[imp] 2-Step Authentication
Michael M Slusarz
slusarz at horde.org
Thu Apr 19 07:48:00 UTC 2012
Quoting Andrew Morgan <morgan at orst.edu>:
> I'm not sure where you are getting your information from - unless
> you think Google's 2-step verification via a cell phone is not
> actually 2-factor authentication? Since a hacker won't have access
> to your phone, they cannot retrieve the one-time PIN generated by
> Google and sent to your phone.
I didn't say this wasn't 2-factor authentication. Of course it is.
But what does that mean? 2-factor authentication in and of itself
doesn't imply any sort of additional security.
AFAICT, with Google's system you could have a password like
"password". You then get a PIN such as "123456". So your password
essentially becomes "password123456". Don't see how this is any
different than forcing a user to have a password of at least 12
characters, and having this password expire every 30 days.
Especially since almost every sane user is NOT going to have the PIN
sent to them on every email access. They are going to have the PIN
sent to them once every 30 days. (I will say that having the PIN sent
every time is similar to the RSA keyfob security method, although not
as secure since the PIN has to be delivered via the cellular network).
Not to mention that if you REALLY care about security, you're not
going to have Google host your data anyway.
> Sending an SMS message to an arbitrary cell phone number is hard
> though. Most providers have email-to-SMS gateways, but that requires
> getting more information from the user than just their cell phone
> number. You need to know their carrier in order to lookup the email
> gateway from a list, or the user must provide the full email-to-SMS
> gateway email address for their phone. Sending "real" SMS messages
> requires getting a special cell card from a carrier and signing a
> contract saying how many messages you'll be sending.
You simply can't require SMS for anything. Cell service is not
universal. And plenty of people don't have SMS, because of cost (e.g.
my parents) or because of technical reasons (I have friends who work
in the finance industry who, because of SEC regulations, are not
allowed to receive SMS messages).
It seems to me that an OTP system is preferable to any kind of system
that requires an additional network. Especially with the prevalence
of smartphones, it is trivial for a user to carry around the pad
(which used to be the limiting factor in implementing). It implements
no further requirements than Google's 2-factor system since both
require a phone, and has the additional bonuses of being easier to
implement and, if implemented correctly, 100% secure.
My point being that at a practical level, you can provide secure
passwords easier/more reliably by enforcing appropriate password
policies rather than by adding additional levels to the process.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
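To illustrate the network-free OTP approach argued for in the message above, here is an added example (written for this page, not code from the list or from Horde/IMP) of an RFC 4226 HOTP / RFC 6238 TOTP generator with the server-side verifier that goes with it. The secret is the RFC test vector key used as a constructed demo value, and the clock-drift window, the `last_used` replay check and all function names are choices of this example, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key (the RFC 4226/6238 test-vector secret), NOT a real credential.
# Real deployments generate a random per-user secret at enrollment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch.
    The phone computes this from its own clock; no network delivery is involved."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched counter, or None on failure.
    - accepts the current period and +/- `window` neighbours to tolerate clock drift
    - refuses any counter <= last_used so an intercepted code cannot be replayed
    - uses a constant-time comparison for each candidate"""
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter  # caller must persist this as the new last_used value
    return None


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect at enrollment."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "-> counter", verify_totp(DEMO_SECRET, code, now))
```

Because every code is derived from the shared secret and the current time step, and the server remembers the last counter it accepted, a captured code is worthless after its 30-second period or after a single use, which is what separates this from a fixed "password123456".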