
It is time for Linden Labs to put in two factor authentication



On 9/7/2018 at 10:15 AM, Bradford Mint said:

It's not a question of blame, that's entirely irrelevant.  The issue is about best protecting assets and the appropriate tools are not provided.

 

Using one's brain properly would protect 99% of the "hacked" accounts. If people hold so much monetary value and "assets" in their accounts, this shouldn't be so difficult to do.

  • Like 2

Being able to change our user ID for logon purposes would be a positive forward step.

2FA using smartphones is an extremely poor idea, commonly championed by people who live their life in one single country. Should any change ever happen I hope it is an option, not compulsory. Nothing worse than being forced to do something which claims to be for my own good when I don't want it.

I log in and out of SL all the time, as I'm sure many do. I don't want it to turn into a palaver, otherwise it's likely I will begin to log in less and less. 

  • Like 4

Just now, Candice LittleBoots said:

2FA using smartphones is an extremely poor idea, commonly championed by people who live their life in one single country. 

Please explain why you believe this as I'm interested in why you perceive it to be a) a poor idea and b) why it's a single country thing?


2 minutes ago, Syo Emerald said:

Using one's brain properly would protect 99% of the "hacked" accounts. If people hold so much monetary value and "assets" in their accounts, this shouldn't be so difficult to do.

Even smart people can get caught out.  Odd how that happens.  Assets could be their creations, where would you like them to hold them?  What would be the value of say the inventory of Maitreya or Blueberry would you estimate?

  • Haha 1

1 hour ago, Bradford Mint said:

So your device suffers a drift, then either put a SIM card in and turn the data off so that it derives clock from the network or leave wifi on, this really isn't an issue and I was addressing the paranoia of having a smartphone based soft token.

There's still no reason to not be offered stronger authentication, these are made up, imaginary reasons to avoid doing something better.  OCRA based tokens are but one 2FA mechanism, others exist.

Again, the request is there to have it available, nobody is suggesting that it should be forced on those who still believe that passwords alone are good enough.

I'll use it, but only if it's using the Google Authenticator, that's as simple as that, that means people will need to keep their time synced and stay on either data or wifi to do that. But Callum is more than correct, we've got people who are still using SL with systems built during the SL heyday 2007, lots of people are using potatoes and they won't ever come up off of them, we end up with arguments when LL has to stop supporting a certain OS, lots of people who use SL don't have that much of a grip on what they need to do SL with and there is so much misinformation floating around, but the one thing I can tell you, the login services are legacy systems that were not built with 2FA in mind at all, LL will not revamp this as it's tied into way too many legacy back end systems, sorry but this is how your cookie crumbles.


2 hours ago, bigmoe Whitfield said:

I'll use it, but only if it's using the Google Authenticator, that's as simple as that, that means people will need to keep their time synced and stay on either data or wifi to do that. But Callum is more than correct, we've got people who are still using SL with systems built during the SL heyday 2007, lots of people are using potatoes and they won't ever come up off of them, we end up with arguments when LL has to stop supporting a certain OS, lots of people who use SL don't have that much of a grip on what they need to do SL with and there is so much misinformation floating around, but the one thing I can tell you, the login services are legacy systems that were not built with 2FA in mind at all, LL will not revamp this as it's tied into way too many legacy back end systems, sorry but this is how your cookie crumbles.

They don't need data or wifi, a cellular network connection would suffice or an authenticator that's not based on a time sync for those who find keeping time is just too difficult.  Old equipment for the SL viewer has no factor here so is irrelevant.  I've already mentioned other authenticators. At no point is the addition of extra authentication factors suggested to be mandatory, nor a removal of insecure methods by those convinced that they're good enough and still relevant, they're really not but live the dream.

Viewer login methods may be legacy and interwoven in such a way that makes current authentication integration challenging, we'll just have to accept mediocrity there then but there's no reason to prevent additional factors being made available for the web UI. If the game login user credentials were decoupled from the account login to the web UI, that would be a huge step forward.

As it stands, relying on username and password is hugely outdated and that's about all there is to it and did they appear to learn anything for Sansar?  Nope!

  • Haha 1

1 hour ago, Bradford Mint said:

As it stands, relying on username and password is hugely outdated

That might be so, but the vast majority of the financial institutions that I deal with still use it.  

I don't have a problem with LL implementing a tighter security method as long as they either make it optional or choose something that is not a hindrance to the majority of the users.

  • Like 1

1 hour ago, LittleMe Jewell said:

That might be so, but the vast majority of the financial institutions that I deal with still use it.  

I don't have a problem with LL implementing a tighter security method as long as they either make it optional or choose something that is not a hindrance to the majority of the users.

Ask yourself who is liable in the event of a loss, then there's your answer.

With regard to hindrance by employing additional factors, you are aware that additional factors can reduce the burden of authentication?

For example, most risk engines will allow multiple attributes to be considered before even prompting for authentication to be stepped up. For example, if you're on the usual PC, in the usual location, usual login times etc. there's no need to prompt for additional human responses via authenticators. Only when funds above a threshold or a new PC or an unusual location are involved would there be a need for an additional authenticator.

Passwords can be eradicated too when additional authenticators are in play.

The assumption that multi factor authentication is hassle just means that the wrong factors have been adopted.  Times have changed!


20 hours ago, Bradford Mint said:

Please explain why you believe this as I'm interested in why you perceive it to be a) a poor idea and b) why it's a single country thing?

"Thank you for using your Borogravian Telecom iSpend Dumbphone.

WARNING: Borogravian Telecom has detected that you are using your iSpend in Slobenia! 

Your current BC Contract does NOT include free unlimited global roaming, therefore, you will incur a penalty charge of B$ 25 for each voice call / SMS message sent or received..."

...

You also assume that EVERYONE uses a Dumbphone, with access to "apps", and that EVERYONE has a contract with unlimited text messages, with which to respond to the bloody 2FA nonsense.

Personally, I dislike the idea of being charged every time I have to send a damn text to some Parasite Website, so they can tell SL that it's ME logging into MY account.

I might log in several times a day, with viewer crashes, relogs because of lag, or just from logging out to go emergency shopping for more coffee...

Why should I spend £5 or £10 a month telling "2FA Parasites Web Security Subcontractors Inc" that I'm logging into SL again, JUST because some idiots are too damn dumb to check the URLs they click on, and too damn dumb to tell a fake site from a real one...

https://MarkingPiece.SecondWife.Con/Please-Log-in-with-your-SL-ID-and-password-to-collect-this-Offer-thats-too-good-to-be-true.html

Bloody stupid idea...

How would YOU react if I told you that to log into SL, you had to have a brand of Dumbphone you don't have?

Let's thin the SL population by banning logins from everyone who doesn't have the RIGHT kind of dumbphone!

"Sorry, you are using Mandroid/iSpend, (delete as applicable) but you need to use iSpend/Mandroid (delete as applicable) otherwise you cannot log into SL..."

*rolls eyes*

Edited by Klytyna
  • Like 2

Then that person would be a candidate for either continuing with weaker authentication as they are right now or a non-data-bound authenticator or, if no phone, a desktop authenticator.

Also, "You also assume that EVERYONE uses a Dumbphone, with access to "apps", and that EVERYONE has a contract with unlimited text messages, with which to respond to the bloody 2FA nonsense. "

At NO point have I mentioned an SMS channel, assumption that EVERYONE should have or use a phone and no mention of contracts. Those just aren't in my statements or assumptions at all. Notwithstanding that SMS is deprecated as a recommendation by both NIST and NCSC. We're way beyond SMS as the 2FA method of choice.

On premise service operated by LL, nobody other than LL would be party to the data mentioned.

I can't stress this enough, MFA should be available for those who would choose to use extra security to protect their assets and account so none of the response given applies as the user would have opted to do this.  You don't want it? Don't use it.

Next contender with "problems" step up... :)

Edited by Bradford Mint
  • Like 1
  • Thanks 1
  • Haha 1

Nothing is 100%, but it is unlikely you'll have problems if you:

1. use strong passwords

2. don't reuse the same password across multiple sites

3. don't give them out

4. don't click on links you get in emails and enter your password there (see #3)

5. install antivirus/malware scanner on your device 

If you aren't doing the last one even 2FA will not save you.

  • Like 1

3 hours ago, Bradford Mint said:

At NO point have I mentioned an SMS channel, assumption that EVERYONE should have or use a phone and no mention of contracts. Those just aren't in my statements or assumptions at all. Notwithstanding that SMS is deprecated as a recommendation by both NIST and NCSC. We're way beyond SMS as the 2FA method of choice.

Thank you for mentioning this.

I really suspect that folks responding negatively here simply don't understand what 2FA is, and have no idea how many of their online accounts are already protected by 2FA, especially practically any financial institution.

For the vast majority of interactions, 2FA was a one-time thing done a long time ago, and after that first time the device "becomes" one of the factors needed for authentication.

And that first time by no means requires a smartphone; it's just that the phone-resident authenticator is so effortless for the user.

  • Like 1
  • Haha 1

4 hours ago, Bradford Mint said:

At NO point have I mentioned an SMS channel, assumption that EVERYONE should have or use a phone and no mention of contracts.  Those just aren't in my statements or assumptions at all.

Yadda yadda yadda...

You blather on about 2FA, and using devices to do this, like dumbphones, somebody with a brain mentioned that this does kind of assume you only operate in one country.

You didn't seem to understand that...

On 08 September 2018 at 9:44 AM, Bradford Mint said:

Please explain why you believe this as I'm interested in why you perceive it to be a) a poor idea and b) why it's a single country thing?

I pointed out WHY it's a single country thing... Roaming Charges.

Many mobile phone operators around the world CHARGE YOU EXTRA to use your phone while in "Foreign Places (tm)", this is part of your "contract" with said phone operator.

You never mentioned countries, or contracts, but you should have, THAT is your omission and your failing. THAT is where you made assumptions.

As for not mentioning SMS, again yadda yadda yadda...

Phones currently engage in exactly THREE kinds of data transmission that's available to Parasite Security Inc, "phone calls", "text messages" and "internet bandwidth".

Any attempt to get a dumbphone to respond to Parasite Security Inc's 2FA demands before Parasite Security tells SL to let you log in, WILL involve ONE of those 3 methods, which depends on what Parasite Security Inc are using, but potentially, any and or all of them can cost the phone user money, if

a) Their contract doesn't include free (communications type) or

b) Their contract means additional charges for (communications type) if outside their own country.

...

45 minutes ago, Qie Niangao said:

I really suspect that folks responding negatively here simply don't understand what 2FA is, and have no idea how many of their online accounts are already protected by 2FA, especially practically any financial institution.

Oh we know what it is, and think it's intrusive BS by paranoid people using the stupidity of others to justify complicating everyone's lives...

My BANK doesn't use this crap...

They just use login ID, password, and "security question", because they are SMART enough to know that people CHANGE their PCs, or phones, or move house and end up with a different IP number, etc., and that these "auto-magical" device based security systems simply annoy the customers to a degree that makes them more of a problem than a help.

54 minutes ago, Qie Niangao said:

And that first time by no means requires a smartphone; it's just that the phone-resident authenticator is so effortless for the user.

*IF* you HAVE a dumbphone of a type that's compatible with Parasite Security Inc's verification app system, and are willing to pay the phone charges that may be involved.

Of course, for everyone else, it's NOT effortless at all, as then they get told to use other means to verify etc.

19 hours ago, Bradford Mint said:

For example, if you're on the usual PC, in the usual location, usual login times etc. there's no need to prompt for additional human responses via authenticators. Only when funds above a threshold or a new PC or an unusual location are involved would there be a need for an additional authenticator.

Passwords can be eradicated too when additional authenticators are in play.

Yeah, another very cool reason to stomp on this crap hard...

Somebody steals your phone/tablet/laptop, logs into SL without needing your password because Parasite Security Inc's 2FA bs, has determined that it's your device, in your usual town, within your usual time window, therefore it MUST be you, and who needs those stupid old school "password" things huh?

Back when bluetooth chips were first launched, some cretin of a marketing sith proposed a "cool" use for them.

You'd have a (as the price was then) £400 bluetooth chip in the petrol pump, and another in your car, and when you went to the petrol station, you'd just pull up, fill the tank, get in your car and drive away.

The Bluetooth chip in the petrol pump would auto-magically contact the bluetooth chip in your car with the bill for the petrol, and the chip in your car would auto-magically send your credit card number and pin code, via secure digital transmission...

And nobody would EVER need to visit the shop in the petrol station forecourt to pay, ever again...

Then people with IQs LARGER than their shoe sizes pointed out that

a) Petrol stations make about 60% of their profits from selling stuff in the store, impulse purchases while you wait in line to pay for the petrol, cigs, candy, Best of Queen Vol 57 CDs...

b) Replacing all the old petrol pumps with new bluetooth enabled ones would cost the petrol companies a small fortune.

c) The car makers wouldn't like adding several hundred pounds to the cost of a new car in a very competitive market

d) And last but not least... To add insult to injury...

If some swine stole your car, the bluetooth chip would make YOU pay for their getaway petrol as well!

...

We've had this crap before, was a time clueless people demanded that websites should use IP addresses to verify you were logging in from the same place as last time.

Being told you can't access a web site where you are a forum Mod, because the new security system doesn't like the fact that your connection gives you a different IP every time you connect to the web, because it was designed by idiots.

Those stupid "captcha" things, where they show you some tiny little picture and you have to type in the letters and numbers, sooooo essential to life, NOT, all of this crap, because some people are too paranoid for their own good, and want to share it around.

...

People are constantly coming up with new examples of the inappropriate use of technology, to make all our lives worse, in a vain attempt to solve UN-problems of their own imagining.

Device based 2FA is a classic example of this.

Nope Klytyna, this isn't how modern 2FA authenticators work, they're just not restricted or enforced in the methods you stated.

Offline use, removes all the fuss about country, networks, roaming, SMS etc. while still allowing the authenticator to work.

Someone stealing the phone, yep, that's a very targeted attack and would still need them to validate to the authenticator itself, protected by a PIN or biometric. You'd need your phone thief to get past that too. Is this extra authenticator preventing the phishing attack and the weak username/password from being used the other side of the world? Absolutely and that's by far the most likely threat actor involved here and again, I will yet once more point out that a phone isn't the only authenticator that can respond here, I have stated a desktop authenticator several times so please don't get hung up on phones.

I don't understand the objection to a reasonable request for stronger authentication for those it would benefit, if it would be optional and your choice is to remain weak.  That's fine but that's not a reason to champion what is fundamentally weak authentication.

With regard to your bank not using it, they will if they're not already because they will be bound by PSD2 (Payment Services Directive 2) which is an EU directive which apart from other things, mandates Secure Customer Authentication and username/password ain't it! (Brexit won't remove this requirement either, it's already being implemented by banks in the UK).

  • Haha 1

@Klytyna 2FA does not have to be used on phones or via SMS. A time-based PC-based token generator will not care what country you are in and would take a second for you to click to copy and then paste it into the relevant field in the browser. Not a big pain at all.

Of course, if your post was performance art then I applaud you, very amusing.

  • Haha 1

17 minutes ago, Bradford Mint said:

Nope Klytyna, this isn't how modern 2FA authenticators work, they're just not restricted or enforced in the methods you stated.

Offline use, removes all the fuss about country, networks, roaming, SMS etc. while still allowing the authenticator to work.

Stop talking complete crap...

When Parasite Security Inc's "inappropriate use of technology" 2FA crap contacts my phone to prove that I am ME, it expects a response...

When MY phone sends that response, THAT is bandwidth usage, and COSTS MONEY.

Offline authentication? So now you are claiming your 2FA crap can authenticate me when my phone is offline?

Shut up, seriously.

21 minutes ago, Bradford Mint said:

Someone stealing the phone, yep, that's a very targeted attack and would still need them to validate to the authenticator itself, protected by a PIN or biometric.

So this "painless and convenient to use" piece of inappropriate technology, now requires that my phone check my finger prints and retina scan, before it allows me to log in to SL...

No... Just NO.

23 minutes ago, Bradford Mint said:

Is this extra authenticator preventing the phishing attack

Best defense against phishing attacks is...

TEACH PEOPLE NOT TO CLICK URLS WITHOUT READING THEM FIRST!

24 minutes ago, Bradford Mint said:

I will yet once more point out that a phone isn't the only authenticator that can respond here, I have stated a desktop authenticator several times so please don't get hung up on phones.

And will my desktop need to be fitted with a retinal scanner and fingerprint detector too? Does EVERY PC that I might ever use anywhere need a retinal scanner and fingerprinter? Hell with that. Are you going to pay for this crap on my PC ?

28 minutes ago, Bradford Mint said:

and the weak username/password

28 minutes ago, Bradford Mint said:

your choice is to remain weak

I spent a quarter of a century working in Corporate IT Operations, login-id / password is only "weak" if people choose stupid passwords, such as the day and month of their birthday for a pin code, or the name of their partner as a password, etc.

31 minutes ago, Bradford Mint said:

I don't understand the objection to a reasonable request for stronger authentication for those it would benefit

Optional has a nasty habit of becoming mandatory... And basically, demanding a complete rebuild of the login system for SL, based around the intrusive and inconvenient use of inappropriate technology, because SOME people are TOO STUPID and TOO LAZY to READ a web URL before clicking on it, is in NO WAY "reasonable".

You are flogging a dead horse, from a 2 year old necro thread, one of two 2 year old necro threads revived by dead-horse-floggers.

35 minutes ago, Gabriele Graves said:

A time-based PC-based token generator will not care what country you are in and would take a second for you to click to copy and then paste it into the relevant field in the browser.

Hmmm, switch on PC, connect PC to internet, wait while PC updates its clock, start up Parasite Security Inc's 2FA application, remove glasses, press eyeball to retinal scanner, try to press thumb to fingerprint scanner while half blind because one eye in the retina scanner and no glasses, try to click the "authenticate me" button, remove thumb and eyeball from scanners, wear glasses, cut n paste code from Parasite Security Inc's app into SL Viewer login fields, get told the code has expired because I took too long, start over from scratch...

Let's not and say we did...

39 minutes ago, Gabriele Graves said:

Not a big pain at all.

Hah...

39 minutes ago, Gabriele Graves said:

Of course, if your post was performance art then I applaud you

The only "performance" here is the one certain dead-horse-floggers are demanding we go through because they are too lazy to READ a web URL...

  • Like 1
  • Haha 1

Fortunately the security world has moved on from the belief that passionate support of weak authentication is all that's required and yes, you will no doubt discover how offline authenticators work when your bank plops their PSD2 compliant service in your lap :). (It's not difficult to do offline MFA, rather simple actually).

The rest isn't worth responding to I'm afraid, it's based upon outdated beliefs and lack of understanding as to modern authentication and what appears to be a failure to actually read what was written because there are certainly no demands from me, only requests and those don't even involve a complete revamp so we'll just have to agree to differ.

As to it being a necro thread, that's actually irrelevant because the situation hasn't changed so the original question remains valid. Not really much need to start the same thread again is there?

  • Haha 1

7 hours ago, Bradford Mint said:

Fortunately the security world has moved on from the belief that passionate support of weak authentication

If YOUR password is "weak", that is because you made it so, that is your fault, and your responsibility, and demanding that others pay through the nose to install new systems, to compensate for your error, is not "reasonable".

7 hours ago, Bradford Mint said:

you will no doubt discover how offline authenticators work when your bank plops their PSD2 compliant service in your lap

No, I won't, because I dislike "online banking" and prefer to actually walk into a bank, and because...

There is no such thing as "offline authentication".

Quite simple to test really...

Take your dumbphone, and take it offline, then see if it authenticates...

1. Take the phone offline by opening the case and removing the battery... Does offline authentication work? Not bloody likely...

2. Smash the phone with a 10lb lump hammer into tiny tiny pieces, does the offline authentication work? No.

If an authentication system sends a request to your phone or PC, that request does NOTHING unless your phone or PC responds. If your device does not respond in any way, due to lack of an app, or disconnected from the web, or switched off, or no power, or smashed into fragments... Then "authentication" does not happen.

If your device does respond it is using some kind of data bandwidth, and depending on your contract, you may incur charges for that.

7 hours ago, Bradford Mint said:

and what appears to be a failure to actually read what was written because there are certainly no demands from me, only requests

You forgot to say "reasonable requests"...

Because the request is not "reasonable", you want LL to spend a pile of money reworking the whole login system, and inconveniencing most of its customers, because...

You feel Stupid & Lazy people who deliberately violate the ToS by giving their passwords to Phrank the Phisher, because they were more interested in getting that "hella kewl offer" than in checking WHAT website they were trying to log in to, is not and never will be reasonable.

8 hours ago, Bradford Mint said:

Not really much need to start the same thread again is there?

And even less to necro TWO threads about flogging dead horses...


Offline authentication, yes it's very real. You're just demonstrating petulant ignorance I'm afraid so no need to further add to this even though yet again, you completely ignore the fact that desktop based authenticators remove the phone use case entirely. It would probably be a surprise to you that cash can be withdrawn from an ATM, using a phone and not a bank card, where that phone has no radio connections of any sort. That's just another use case of course.

"inconveniencing most of its customers"?  Where has that been stated other than in your text?  What part of "for those who would wish to use it" is difficult to understand here? I also proposed changes which only impacted the web login which is pretty trivial to incorporate 2FA.  You might have missed that suggestion along the way.

"deliberately violate ToS by giving their password", now you're really pulling things from thin air.

Sorry but your incorrect assertions and ignorance about modern authentication methods are evident and it's probably better to let those who are current continue the thread.

  • Haha 1

6 hours ago, Bradford Mint said:

Offline authentication, yes it's very real. You're just demonstrating petulant ignorance I'm afraid so no need to further add to this even though yet again, you completely ignore the fact that desktop based authenticators remove the phone use case entirely.

More of your assumptive crap...

...

"Parasite Security Inc Intrusive Arseware Server calling Klytyna's PC... Please transmit evidence that user has passed biometric retina scan/thumb printing checks to eliminate need for passwords, over..."

*static hiss*

"Arseware Server to PC, please respond! Over"

*static hiss*

"Why won't you respond? Over"

Because I told my firewall to block all communications with Parasite Security Inc., so as not to waste MY internet bandwidth talking to pointless parasites... That's why...

"But...But... We are tech illiterate Cyber-Geek wannabe Sci-Fi-Otaku Futureness! Where nobody needs to be smart enough to remember a password, and not enter it into phisher websites..."

...

And if my PC is "offline" how will the arseware app on my PC respond to the Arseware server via the web, if the PC isn't talking via the web to Arseware.con, because it's OFFLINE.

Again more of your assumptive crap, assuming EVERYONE's "devices" are permanently connected to the web, with unlimited bandwidth, and no roaming charges, etc.

THIS is exactly why somebody else correctly accused you of assuming single country use only earlier in the thread.

6 hours ago, Bradford Mint said:

"deliberately violate ToS by giving their password", now you're really pulling things from thin air.

No. I'm not...

If YOU choose to click https://markinplace.secondwife.con of your own free will, that's YOUR choice and YOUR responsibility.

If, having clicked the phisher link, YOU then choose to enter your login ID and password, that is, again YOUR choice and YOUR responsibility.

YOU have chosen to visit a phisher website, and enter your login details into a fraudulent web page login screen, because YOU chose NOT to read the URL or exercise basic security procedures.

That is YOUR choice and YOUR responsibility, and doing so violates the part in the ToS about not giving away YOUR login credentials.

7 hours ago, Bradford Mint said:

I also proposed changes which only impacted the web login which is pretty trivial to incorporate 2FA.  You might have missed that suggestion along the way.

No. YOU changed your "proposal" after it was pointed out that the chances of a substantial rewrite of the viewer login code to support 2FA Arseware were somewhere between ZERO and NAFF ALL

7 hours ago, Bradford Mint said:

What part of "for those who would wish to use it" is difficult to understand here?

That's the same crappy excuse that was given for accessing the benefits system via the internet... "for those that wish to use it"...

Now, if some 93 year old pensioner who has never even used a PC, let alone owned one and arranged broadband (on their meager state pension) needs to query why their pension payment hasn't arrived this month... They have to hobble several miles to the local library (because many libraries have closed because... wikipedia!) and hopefully ask one of the overworked librarians to help them with this "online stuff".

Assumptions...

Some middle class suburbanite politico's middle class suburban research assistant, ASSUMED that because THEY have 100mb Optical glass broadband with unlimited bandwidth, and a dumbphone, and a tablet, and a laptop and a home office desktop and a work office desktop and a work laptop and a blackberry, all with constant and unlimited online data access...

They assume EVERYONE does...

And hey presto, "for those who wish to use it" becomes "The only way to access the service".

I am confident, that in the unlikely event that anyone took your "proposal" seriously, it would only be a matter of time before you, or those like you "proposed" that the system be extended to include EVERYONE, because... "Cyber-Geek Futureness Otaku Reasons!"

6 hours ago, Bradford Mint said:

It would probably be a surprise to you that cash can be withdrawn from an ATM, using a phone and not a bank card, where that phone has no radio connections of any sort.

No, actually, it wouldn't, it's exactly the kind of inappropriate technology use that idiots in Marketing Sith departments dream up, like that "Bluetooth in your car to give your credit card number and PIN to petrol pumps" nonsense that some idiot dreamed up in the late '90s.

It's as bad as that "touch n go" crap with credit/debit cards now, where somebody who picks your pocket, or handbag, and gets your card, can spend small amounts at stores all over town with NO authentication at all, just by touching the stolen card to the pay point in the store.

Only a complete idiot would design a system where stealing a phone lets you raid somebody's bank account too.

Retarded Cyber-Geek Marketing Sith Futureness...

Put it where it belongs... In the trash...
 

  • Haha 1
Link to comment
Share on other sites

That makes for a humorous read, but I'd be rather embarrassed to have written that if it were me, because anyone can do a quick Google to look up offline 2FA authentication and cardless ATM operation. It's a bit like watching the flat earth videos on YouTube: just because it's not understood, don't go claiming that things cannot be so.

Similarly, I'm sure that anyone championing that it's all the users' fault will not dare take the stage at the next infosec conference available and deliver a session on how username and password are the way forward and that everything else is just marketing.

Did you hear the one about the dinosaur that said to its friendly dinos "Nah mate, that meteor stuff is rubbish, it's going to miss us by a mile!"

  • Haha 1
Link to comment
Share on other sites

7 hours ago, Bradford Mint said:

anyone can do a quick google to look up offline 2FA authentication

You should follow your own advice...

Look at what I found...

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

"The Failure of Two-Factor Authentication

Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today."

...

And I know what "offline authentication" is... That's why I despise it. I used it years ago, and it was a bloody pain in the arse then and still is.

An obscure game, called Sacred 2, used it. Having the install DVD in the drive and typing in the product key wasn't "good enough", so they put in one of these "offline authentication tokens" things.

You ran a key gen app which generated a key file, then you logged into a website, uploaded the generated key file, received a reply key, which you cut and pasted into the app, which set the authentication file that allowed you to play the damn game. It made reinstalling the game on a new drive, or repairing a corrupted install, those routine things we do all the time, something like a 3 hour process, because the website that handled this didn't like most modern web browsers, you HAD to use microbloat's IE, and the whole process was a damn PITA.

The whole "offline" part simply means that AFTER your system burns bandwidth connecting to Parasite Security Inc's website, you end up with a "token" stored in a file some place on your system, utterly worthless really, except, say, to stop a burglar using their laptop to connect to your LAN after they break into your corporate office so they don't have to crack the userid/password on one of your desktops...

...

I've seen all kinds of this rubbish, from "hardware tokens" like the old authentication dongles you had to plug into a COM port to use a certain 3D application, 20 odd years ago, through keygen based "stored data tokens", to those stupid SMS/voice-call/web-page based one-time tokens with a 60 second expiry, where failure to receive the code and use it promptly means you have to start all over again.

Then there's that "push notification" crap, that requires a direct and secure connection between you, the 2FA parasites, and the people you are actually doing business with... Only on downloadable-app-friendly devices with constant internet access, of course...

And last and by all means least... Biometric Data is coming...

The British Govt., under the Tories, tried introducing "voluntary biometric ID cards" more than 20 years ago. These things were going to be the ultimate protection against identity theft, totally unforgeable.

The specially manufactured cards had a write-once, read-only memory chip in them, that would store text and visual data on your appearance: photo, description, age, gender, weight, fingerprints, all that "biometric" crap.

These "voluntary" ID cards were going to cost something insane like £80 each to issue, and since they were "obviously the way forward to better security" why wouldn't any "honest person" get one, in fact they should be compulsory, right?

The scheme failed...

Why?

The cretins who conceived this scheme failed to realise that if you can READ the data on the card, and card readers would have to be available to use the stored biometric id data... Then you can COPY the data, edit it, and write it on another blank card, with say a different photo, description and set of fingerprints...

Then there was the fact that a 40 ton truck filled with blank ID cards was stolen, and the black market forgers were offering cards that looked exactly like the real ones (because they were made from real blank cards) for HALF the price in any damn name you wanted, 2 weeks before the real ones were due to launch...

...

Reality is, the ONLY people actively pushing this crap today are the people trying to charge you to use it, who constantly tell you you MUST use this because

2FA Parasite Security Inc's Marketing sith department wrote:

"Reasons, good ones, umm, that have nothing to do with us making a ton of money selling this worthless crap... No, really!"
 

  • Like 1
  • Haha 1
Link to comment
Share on other sites

Yet again, just more evidence that this really isn't your world of knowledge, but I'm not here to teach it, so continue with the misbelief, makes no difference to me :)

That article from 2005 (#LOL) is out of date, those problems are OLD, dinosaur problems long since addressed.

Evidence that you're clueless as to how smartcards work, how biometric data is actually stored and accessed and how match on card works for example.

Your examples of offline auth are so old that they appear to be fossils too. 

Let me know when the seminar on "Passwords are all we need" is running though please.

As regards stolen cards, the only value that a current ID card based around PKI would have would be the visual presentation of the card. Simply because the list of serial numbers of the stolen cards would be blacklisted in the CMS and would not be valid for enrolment. Further, they would not be writable by someone "just stealing a truckload" because the SOPINs are diversified at manufacture based upon an agreed algorithm and key seed value that is HSM generated at the manufacturer and moved securely by means of a key ceremony and imported into the CMS.

Further, each batch of cards will have its Global Platform keys, which need to be defined and entered into the CMS before anything can happen. Get this stuff wrong and you lock the cards pretty smartish and end up with ice scrapers.

All of this before even writing digital certificates onto the cards.  But yeah, you can print one that looks pretty and "looks" ok to a passing copper but try to actually validate it (which is simple to do in the field by said copper) and it'll fail all over the place. Plus, any decent ID card may just be a blank card but then has to go through various forms of additional security which includes various things like laser etching, holograms, lamination etc.

Of course, you know all this right, which is how you magically transformed a blank plastic card into a fully valid ID card.  There's more but clearly no need to point it out.

Honestly, please stop now with decades old beliefs. OUT OF DATE!

  • Haha 1
Link to comment
Share on other sites
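The post above makes three claims about why a stolen truckload of blank cards is not a forgery kit: each card's secret is diversified from its serial at manufacture, the issuing system (CMS) blacklists stolen serials before enrolment, and a card that sees the wrong key too often locks itself. The block below is an added, deliberately simplified model of that design written for this page; it is not Global Platform, not any real CMS, and not code from either poster. The key derivation (HMAC-SHA256 of the serial under a master key), the challenge-response write gate and the three-try lock are assumptions of the example chosen to make the argument concrete.

```python
import hashlib
import hmac
import secrets


class BlankCard:
    """Constructed stand-in for a manufactured card.

    It holds only its serial and the per-card key the manufacturer loaded.
    The key is never read out; a write is accepted only after the issuer
    answers a fresh challenge with that key, and the card locks after
    MAX_TRIES failures (the "ice scraper" the post refers to).
    """

    MAX_TRIES = 3

    def __init__(self, serial: bytes, diversified_key: bytes):
        self.serial = serial
        self._key = diversified_key
        self.tries_left = self.MAX_TRIES
        self.locked = False
        self.holder = None  # personalisation data, written only at enrolment
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def personalise(self, response: bytes, holder: str) -> bool:
        if self.locked or self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None
        if not hmac.compare_digest(expected, response):
            self.tries_left -= 1
            if self.tries_left == 0:
                self.locked = True
            return False
        self.tries_left = self.MAX_TRIES
        self.holder = holder
        return True


class CardManagementSystem:
    """Constructed issuer side: master key (in reality held in an HSM), a
    serial blacklist, and the same diversification the manufacturer used."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self.blacklist = set()

    def diversify(self, serial: bytes) -> bytes:
        # One derived key per serial: compromising one card reveals nothing about another.
        return hmac.new(self._master_key, b"card-key:" + serial, hashlib.sha256).digest()

    def manufacture(self, serial: bytes) -> BlankCard:
        return BlankCard(serial, self.diversify(serial))

    def enrol(self, card: BlankCard, holder: str) -> str:
        if card.serial in self.blacklist:
            return "rejected: serial blacklisted"
        response = hmac.new(self.diversify(card.serial), card.challenge(), hashlib.sha256).digest()
        if not card.personalise(response, holder):
            return "rejected: card refused authentication"
        return "enrolled"


def forge_with_guessed_key(card: BlankCard, guessed_key: bytes, holder: str) -> bool:
    """Models someone holding a stolen blank card but not the issuer's master key:
    without the diversified key every write fails, and the card locks itself."""
    for _ in range(BlankCard.MAX_TRIES):
        response = hmac.new(guessed_key, card.challenge(), hashlib.sha256).digest()
        if card.personalise(response, holder):
            return True
    return False


if __name__ == "__main__":
    cms = CardManagementSystem(b"constructed master key, never leaves the HSM")
    good = cms.manufacture(b"SN-0001")
    stolen = cms.manufacture(b"SN-0002")
    cms.blacklist.add(stolen.serial)
    print(cms.enrol(good, "A. Resident"))            # enrolled
    print(cms.enrol(stolen, "M. Forger"))            # rejected: serial blacklisted
    print(forge_with_guessed_key(stolen, b"guess", "M. Forger"), stolen.locked)  # False True
```

The printed "looks pretty" card the post concedes a forger can still produce corresponds here to a card whose `holder` was never written and whose serial is on the blacklist: anything that validates against the CMS rather than the printed face fails on both counts.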
