Multi-factor authentication requires at least two sets of credentials. This is typically something you know (e.g. a password) and something you own (e.g. a token generator or mobile phone).


12 votes, 2 answers, 176 views

Mitigating the loss of a mobile phone used for second-factor login

Take the following scenario: John is using GMail for his primary email account and LastPass as his password management system. Both of these accounts are using the Google Authenticator mobile ...
4 votes, 4 answers, 217 views

What are the ways to implement two factor authentication?

We have devices that can generate tokens. So we can use tokens with passwords to perform two factor authentication. There are many ways to implement such systems to enhance security. One of two I ...
5 votes, 6 answers, 219 views

Is there multi-factor authentication for machines?

Most of what I have seen on multifactor authentication (e.g. Wikipedia or here on SE) seems human centric. I.e. it is a human interacting with a machine and the factors are associated with authenticating ...
0 votes, 0 answers, 59 views

Are there any SmartCards with NFC or Bluetooth technology? [closed]

I'm looking for a Smartcard that has integrated NFC communication, (or any other contact based transfer). Does this technology exist, and must I rely on non-integrated solutions?
1 vote, 1 answer, 75 views

What is more secure for voice and SMS OTP: A random number or generated similar to HOTP?

Many providers are creating OTP authentication for their sign in. However I noticed that all the voice and SMS OTPs I've come across are a series of 6 digits... similar to the HOTP RFC Standard ...
19 votes, 11 answers, 904 views

Is it safe to use a weak password as long as I have two-factor authentication?

I'm careful to use strong passwords (according to How Big is Your Haystack, my passwords would take a massive cracking array 1.5 million centuries to crack), I don't reuse passwords across sites, and ...
7 votes, 2 answers, 219 views

What is the risk and mitigation of accidentally typing a YubiKey password in an open forum?

I have a YubiKey in my laptop (for testing) and accidentally broadcast my YubiKey password out to the Internet. Since this is only a test key, and has no access to anything of value, here are some ...
2 votes, 1 answer, 158 views

Is Dual Factor possible during boot with whole disk encryption on Mac FileVault 2

Mac FileVault 2 is the default disk encryption for newer Macs that occurs in the EFI pre-boot phase. The challenge here is that most smartcard drivers are loaded after the OS loads. Is anyone aware ...
2 votes, 2 answers, 73 views

Options for simple phone verification with pin delivery

My website needs to verify phone numbers in order to ensure that customers claiming a business actually work there. The service calls and gives the customer a pin which they put into the site. Many ...
6 votes, 4 answers, 906 views

(SoHo) Multi-Factor Authentication for Remote Desktop Gateway

I am looking at implementing some sort of multi-factor authentication for a Remote Desktop Gateway at a small office (less than 20 users). Where would be a good place to start for a quality, ...
7 votes, 3 answers, 140 views

If multi factor authentication is enabled, how should that affect self-service password reset?

Given that security is only as secure as its weakest link, suppose I have website with additional authentication enabled in any of these ways: (example, multiple conditions may be required) ...
5 votes, 6 answers, 1k views

Is tokenless (specifically SMS) 2FA a security compromise over OTP tokens?

I've been looking into the various pros/cons of tokenless (particularly SMS based) and traditional token based two-factor authentication (think RSA SecurID). After doing some research, I think I have ...
-1 votes, 1 answer, 81 views

Does PayPal support a backup code for two-factor auth? [closed]

Google and DropBox have backup codes in case you can't get access to one of the devices you have registered. Does PayPal have a backup code?
4 votes, 5 answers, 143 views

When should I issue more than one multi-factor device to a user? Is it OK to give several active tokens vs none at all?

Most of the conventional IT.Sec thinking I've seen says that a user can only have one multi factor authentication device. I'd like to challenge that de facto thinking and ask if there is ever an ...
3 votes, 1 answer, 89 views

How safe is “trust this computer” option for websites?

Many sites have a "trust this computer" option that allows one to bypass some security measures (ex.: with Google's 2-step authentication enabled, one does not need to enter the phone's code if the ...
