know it wasn't the credit
> union's login page.  It was a user-friendly way to verify the identity of
> the web site.
>
> Anyways, it still isn't a substitute for MFA because there really isn't a
> second factor involved.
>
>       Andy
>
> On Thu, 16 Oct 2014, Nick Owen wrote:
>
>> As you may know, since this system uses no cryptography, it is
>> susceptible to MiTM attacks.  There's nothing to stop the attacker
>> from showing the pictures and in turn replaying the choice for your
>> server.  It's a waste of time, a hassle for the users, more software
>> to maintain and it creates a false sense of security.
>>
>>
>> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
>>> I heard a rumor today that our Security Office wants to change how CAS
>>> works.
>>>
>>> They want the users to pre-select a picture, then add a caption to it.
>>>
>>> When the user enters their netid they will be presented with multiple
>>> pictures and must select the correct one before being prompted for their
>>> password.
>>>
>>> I know this can be done via web flow in the same way that MFA works, but
>>> this just seems so wrong.
>>>
>>> I’d rather force everyone to use MFA.
>>>
>>> Bryan Wooten
>>>
>>> UIT-Common Infrastructure Systems
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>> --
>> Nick Owen
>> WiKID Systems, Inc.
>> http://www.wikidsystems.com
>> Commercial/Open Source Two-Factor Authentication
>>