HackerTrans
TopNewTrendsCommentsPastAskShowJobs

RaisingSpear

no profile record

comments

RaisingSpear
·2 ปีที่แล้ว·discuss
I think we're talking past each other a bit here.

If I were trying to phish someone, I wouldn't attack the public key crypto part, so how domains come into play during authentication doesn't matter. I'd just grab the "unencrypted" session token at the end of the exchange.

Even if you somehow protected the session token (sounds dubious), there's still plenty a phisher could do, since it has full MITM capability.
RaisingSpear
·2 ปีที่แล้ว·discuss
From my understanding, FIDO isn't MFA though (the authenticator may present its own local challenge, but I don't think the remote party can mandate it).

There's also the issue of how many sites actually use it, as well as how it handles the loss of or inability to access private keys etc. I generally see stuff like 'recovery keys' being a solution, but now you're just back to a password, just with extra steps.
RaisingSpear
·2 ปีที่แล้ว·discuss
The phisher can just pass on whatever you sign, and capture the token the server sends back.

Sure, you can probably come up with some non-HTTPS scheme that can address this, but I don't see any site actually doing this, so you're back to the unrealistic scenario.
RaisingSpear
·2 ปีที่แล้ว·discuss
> That's why I qualified it with "certificate-based". The private key never leaves the device

Except that phishing doesn't require the private key - it just needs to echo back the generated token. And even if that isn't possible, what stops it obtaining the session token that's sent back?
RaisingSpear
·2 ปีที่แล้ว·discuss
> I don't think phishing is such an obscure scenario.

For a typical person, maybe, but for a tech-minded individual who understands security, data entropy and what /dev/random is?

And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.

I'm also looking at this from the perspective of an individual, not a service provider, so the activities of the greater percentage of users is of little interest to me.
RaisingSpear
·2 ปีที่แล้ว·discuss
But password managers typically don't send keyboard commands to fill in a password, so a physical device would be useless.

> There are plenty of scenarios where MFA is more secure than just a strong password.

And how realistic are they? Or are they just highly specific scenarios where all the stars must align, and are almost never going to happen?
RaisingSpear
·3 ปีที่แล้ว·discuss
AVX-512's VPCOMPRESS* instructions are very useful for binary-radix sorting though.