I think with DUO the MFA is out of band so that should protect against MITM?
https://www.duosecurity.com/blog/passwordscon-2014-end-user-authentication-security-on-the-internet

-Bryan

-----Original Message-----
From: Andrew Morgan [mailto:[email protected]]
Sent: Thursday, October 16, 2014 11:49 AM
To: [email protected]
Subject: Re: [cas-user] Has anybody done this?

Is there any possible protection if a person can MITM an SSL webpage? I don't see how MFA would help either.

Andy

On Thu, 16 Oct 2014, Waldbieser, Carl wrote:

> The idea is if MITM is possible, this scheme falls down. The MITM can just
> present the same pictures.
>
> If it is just someone who phished a password, it does make it harder,
> depending on how many pictures there are and how many guesses the attacker
> gets.
>
> Of course, the pictures could also be part of a phishing scheme.
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Andrew Morgan" <[email protected]>
> To: [email protected]
> Sent: Thursday, October 16, 2014 1:32:53 PM
> Subject: Re: [cas-user] Has anybody done this?
>
> How would the attacker know which pictures with captions to present to
> the user?
>
> This sounds similar to a scheme my credit union used at one time. I
> could choose a picture, which they would display to me on the login
> page. If I didn't see the picture I chose, then I would know it
> wasn't the credit union's login page. It was a user-friendly way to
> verify the identity of the web site.
>
> Anyways, it still isn't a substitute for MFA because there really
> isn't a second factor involved.
>
> Andy
>
> On Thu, 16 Oct 2014, Nick Owen wrote:
>
>> As you may know, since this system uses no cryptography, it is
>> susceptible to MiTM attacks. There's nothing to stop the attacker
>> from showing the pictures and in turn replaying the choice for your
>> server. It's a waste of time, a hassle for the users, more software
>> to maintain and it creates a false sense of security.
>>
>> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
>>> I heard a rumor today that our Security Office wants to change how
>>> CAS works.
>>>
>>> They want the users to pre-select a picture, then add a caption to it.
>>>
>>> When the user enters their netid they will be presented with
>>> multiple pictures and must select the correct one before being
>>> prompted for their password.
>>>
>>> I know this can be done via web flow in the same way that MFA works,
>>> but this just seems so wrong.
>>>
>>> I'd rather force everyone to use MFA.
>>>
>>> Bryan Wooten
>>>
>>> UIT-Common Infrastructure Systems
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>> --
>> Nick Owen
>> WiKID Systems, Inc.
>> http://www.wikidsystems.com
>> Commercial/Open Source Two-Factor Authentication
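The distinction Carl and Nick draw above, between an attacker who only phished the password (and has to guess the picture) and one who can sit in the middle (and simply forwards the real panel), can be made concrete with a small model. The following is an added example, not code from this thread or from CAS; everything in it is constructed: an in-memory server that shows each netid a fixed panel (the enrolled picture plus decoys) and locks the step after a limited number of picks, a user who clicks their own picture wherever it is shown, and the two adversaries. Names such as `PictureServer`, `relay_mitm` and `student1` are assumptions for the example.

```python
"""Toy model of the picture-before-password step discussed in this thread.

Added example, not code from the thread or from CAS. The server, the user and
both adversaries are constructed stand-ins; no network code is involved.
"""
import random
from fractions import Fraction


class PictureServer:
    """Constructed stand-in for the picture step of a login web flow."""

    def __init__(self, panel_size=9, max_attempts=3, seed=1):
        self.panel_size = panel_size
        self.max_attempts = max_attempts
        self._rng = random.Random(seed)
        self._accounts = {}  # netid -> {"picture": str, "panel": [str], "attempts": int}

    def enroll(self, netid, picture, decoys):
        """The user pre-selects a picture; the server fixes the decoys shown beside it."""
        if len(decoys) < self.panel_size - 1:
            raise ValueError("not enough decoys to fill the panel")
        panel = [picture] + list(decoys[: self.panel_size - 1])
        self._rng.shuffle(panel)
        self._accounts[netid] = {"picture": picture, "panel": panel, "attempts": 0}

    def challenge(self, netid):
        """Step 1: the netid is entered and the panel of pictures comes back."""
        return list(self._accounts[netid]["panel"])

    def verify_pick(self, netid, pick):
        """Step 2: True means 'correct picture, now show the password prompt'."""
        acct = self._accounts[netid]
        if acct["attempts"] >= self.max_attempts:
            return False  # step locked: too many picks for this netid
        acct["attempts"] += 1
        if pick == acct["picture"]:
            acct["attempts"] = 0  # a genuine login resets the counter
            return True
        return False


def relay_mitm(server, netid, victim_picture):
    """Proxy between victim and server (the case Nick and Carl describe).

    It never needs to know the enrolled picture in advance: it fetches the real
    server's panel, shows that panel on its look-alike page, and replays the click.
    """
    panel = server.challenge(netid)                 # proxy -> real server
    assert victim_picture in panel                  # the victim sees their own picture
    return server.verify_pick(netid, victim_picture)  # proxy replays the victim's pick


def password_only_phisher(server, netid, rng):
    """Attacker with the password but no relay: guesses pictures in random order
    until the server accepts one or the step locks."""
    for pick in rng.sample(server.challenge(netid), server.panel_size):
        if server.verify_pick(netid, pick):
            return True
    return False


def phisher_success_probability(panel_size, max_attempts):
    """Exact chance for the guessing attacker with a fixed panel: the enrolled
    picture must be among the first max_attempts distinct guesses."""
    return Fraction(min(max_attempts, panel_size), panel_size)


def simulate_phisher(trials, panel_size=9, max_attempts=3, seed=7):
    """Monte Carlo check of phisher_success_probability on fresh servers."""
    rng = random.Random(seed)
    decoys = [f"decoy-{i}" for i in range(panel_size - 1)]
    wins = 0
    for _ in range(trials):
        server = PictureServer(panel_size, max_attempts, seed=rng.randrange(1 << 30))
        server.enroll("student1", "sailboat", decoys)
        wins += password_only_phisher(server, "student1", rng)
    return wins / trials


if __name__ == "__main__":
    srv = PictureServer()
    srv.enroll("student1", "sailboat", [f"decoy-{i}" for i in range(8)])
    print("relay MITM accepted on first try:", relay_mitm(srv, "student1", "sailboat"))
    print("guessing phisher, exact:", phisher_success_probability(9, 3))
    print("guessing phisher, simulated:", simulate_phisher(5000))
```

The lockout only ever bites the guessing attacker (and, after enough wrong picks, the legitimate user); the relay gets the correct picture on its first and only attempt because the server cannot distinguish the proxy's request from the user's. That is the "false sense of security" Nick refers to: the picture check verifies that whoever is displaying the page has seen the real panel, not that the page is the real server.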
