Comments on: The Connected Web: Why It’s Time For Strong Authentication

By: Verisign VIP: A “Weakest Link” Case in Point | danielmiessler.com

Wed, 07 Apr 2010 01:45:36 +0000

[...] am an enthusiastic user of the Verisign PIP two-factor authentication service. It’s a system that allows you to add [...]

By: Dual Sim Phones

Dual Sim Phones — Mon, 07 Sep 2009 17:32:10 +0000

great post

By: Rob Lewis

Rob Lewis — Thu, 21 May 2009 17:01:51 +0000

At what point does authentication as a proxy for authorization become inadequate, in terms of data level acess or behavior enforcement?

By: Rob Lewis

Rob Lewis — Thu, 21 May 2009 13:01:51 +0000

At what point does authentication as a proxy for authorization become inadequate, in terms of data level acess or behavior enforcement?

By: Daniel Miessler

Daniel Miessler — Thu, 21 May 2009 05:16:56 +0000

The risk presented by a hole in a castle wall that is easily visible is much
higher than the risk presented by an equally sized hole in the wall that's
more obfuscated.
Not because the hole is of a different size, or because it's easier to pass
through, but because it's more likely to be noticed and therefore taken
advantage of.

By: Daniel Miessler

Daniel Miessler — Thu, 21 May 2009 03:52:08 +0000

The risk presented by a hole in a castle wall that is easily visible is much higher than the risk presented by an equally sized hole in the wall that's more obfuscated.

Not because the hole is of a different size, or because it's easier to pass through, but because it's more likely to be noticed and therefore taken advantage of.

By: Nerves of steel, No Coffee Needed, who am i kidding | The CaffiNation Podcast

Thu, 21 May 2009 03:46:02 +0000

[...] Strong Authentication rules, Facebook now playing nice with OpenID [...]

By: davidkma

davidkma — Thu, 21 May 2009 01:22:59 +0000

On what basis are you claiming that the attack vector is less likely? Relying on obfuscation or the visibility of an exploit for security is a recipe for disaster, especially in this case where the existing attack vector still exists in single sign-on.

Consider how esoteric and technically difficult exploiting various browser bugs is and even how much effort is required to effectively leverage buffer overruns. Engineering exploits using these vulnerabilities requires significant technical knowledge and insight, yet we frequently see real world working attacks based on these vectors. Worse still, once the knowledge and code of how to exploit these vulnerabilities is released into the wild, it becomes almost trivial for someone who is less skilled to leverage the same attack vector.

There is no technical difference between weak OpenID passwords versus weak e-mail passwords. They can be leveraged in same fashion and it just requires the simple insight that having access to someone's e-mail account allows you to recover their passwords.

Just because the public in general is less aware of this issue doesn't make it any less real. Counting on the ignorance of a malice attacker doesn't seem like a good idea.

Two factor authentication is obviously preferred, but I don't agree with your argument that single sign-on exposes users to higher risks, hence we should reinforce security. The same vulnerability and risk already exist in web authentication, hence the question is more why are we currently not using two factor authentication rather then we now have increased risk hence we should use two factor authentication.

Only a single password protects us now, so what has stopped the spread of two factor authentication? It seems like a more important question since the things that had held us from deploying two factor authentication en mass in the past will likely hinder us moving forward.

By: Daniel Miessler

Daniel Miessler — Wed, 20 May 2009 21:27:03 +0000

Very interesting argument.

I agree that password recovery is a similar weak link, but I don't agree that the introduction of SSO doesn't make compromise more serious.

There is a difference between vulnerabilities that exist and vulnerabilities that are likely to be exploited, and while the password recover vector is real, it's far less likely to be taken advantage of just because it's not as intuitive and visible.

The probability of exploitation of the SSO vulnerability is much higher, therefore the overall risk is higher as well. But I agree, this is mostly due to the fact that the SSO issue is more visible and less because it's fundamentally different than weak password security on email accounts.

By: davidkma

davidkma — Wed, 20 May 2009 18:47:49 +0000

For reference, I've worked on cryptographic software in the past.

Your argument that single sign-on increases the impact of an account compromise is flawed. Almost all web based authentication mechanisms bind to a user's e-mail address to give some assurance the user is a unique person, and more importantly, to allow for password recovery.

Right now the vast majority of users have a primary e-mail address which they use to register most, if not all, of their accounts through, hence a single point of failure already exists. Compromising a single e-mail password will give an attacker access to just about every account an individual has registered for via password recovery.

If your argument is we should use two factor authentication because all that stands between an attacker and all of a user's various accounts, then we should ALREADY be using two factor authentication. Single sign-on does not introduce any risks that aren't already an inherent in web authentication, it simply is easier to distinguish that a single point of failure exists.

By: dmitr

dmitr — Wed, 20 May 2009 18:19:04 +0000

This is pretty cool stuff. Unfortunately, in their infinite wisdom, Verisign has restricted the soft token to the American AppStore only. Lame.

Also, the twitter button above the comment form doesn't work. Clicking it brings up a new window which then disappears. The page reloads and I'm still a 'guest'.

By: Naks

Naks — Wed, 20 May 2009 08:26:13 +0000

check out www.fireid.com for an innovative 2FA solution.