two factor authentication

William Ahern william at 25thandClement.com
Wed Jul 26 07:06:05 EST 2006


On Tue, Jul 25, 2006 at 01:44:55PM -0400, Chris Rapier wrote:
> 
> Now is there a better solution than smartcards? Well, smart cards are a 
> compromise between security and convenience. They provide reasonably 
> good security but it's not perfect. In fact, if you think about it ATM 
> cards are two factor security - very much like smartcards - you need the 
> card and the pin to access your money. However, a little ingenuity and 
> you come up with
> http://www.snopes.com/crime/warnings/atmcamera.asp
> http://www.crimes-of-persuasion.com/Crimes/InPerson/atm_scams.htm
> and
> http://www.engadget.com/2005/03/29/beware-phony-atm-facades/
> 
> Anyway, this doesn't have much to do with OpenSSH. My point was really 
> just that most any security protocol can be broken by someone who is 
> determined enough to do it.

ATM cards are not like smart cards with regard to a very critical
characteristic: you cannot "copy" a smart card. An ATM card is just a piece of
plastic w/ a number on it.

You can copy a PIN, but with biometric smart cards, which would require, for
instance, a fingerprint scan, you have an extremely strong security device
with hard limitations. A smart card can still be exploited (for instance, by
stealing and chopping off a finger), but since it can't be copied it's
faaaaarrrrrr easier to mitigate the effects of attacks than w/ most any
other mechanism in use today.

This is why I'd rather have a single-factor smart card than most any other
two-factor mechanism. When I lose my smart card--and you know when you've
lost it--I can disable my accounts and prepare a new smart card. It's
impossible to know whether somebody else has your PIN, your bank account
number, your super-secret Unix account password, or for that matter your
RSA private key sitting on your harddrive (encrypted or not).

Sometimes people make sarcastic comments like, "if you're afraid somebody is
going to install a password sniffer or backdoor on your computer then you
should keep your computer on your person at all times". Well, a smart card
is a computer you keep in your pocket or at your side 24/7, and, even more,
it's a computer that is, in all practicality, impossible to install malware
on.
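Added example (not part of the message above, and not OpenSSH project code): the
"I lost my card, so I disable the accounts that trusted it" step, expressed in
OpenSSH terms as revoking the card's public key with a Key Revocation List
(KRL). It assumes ssh-keygen is on PATH (KRL support exists in OpenSSH 6.1 and
later); the two keys and the file names are constructed for the demo, and the
private halves are generated on disk only so the script runs offline, whereas
with a real card only the public half would ever leave the token.

```shell
#!/bin/sh
# Added example, not from the original message. Simulates revoking a lost
# smart card's key with an OpenSSH KRL. Assumes ssh-keygen (OpenSSH 6.1+)
# is installed; file names are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for two authorised keys. With a real card the private half stays
# on the token (used through "ssh -I <pkcs11.so>" or PKCS11Provider in
# ssh_config); here both halves land on disk purely so the demo is offline.
ssh-keygen -q -t ed25519 -N '' -C 'lost-card' -f "$WORK/card_key"
ssh-keygen -q -t ed25519 -N '' -C 'other-key' -f "$WORK/other_key"

# The "card is lost" step: add its public key to a KRL. On the server this is
# the file that sshd_config's "RevokedKeys /etc/ssh/revoked.krl" points at;
# later losses are appended with: ssh-keygen -k -u -f revoked.krl next.pub
ssh-keygen -q -k -f "$WORK/revoked.krl" "$WORK/card_key.pub"

# krl_status KRL PUBKEY -> prints "revoked" or "ok".
# A missing or unreadable file makes ssh-keygen fail with neither word in its
# output; that is reported as an error (exit 2) rather than as "ok", so a
# broken check can never be mistaken for "this key is still fine".
krl_status() {
    out=$(ssh-keygen -Q -f "$1" "$2" 2>&1) && rc=0 || rc=$?
    case "$out" in
        *REVOKED*) echo revoked ;;
        *": ok"*)  echo ok ;;
        *) echo "unexpected ssh-keygen result (rc=$rc): $out" >&2; return 2 ;;
    esac
}

krl_status "$WORK/revoked.krl" "$WORK/card_key.pub"    # revoked
krl_status "$WORK/revoked.krl" "$WORK/other_key.pub"   # ok
```

The point the script makes is the one in the message: a key that lives only on
the card can be cut off cleanly the moment you notice the card is gone, and the
other key keeps working, whereas a copied password or on-disk private key gives
you no such signal.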



More information about the openssh-unix-dev mailing list