Hacking Two-Factor Authentication - lamnk
http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html

======
roc
Sure, that works for some things.

But what's _the_ transaction in the case of, say, a secured extranet? Is it
requesting tabular data? Downloading a file? Kicking off a workflow?

Or what's _the_ transaction of an online banking session? Checking my
balances? Initiating a payment? Transferring funds?

Authenticating much more often than once a session is impractical from a user
experience standpoint. People are just not going to enter their PIN & token
code a half-dozen times. Security has always required usability trade-offs, and
authenticating transactions is going to be far too much hassle for most
services.

I suppose you could batch transactions and ask for a second log-in before you
process them. That would offer a sanity check and mitigate potential damage.
But even that would require awfully security-conscious users to accept that
process, tolerate the changes it implies in how the service can operate and
actually pay attention to the batch to see if something was slipped in -- at
which point I wonder how much additional security the transaction batch is
truly providing.

------
djahng
So the lesson is: don't worry so much about authenticating the user, but focus
on authenticating the transaction. It would have been a much more useful
article if he actually described how (rather than just saying, "do it like the
credit card companies").
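As an added illustration of what "authenticate the transaction" can mean in practice (this is example code written for this page, not from the linked article, the commenters, or any bank's product): the user's token computes a short code over the transaction details themselves plus a server-issued nonce, and the server recomputes that code over the batch it is actually about to execute. It also covers the batching idea from the earlier comment, since a batch is just a longer message under the same MAC. Assumed, not from the thread: a shared per-token secret, HMAC-SHA256 with HOTP-style truncation to eight digits, a single-use nonce, and the constructed account numbers and amounts.

```python
import hashlib
import hmac
import json
import secrets


def canonical(txns):
    """Deterministic byte encoding so token and server MAC exactly the same data."""
    return json.dumps(list(txns), sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret: bytes, nonce: str, txns) -> str:
    """8-digit code bound to the server nonce and every field of every transaction.

    HMAC-SHA256 over nonce || 0x00 || canonical(batch), truncated the way HOTP
    does (RFC 4226 dynamic truncation) so it can be read off a small display.
    """
    mac = hmac.new(secret, nonce.encode() + b"\x00" + canonical(txns), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class BankServer:
    """Holds the batch it is about to execute and checks the code against *that*."""

    def __init__(self, token_secret: bytes):
        self.secret = token_secret
        self.pending = {}  # nonce -> list of transactions awaiting approval

    def propose(self, txns) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = [dict(t) for t in txns]
        return nonce

    def execute(self, nonce: str, code: str) -> bool:
        txns = self.pending.pop(nonce, None)      # each nonce is usable once
        if txns is None:
            return False                          # unknown or already-used nonce
        expected = transaction_code(self.secret, nonce, txns)
        return hmac.compare_digest(expected, code)


class UserToken:
    """The user's device: it shows the batch and only then produces a code."""

    def __init__(self, token_secret: bytes):
        self.secret = token_secret

    def approve(self, nonce: str, txns_as_shown) -> str:
        return transaction_code(self.secret, nonce, txns_as_shown)


def demo() -> dict:
    """Run the honest, altered, slipped-in and replay cases; return their outcomes."""
    secret = secrets.token_bytes(32)              # constructed shared secret
    server, token = BankServer(secret), UserToken(secret)
    batch = [                                     # constructed sample batch
        {"to": "ACCT-1001", "amount": "120.00", "ccy": "EUR"},
        {"to": "ACCT-2002", "amount": "45.50", "ccy": "EUR"},
    ]
    out = {}

    # 1. Honest: the batch the user approved is the batch the server executes.
    nonce = server.propose(batch)
    out["honest"] = server.execute(nonce, token.approve(nonce, batch))

    # 2. Altered: a destination differs server-side from what the user approved.
    nonce = server.propose(batch)
    code = token.approve(nonce, batch)
    server.pending[nonce][0]["to"] = "ACCT-9999"  # simulated discrepancy
    out["altered"] = server.execute(nonce, code)

    # 3. Slipped in: the server's copy of the batch has an extra transaction.
    nonce = server.propose(batch)
    code = token.approve(nonce, batch)
    server.pending[nonce].append({"to": "ACCT-9999", "amount": "999.00", "ccy": "EUR"})
    out["slipped_in"] = server.execute(nonce, code)

    # 4. Replay: a code that was valid once is presented for the same nonce again.
    nonce = server.propose(batch)
    code = token.approve(nonce, batch)
    server.execute(nonce, code)                   # first use succeeds
    out["replay"] = server.execute(nonce, code)   # nonce already consumed
    return out


if __name__ == "__main__":
    print(demo())
```

The security of this rests on the token only signing what its own display shows, which is exactly the usability cost the first comment points out: the user still has to read the batch before approving it, but a discrepancy between the approved batch and the executed one is caught by the server without relying on the user noticing it.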

