From the EULA of their software:
The point is to reduce the amount of time that a captured password is valid. Since the fob output is typically only valid for a minute, this means that any attacker would either need a very complex automated system or would need to be sitting there waiting for you to log in to your bank, instead of just putting up a keylogger or traffic logger and coming back next week. This significantly raises the bar for an attacker, and for the cost it is some of the best risk reduction you can get.
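The short validity window described above, as an added example that is not from the original post or any commenter: a server-side verifier for a one-minute time-based code (HOTP per RFC 4226, driven by a time counter as in RFC 6238) that accepts a code only within one step of clock skew and refuses any time step already consumed, so a captured code cannot be replayed later. The secret is the RFC 4226 test secret, used here as a constructed sample.

```python
import hmac
import hashlib
import struct

# Constructed sample: the RFC 4226 test-vector secret, not a real key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 60) -> str:
    """Fob side: the counter is the current 60-second time step."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Bank side: accept codes within +/- `skew` steps of the server clock and
    never accept a time step at or before the last one that succeeded."""

    def __init__(self, secret: bytes, step: int = 60, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        cur = int(now // self.step)
        for s in range(cur - self.skew, cur + self.skew + 1):
            if s <= self.last_step:  # replay of a consumed step is rejected
                continue
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


def replay_demo() -> tuple:
    """A code captured at t=100s is used once, then replayed 10s, 30s and 10 minutes later."""
    v = TotpVerifier(SECRET)
    captured = totp(SECRET, 100)  # what a keylogger or traffic logger would see
    first = v.verify(captured, 100)   # legitimate login: accepted
    replay_a = v.verify(captured, 110)  # same step, already consumed: rejected
    replay_b = v.verify(captured, 130)  # still inside skew window, but consumed: rejected
    replay_c = v.verify(captured, 700)  # minutes later, outside the window: rejected
    return first, replay_a, replay_b, replay_c
```

The attacker's leftover option is to use the code inside the same minute, which is exactly the "sitting there waiting" cost the comment refers to.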
As long as this is part of the key, the key will have its faults.
The attack is basically what Bruce described. In the case of a Man-in-the-Middle attack, there is basically a proxy/app gateway that presents a fake bank website to the user and acts as a client to the real bank website. This proxy/gateway just passes whatever authentication the user inputs on to the real bank website. Depending on the sophistication of the malicious proxy/gateway, it can then do whatever it wants with the real bank website and present whatever it wants back to the user (the user could see web pages that look like they completed a valid transaction, but the proxy/gateway did something completely different with the real bank website). This attack works because the user doesn't properly verify that they are communicating with the real bank website.
Any comments on my two cents!!!
I say Microsoft's CeBIT announcement that they are moving to two-factor authentication is a good sign, as is their move towards leveraging identity technology already deployed:
This is certainly a rather lively discussion!
When I take a step back from this blog entry, what I see is a message that too many companies have built authentication systems on a very weak foundation, so they now must spend a lot of money trying to improve security and win the trust of their customers. But the reality is that they will soon have real choices with regard to stronger authentication, fed by real demand. And I predict that the right combination of investment and demand, based on regulation (self or imposed), will actually lead to innovations and a drop in the amount of fraud and identity theft.
(and this has been a kool discussion ;)
So which is it? Are you just warning everyone against thinking two-factor authentication is some sort of security panacea? Perhaps this is in response to the flurry of comments on your blog regarding remote access to a utility: