About 2FA on our web-application
Pierre-Yves Chibon
pingou at pingoured.fr
Sat Aug 9 17:38:48 UTC 2014
On Sat, Aug 09, 2014 at 07:12:58PM +0200, Pierre-Yves Chibon wrote:
> On Thu, Aug 07, 2014 at 11:44:03PM +0200, Till Maas wrote:
> > On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
> >
> > > The key ideas are:
> > > ==================
> >
> > > * the username, password and OTP are not sent in the same request (otherwise, if
> > > $attacker intercept this request, $it has all the info at once)
> >
> > What kind of attacker is able to only intercept this one request, but
> > cannot intercept the second request as well? This assumed threat seems
> > to lead to more complexity which might allow for more errors without an
> > obvious gain in security from what I can see.
>
> So I just discussed this with Kanarip again.
> The idea is to decouple the username/password from the OTP so that if you have
> 10 requests at the same time, then it's harder for the MITM to correlate which
> OTP refers to which username/password sent before.
>
> To do the two requests and still have the correlation on the server side which
> OTP belongs to which username/password, Kanarip had two propositions:
> - Keep the connection open and send the second requests
> - Provide to back from username/password a one time token that will be returned
> with the OTP
>
> On the other side, Kanarip did say it's all a matter of compromise and we just
> need to make a tradeoff on what we want and which risk we're ready to take.
Oh one more remark, he said that if we send username/password/otp in one single
request, we should ban time-based OTP
Pierre
More information about the infrastructure
mailing list