[security] [dix] Re: Gathering requirements for in-browser OpenID support
Ben Laurie
benl at google.com
Sat Oct 28 15:28:03 UTC 2006

On 28/10/06, Chris Drake <christopher at pobox.com> wrote:
> BL> 2 factor auth gets you nowhere if the underlying protocols don't
> BL> protect you from MitM.
>
> What he *means* of course - is that 2-Factor auth solves pretty much
> every security problem users are likely to face in the wild
> (especially the most common and dangerous - phishing) - with the
> *exception* of Man-in-the-middle attacks, in some circumstances.

? But many phishing attacks are MitM.

> It certainly doesn't "get you nowhere" - it almost always gets you
> exactly to where you want to be.

We seem to be drifting far from the original point, which was that the
protocols should protect users against MitM. 2-factor auth doesn't do
this, of itself. And if the protocols do provide protection, then
2-factor auth defends against a rather small subset of attacks.

>
> Kind Regards,
> Chris Drake