According to the CloudFlare blog, the attacker was able to get around Google's account recovery flow, and with it the two-step verification protecting the account, and eventually gained access to one CloudFlare customer's account: "Google reports that they discovered a "subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts. We've now blocked that attack vector to prevent further abuse." Technical details about bypassing either Google password recovery or the two-factor authentication system are unclear.

CloudFlare blog: http://bit.ly/K7QTCg
Google two-factor authentication: http://bit.ly/KD1cmi
All the presentations were pretty interesting. I would especially mark two of them, though:

Dual Channel Authentication
The idea is not new at all, but there was a well-detailed explanation of the implementation.
Presenter: Srikar Sagi from PayPal

Public Key Cryptography in Depth
Current situation and future of asymmetric cryptography, with an interesting review of RSA and ECC.
Presenter: Chuck Easttom (www.chuckeasttom.com)

BTW, the lunch wasn't bad either!

Using your mobile phone as a token generator for two-factor authentication is becoming the de facto standard and the common solution used by major companies operating online for extra protection of user accounts against unauthorized access. Such services are provided for free, which is not the case with hardware token products like RSA SecurID and the VeriSign VIP hardware token. Software solutions also rely on a device, namely your mobile phone, but since it is your own phone and the provider does not have to manufacture and ship any special hardware to you, such services incur no additional cost and can therefore be offered for free.

What is two-factor (or two-step) authentication? It combines two of the three factor types recognized in security theory: something you know (a password or PIN) with something you have (a magnetic or smart card, token key, or mobile phone). The third possible factor is something you are, i.e. biometrics.

There are three major methods of two-factor implementation used by online service providers: hardware tokens, SMS, and smartphone application (software) tokens. Hardware tokens are usually sold for money and are therefore less common than SMS or software tokens. Also, the major hardware token solution, RSA SecurID, was recently compromised (the 2011 breach of RSA), which has further increased the motivation for using software solutions.
Many online service providers implement two-factor authentication as a combination of username/password (first factor) and mobile phone (second factor), which provides a relatively high security level compared to traditional single-factor authentication (username/password only). Some giants such as Facebook and Bank of America offer only SMS solutions for mobile phones: a one-time token (a 6-digit number) is generated by the server and sent to the user's mobile phone as an SMS text message. Other companies such as PayPal provide the SMS service as well as a more convenient smartphone app (also used by eBay). In the latter case, VeriSign VIP software installed on an iPhone, Android or other smartphone generates a new one-time token code (the same 6 digits) every minute. The advantage of software solutions is that they require no communication between the mobile device and the server: both sides derive the code from a shared secret provisioned at enrollment and the current time, which completely eliminates data transfer or text message fees. Google offers even more options: application tokens, SMS and also voice messages. Regardless of the particular implementation, any form of two-factor authentication provides a higher level of security and makes your account a significantly less desirable target for hackers compared to regular accounts protected by just a username/password.
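As an added example (not code from the original post, nor from VeriSign, PayPal or any other vendor mentioned above), the following Python shows how an app token of the kind described can display the same 6-digit code the server expects without exchanging any message: both sides hold a shared secret and compute an HMAC over the current time step, as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFC test secret, so the codes can be checked against the published test vectors. The server-side check tolerates one neighbouring time step of phone clock drift, compares in constant time, and refuses a code that has already been accepted. The 30-second step (the post describes a one-minute interval), the drift window and the replay bookkeeping are this example's assumptions. An SMS-style server-generated code is included for contrast.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Shared secret provisioned to the phone app at enrollment. This is the
# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real
# deployment uses a random key, usually delivered as a base32 QR code.
SECRET = b"12345678901234567890"

STEP_SECONDS = 30   # assumption: RFC 6238 default (the post describes a one-minute interval)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the phone app computes; no network access is needed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Server-side check of a code typed in by the user.

    Returns the time-step counter the code matched, or None on failure.
    - `window` neighbouring steps are accepted to tolerate phone clock drift.
    - Comparison is constant-time so a timing side channel cannot leak digits.
    - A counter at or below `last_counter` (the last accepted one, stored per
      user) is refused, so a code intercepted during its validity window
      cannot be replayed. This bookkeeping is an assumption of the example.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def issue_sms_code(digits: int = DIGITS, ttl_seconds: int = 300, now: Optional[int] = None):
    """The SMS variant, for contrast: the server draws a random code that it
    must store with an expiry, deliver to the phone, and later compare.
    Nothing here can be derived from a shared secret on the device."""
    now = int(time.time()) if now is None else now
    code = str(secrets.randbelow(10 ** digits)).zfill(digits)
    return code, now + ttl_seconds


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)            # what the app would display
    print("app shows:", code)
    print("server accepts:", verify_totp(SECRET, code, now) is not None)
```

The server stores the counter returned by verify_totp as the user's last accepted counter; the next login must match a strictly later step, which is what turns a "one-time" code into one that is actually single-use even if it is intercepted while still valid.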