About 2FA on our web-application

Pierre-Yves Chibon pingou at pingoured.fr
Sat Aug 9 17:12:58 UTC 2014


On Thu, Aug 07, 2014 at 11:44:03PM +0200, Till Maas wrote:
> On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
> 
> > The key ideas are:
> > ==================
> 
> > * the username, password and OTP are not sent in the same request (otherwise, if
> >   $attacker intercepts this request, $it has all the info at once)
> 
> What kind of attacker is able to only intercept this one request, but
> cannot intercept the second request as well? This assumed threat seems
> to lead to more complexity which might allow for more errors without an
> obvious gain in security from what I can see.

So I just discussed this with Kanarip again.
The idea is to decouple the username/password from the OTP so that if you have
10 requests at the same time, then it's harder for the MITM to correlate which
OTP refers to which username/password sent before.

To do the two requests and still have the correlation on the server side of which
OTP belongs to which username/password, Kanarip had two proposals:
- Keep the connection open and send the second request over it
- Return, from the username/password request, a one-time token that will be sent
  back with the OTP

On the other hand, Kanarip did say it's all a matter of compromise and we just
need to make a tradeoff on what we want and which risk we're ready to take.


Pierre
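One way to implement Kanarip's second proposal (password in one request, OTP plus a server-issued one-time token in a second), as an added example that is not code from the thread or from the application under discussion. The `TwoStepLogin` class, the PBKDF2 password hashing, the 60-second token lifetime, the one-step TOTP skew window and the constructed user record are all assumptions made for the example:

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def _hash_password(password, salt):
    # Assumption: PBKDF2 keeps the example in the standard library; a real
    # deployment would use bcrypt/scrypt/argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, otp_secret):
    """Build a constructed user record: (salt, password hash, TOTP secret)."""
    salt = secrets.token_bytes(16)
    return (salt, _hash_password(password, salt), otp_secret)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP over an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step), digits)


class TwoStepLogin:
    TOKEN_TTL = 60  # seconds a step-1 token stays valid (assumption)

    def __init__(self, users, clock=time.time):
        self._users = users      # username -> (salt, pw_hash, otp_secret)
        self._clock = clock      # injectable for testing
        self._pending = {}       # token -> (username, expires_at)

    def start_login(self, username, password):
        """Step 1: check username/password and return an opaque one-time token.

        Returns None on failure; the caller cannot tell whether the username
        or the password was wrong."""
        rec = self._users.get(username)
        if rec is None:
            # Spend the same hashing effort so timing does not leak
            # whether the username exists.
            _hash_password(password, b"\0" * 16)
            return None
        salt, pw_hash, _ = rec
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._pending[token] = (username, self._clock() + self.TOKEN_TTL)
        return token

    def finish_login(self, token, otp):
        """Step 2: the token, not the username, says which pending login
        this OTP belongs to. The token is consumed on first use whether the
        OTP is right or wrong, so it cannot be replayed or brute-forced.

        Returns the username on success, None otherwise."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        username, expires_at = entry
        now = self._clock()
        if now > expires_at:
            return None
        _, _, otp_secret = self._users[username]
        # Accept the current 30 s step and one step either side for drift.
        for skew in (-1, 0, 1):
            expected = totp(otp_secret, now + 30 * skew)
            if hmac.compare_digest(expected, otp):
                return username
        return None


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    users = {"alice": make_user("correct horse", secret)}
    srv = TwoStepLogin(users)
    tok = srv.start_login("alice", "correct horse")
    print("step 1 token:", tok)
    print("step 2 result:", srv.finish_login(tok, totp(secret, time.time())))
    print("replay result:", srv.finish_login(tok, totp(secret, time.time())))
```

The first response still tells a passive observer that this username/password pair was accepted, so the scheme buys no protection against an attacker who can read both requests; what it does give the server is an explicit, expiring, single-use link between the two halves of the login without holding a connection open.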


More information about the infrastructure mailing list