undefined | Better HN

0 pointsSpearchucker13y ago0 comments

The thing that bothers me about semantics (do two-factor, or, use OAuth) is that so many people I've discussed security with can't tell me whether they should, and why they should.

Does the value of the asset merit the cost of the second factor (considering the 2factor is a per-user cost)?

0 comments

4 comments · 2 top-level

icebraining13y ago· 2 in thread

While it's not as secure as an hardware token, you can get second-auth for free for any user with a more capable cellphone (e.g. a Nokia S60, iPhone, Android, BB, etc).

Google Authenticator is free for the user, and the algorithm used (TOTP/OATH - not to be confused with OAuth) is open and easy to implement: it's essentially just feeding the current unix time and a per-user secret to an HMAC-SHA1.

SpearchuckerOP13y ago

So the point was that two factors may not be required (security for security's sake is a waste of resource). But let's go with the cellphone thing for a minute. I'm assuming you'd use it to send some sort of OTP to the user.

Imagine the route that token takes - from your server across the internet to an SMS service (a channel you might secure using TLS/SSL).

From there to any one of an arbitrary number of network operators, again over the public internet. You've no control over this leg. From there the token travels through the network operator's network, to a switch, and then over the GSM network to the handset.

There are at least two places there where you can launch a man in the middle attack.

Which brings me back to the threat model - understanding the value of the asset you're protecting will tell you whether the cost [1] of such an authentication scheme is worth it. Oh, and the cellphone-based OTP is of course an additional asset this authentication scheme introduces.

[1] Cost is not just the cost/per SMS. It's also the cost of developing/aquiring the technology, and then maintaining it and the infrastructure that supports it.

icebraining13y ago

Nope, the solution I posted doesn't use SMS - in fact, it's completely offline. You could have the phone in airplane mode.

It essentially generates a code based on a pre-shared secret and the current time.

As for the costs, as I said there's plenty of free client applications (Google Authenticator is just the most well known), and not only there are plenty of libraries that you can use on your server, as the RFC that details TOTP provides an implementation in less than 50 short lines of code (+ Java boilerplate); see http://tools.ietf.org/html/rfc6238

And you just need that, plus an extra field in your data store for each user (to store the secret) and a textbox in the login page.

1 more reply

Joeri13y ago

That's why you make it optional for your users.

j / k navigate · click thread line to collapse