Database Breach - An Update


Dark0ne


There is actually more than just one way to implement 2 factor. I am amazed at the number of people that believe a cell phone MUST be used and ONLY a cell phone can be used for two factor authentication.

Chip and pin is a 2 factor method used for credit cards. And guess what - No cell phone is needed.

Most 2 factor systems use one physical and one data authentication. The data is usually a password or pin. While the physical can be the chip in the card, a USB stick, a physical key, a fingerprint or iris scan or ... a cell phone. There are others as well. Both MS & Google are working on a face recognition or voice recognition system that could be the second factor.

Regarding Two-factor Authentication:

<snip>

It also gives Nexus access to my phone number, something I am NOT comfortable with. Freely handing out data to prevent the theft of said data is illogical. Requiring users to use a device they may not own is illogical. Linking yet more data to a database that has already been hacked is illogical.

All that being said, mandatory Two-Factor Authentication would be the end of my using the Nexus website.

My two cents.

Guess you missed the part about the authenticators (passwords, in this case) having been hashed and salted, so not compromised, even though other data was. If a mobile phone were to be used as a piece of a 2FA solution those numbers would be similarly protected. In other words your concern, while not entirely baseless, is misplaced.

I'm constantly surprised at the ways in which people misunderstand the fundamentals of encryption and its correct implementation.

As usual, xkcd has a great example:

Password Strength
http://imgs.xkcd.com/comics/password_strength.png

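Salted password hashing, as the reply above describes it, shown as an added example that is not part of this thread: each record carries a fresh random salt beside a PBKDF2-HMAC-SHA256 digest, verification recomputes the digest and compares in constant time, and the entropy arithmetic behind the xkcd comic decides how long such a record resists offline guessing. The record format and the low iteration count are assumptions made for the demo, not anything the Nexus site is known to use.

```python
import hashlib
import hmac
import math
import os

# Demo work factor (assumed for this example). Production deployments use a far
# higher iteration count, or a memory-hard scheme such as Argon2 or scrypt.
ITERATIONS = 10_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    The per-user random salt means two accounts sharing a password store
    different digests, so one precomputed table cannot cover the whole dump.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password still end up with different records."""
    return hash_password(password) != hash_password(password)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly from alphabet_size ** length choices.

    Four words from a 2048-word list is 44 bits (the xkcd passphrase); a 4-digit
    PIN is only about 13 bits, and no salt can make a small space larger.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: half the space on average, and because each
    record has its own salt the attacker pays this cost per stolen hash."""
    return (2 ** bits / 2) / guesses_per_second
```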

In response to post #33294150.


bben46 wrote:

There is actually more than just one way to implement 2 factor. I am amazed at the number of people that believe a cell phone MUST be used and ONLY a cell phone can be used for two factor authentication.

Chip and pin is a 2 factor method used for credit cards. And guess what - No cell phone is needed.

Most 2 factor systems use one physical and one data authentication. The data is usually a password or pin. While the physical can be the chip in the card, a USB stick, a physical key, a fingerprint or iris scan or ... a cell phone. There are others as well. Both MS & Google are working on a face recognition or voice recognition system that could be the second factor.


"While the physical can be the chip in the card, a USB stick, a physical key, a fingerprint or iris scan or ... a cell phone. There are others as well. Both MS & Google are working on a face recognition or voice recognition system that could be the second factor."

ALL of which require the user (me) to provide yet MORE data. Not going to happen. Again, requiring us to provide MORE data to prevent the theft of data is illogical, especially when none of the data is guaranteed to be safe.

Unless the Nexus is selling that data, I see no reason why they would WANT more user information--the more they have, the greater the potential risks, and thus the greater the obligation to protect it.

In response to post #33294150. #33342585 is also a reply to the same post.


bben46 wrote:

There is actually more than just one way to implement 2 factor. I am amazed at the number of people that believe a cell phone MUST be used and ONLY a cell phone can be used for two factor authentication.

Chip and pin is a 2 factor method used for credit cards. And guess what - No cell phone is needed.

Most 2 factor systems use one physical and one data authentication. The data is usually a password or pin. While the physical can be the chip in the card, a USB stick, a physical key, a fingerprint or iris scan or ... a cell phone. There are others as well. Both MS & Google are working on a face recognition or voice recognition system that could be the second factor.

Bugnexus7 wrote: "While the physical can be the chip in the card, a USB stick, a physical key, a fingerprint or iris scan or ... a cell phone. There are others as well. Both MS & Google are working on a face recognition or voice recognition system that could be the second factor."

ALL of which require the user (me) to provide yet MORE data. Not going to happen. Again, requiring us to provide MORE data to prevent the theft of data is illogical, especially when none of the data is guaranteed to be safe.

Unless the Nexus is selling that data, I see no reason why they would WANT more user information--the more they have, the greater the potential risks, and thus the greater the obligation to protect it.


So you're saying you can't set up one email address from the dozens of free email providers or maybe your ISP dedicated to receiving 2FA auth codes, or perhaps even use your normal email address for your account here? If you're that lazy, maybe you don't really give a damn about security...

If an email address is "too much information", then perhaps you should just stay offline.

Edited by petteyg359

@pettyg359; To be fair, an alternate email account isn't really a second factor. It's simply a second instance of the same single factor: "something the user knows" (username and pw.) It may provide a reasonably adequate degree of protection (for most people) for accounts on a non-commercial site like the Nexus, but it doesn't meet the requirements of 2FA.


In response to post #33425140.


Thandal wrote:

@pettyg359; To be fair, an alternate email account isn't really a second factor. It's simply a different instance of the same single factor: "something the user knows" (username and pw.) It may provide a reasonably adequate degree of protection (for most people) for accounts on a non-commercial site like the Nexus, but it doesn't meet requirements of 2FA.


Ubikey is pretty cheap, and there are APIs for how to interact with them as a possible 2FA scheme.

In response to post #33425140.

Ubikey is pretty cheap, and there are APIs for how to interact with them as a possible 2FA scheme.

Think you mean Yubikey.

And yes, a (correctly implemented) hardware token-based solution is the most common way to achieve true 2FA. But there are others.

At work I'm currently exploring the use of certs on TPM chips as a way to make the physical computer (or tablet, or phone) itself function as the second factor. The tricky part, of course, is the credential store. Who controls it? Do I trust it? Does the other party trust it? This seems to be the major sticking point for Bugnexus7, regardless of the authentication mechanism.
