otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Luke Faraone
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 17:02:03 -0500

On Tue, Dec 22, 2009 at 16:52, Hannes Beinert <address@hidden> wrote:
> I think that
> properly authenticating the host is too important, and it's worthwhile
> making it as easy as possible for the user.  And it does seem awfully
> cumbersome to squeeze it into the existing passcard page

Agreed. I don't think it's possible with today's technologies to log in securely when your adversary is not only able to intercept, but to also actively participate in the connection unless the host party is authenticated via well-tested public key crypto. Inventing other solutions, such as a challenge-response passcard system, is moot unless the transmission is secure.

The use cases OTPasswd should prevent against, in my opinion, are ones of hardware keyloggers, shoulder surfers, or other passive attackers. Active attackers are a solved problem from a technical standpoint; it's now just all a matter of getting people to follow procedure.

--
Luke Faraone
http://luke.faraone.cc
