Another security question

Steve D'Aprano steve+python at pearwood.info
Fri Dec 23 20:32:07 EST 2016


On Sat, 24 Dec 2016 11:20 am, Paul Rubin wrote:

> What is it that you are trying to secure?  If it's something important,
> set up 2-factor authentication (such as TOTP) and encourage your users
> to use it.


You say that as if two-factor auth was a panacea.

That's the sort of thinking that leads to:

https://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html
https://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html
http://resources.infosecinstitute.com/two-factor-authentication/
http://www.securityweek.com/two-factor-authentication-bypassed-simple-attacks


not to mention the abomination of "one factor authentication, twice", like
that used by the Australian government unified web portal. To log in, you
have to provide something you know (username and password), plus something
else you know (answer to a low-security question like "what was your
mother's maiden name?").



-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.