Anybody Out There Using PhoneFactor for Two-Factor Authentication? [updated]

PhoneFactor is an interesting Two-Factor Authentication scheme.

Advantages:

  1. Uses an phone number (cell, land, whatever) instead of a token like RSA‘s Securid tokens so it has to be cheaper (RSA tokens are expensive and only last so long).
  2. This second factor is out-of-band so the man-in-the-middle vulnerability is neutralized. [Update: wrong!]

Is anybody out there using it?

Advertisements

6 Responses

  1. The MITM is not neutralized. To neutralize a MITM attack you need some form of mutual authentication.

  2. Nick, you are correct. I don’t know what I thinking. Actually, I know I what I was thinking. My brain saw out-of-band for the second factor and jumped to an erroneous conclusion.

  3. Well, it’s definitely not neutralized, but it does narrow the scope to “active” MITM attacks. PhoneFactor doesn’t say anything about authentication the server, which is the problem with MITM attacks, but because the user has to actually answer the phone and hit # to allow the login, the only MITM attacks that would work would have to be mounted at that time (as opposed to at a later time, by caching credentials. We’re starting to see these in the real world, but they do require a more sophisticated attack.

    -Steve

  4. An advantage of the tokens is that there’s less possibility for communication error. My entire company uses Phonefactor, must have a few hundread accounts, and I dfind it increadably unreliable. Just now it took me 14 attempts to connect to the VPN as it didn’t accept my correct PIN 13 times… very fustrating. God forbid I drop the wifi connection now.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: