On Apr 20, 2012, at 4:01 PM, Tom Metro wrote:
> 
> Basic two-factor principle:
> 
> Factor 1: something you know (the password you type into the
> single-sign-on prompt on your desktop/laptop);

In the typical case, a two-factor system uses a security token of some sort and 
a code to unlock that token to make it useful.  Problem: users forget their 
passwords, so they write them down on post-it notes.  What reason do you have to 
expect anything different for the token unlock codes?

In the atypical case where the token's proximity is required in addition to the 
desktop password, we still have users writing their passwords on post-it notes 
and sticking them on their monitors.  All that an attacker needs to do is 
convince the target computer that the token is nearby.  This can be done with a 
relay attack, or it could be some clever bit of scheduling a meeting one floor 
up or down or next door to the victim's space, or it could be stealing the 
victim's phone.  Or it could be accidental when the victim leaves his iPhone or 
iPad on the USB wire to charge it.

You can layer more and more complexity in order to cover these loopholes and 
improve your warm, fuzzy feeling of security.  Or you can do something simple: 
lock the door.  Maintain good physical site security.  Then it won't matter if 
users write their passwords on post-it notes.  If attackers can't gain physical 
access then those post-its do them no good.  Problem solved.

--Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
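The relay attack Rich describes, simulated as an added example (this is not code from the original post or from any product it mentions). A challenge-response token answers whatever challenge it is handed; the desktop learns only that the right key answered, not where the key is, so forwarding the exchange over a network passes a MAC-only check. The simulation also shows the extra layer Rich alludes to: a round-trip-time bound that rejects the slow relayed exchange. All keys, latencies, class names and the 5 ms bound are assumptions chosen for the demo, and a deterministic simulated clock stands in for wall-clock time so it runs offline.

```python
"""Simulation of a proximity-token relay attack (constructed example).

A token that answers HMAC challenges cannot by itself prove it is next to
the desktop: an attacker who relays the challenge/response over a network
gets an identical, valid answer.  Keys, latencies and names are assumptions.
"""
import hashlib
import hmac
import os


class SimClock:
    """Deterministic clock so latencies are fixed and the demo runs offline."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class Token:
    """The user's token: answers any challenge with HMAC over a shared key.
    It has no idea who is asking or where the challenge came from."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def direct_link(token, clock, one_way_s=0.0005):
    """Token physically next to the desktop (USB/NFC-class latency, assumed)."""

    def send(challenge):
        clock.advance(one_way_s)
        response = token.respond(challenge)
        clock.advance(one_way_s)
        return response

    return send


def relay_link(token, clock, hop_s=0.040):
    """Relay attack: an attacker at the desktop forwards the challenge over a
    network to an accomplice beside the unattended token and returns the
    answer.  The bytes are identical to the direct case; only the time differs."""

    def send(challenge):
        clock.advance(hop_s)       # desktop -> accomplice (network, assumed 40 ms)
        clock.advance(0.0005)      # accomplice -> token (local)
        response = token.respond(challenge)
        clock.advance(0.0005)      # token -> accomplice
        clock.advance(hop_s)       # accomplice -> desktop
        return response

    return send


class Verifier:
    """Desktop side.  With max_rtt_s=None it checks only the MAC, which is
    all a naive "is the token nearby?" check amounts to."""

    def __init__(self, key, clock, max_rtt_s=None):
        self.key = key
        self.clock = clock
        self.max_rtt_s = max_rtt_s

    def authenticate(self, link):
        challenge = os.urandom(16)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        started = self.clock.now
        response = link(challenge)
        rtt = self.clock.now - started
        mac_ok = hmac.compare_digest(response, expected)
        timing_ok = self.max_rtt_s is None or rtt <= self.max_rtt_s
        return mac_ok and timing_ok, rtt


def run_demo():
    """Returns accept/reject for each scenario; the relay passes the naive check."""
    key = os.urandom(32)
    clock = SimClock()
    token = Token(key)
    naive = Verifier(key, clock)                       # MAC only
    bounded = Verifier(key, clock, max_rtt_s=0.005)    # MAC + 5 ms RTT bound (assumed)
    return {
        "naive_direct": naive.authenticate(direct_link(token, clock))[0],
        "naive_relayed": naive.authenticate(relay_link(token, clock))[0],
        "bounded_direct": bounded.authenticate(direct_link(token, clock))[0],
        "bounded_relayed": bounded.authenticate(relay_link(token, clock))[0],
        "wrong_key": bounded.authenticate(direct_link(Token(os.urandom(32)), clock))[0],
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The cryptography is never at fault here: `naive_relayed` is accepted because the MAC is genuine. The RTT bound rejects a network relay, but a millisecond-scale software check says nothing about a radio-speed relay (light covers hundreds of kilometres in a millisecond), which is why real distance bounding is done at the physical layer and why the post's point stands that proximity is hard to prove in software.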
