About 2FA on our web-application
Pierre-Yves Chibon
pingou at pingoured.fr
Sat Aug 9 17:12:58 UTC 2014
On Thu, Aug 07, 2014 at 11:44:03PM +0200, Till Maas wrote:
> On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
>
> > The key ideas are:
> > ==================
>
> > * the username, password and OTP are not sent in the same request (otherwise, if
> > $attacker intercept this request, $it has all the info at once)
>
> What kind of attacker is able to only intercept this one request, but
> cannot intercept the second request as well? This assumed threat seems
> to lead to more complexity which might allow for more errors without an
> obvious gain in security from what I can see.
So I just discussed this with Kanarip again.
The idea is to decouple the username/password from the OTP so that if you have
10 requests at the same time, then it's harder for the MITM to correlate which
OTP refers to which username/password sent before.
To do the two requests and still have the correlation on the server side which
OTP belongs to which username/password, Kanarip had two propositions:
- Keep the connection open and send the second requests
- Provide to back from username/password a one time token that will be returned
with the OTP
On the other side, Kanarip did say it's all a matter of compromise and we just
need to make a tradeoff on what we want and which risk we're ready to take.
Pierre
More information about the infrastructure
mailing list