AW: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistent to online and offline attacks) from Jörg Schwenk on 2007-03-14 (public-usable-authentication@w3.org from March 2007)

From: Jörg Schwenk <joerg.schwenk@rub.de>
Date: Wed, 14 Mar 2007 18:24:11 +0100
To: "'Florian Weimer'" <fw@deneb.enyo.de>, "'Dan Schutzer'" <dan.schutzer@fstc.org>
Cc: "'Chris Drake'" <christopher@pobox.com>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
Message-ID: <022601c7665d$94b2dc90$1b289386@jotop>

German banks are currently adopting some kind of "transaction aware OTP"
solution: Customers have to type the target account number together with a
random challenge into an OTP device. This seems to be a good solution
against mitm attacks.

Joerg

-----Ursprüngliche Nachricht-----
Von: Florian Weimer [mailto:fw@deneb.enyo.de] 
Gesendet: Dienstag, 13. März 2007 10:49
An: Dan Schutzer
Cc: 'Chris Drake'; 'Jörg Schwenk'; 'James A. Donald';
public-usable-authentication@w3.org
Betreff: Re: AW: Magic Bullet (proposal for in-browser secure 2-way
authentication resistent to online and offline attacks)

* Dan Schutzer:

> One time passwords are susceptible to real time man in the middle
> attacks

You don't even need real-time attacks, you just block every other
transaction, claiming that the password has already been used, and
have the Trojan horse send you those unused passwords.  That's why
it's interesting to tie one-time passwords to particular transactions.

There are very complex trade-offs involved, and the whole thing is a
topic of ongoing research, on both sides.

> Cookies can be insecure if they store sensitive information in the clear

A lot of sensitive cookies are insecure because they aren't restricted
to HTTPS. 8-(

Received on Wednesday, 14 March 2007 17:24:37 UTC