Timeline for How is "something you have" typically defined for "two-factor" authentication?
Current License: CC BY-SA 4.0
10 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| May 17, 2024 at 15:10 | history | edited | Michael come lately | CC BY-SA 4.0 | Fix typo. Markdown formatting. Remove a little fluff. |
| May 18, 2011 at 9:36 | comment | added | AviD♦ | | SMS is not a 2nd factor, but it is out-of-band, and that has a different set of benefits. But no, it is definitely not a 2nd factor. |
| May 16, 2011 at 17:21 | comment | added | nealmcb | | Great conversation, @kindofwhat, @john, @rakkhi! Can we get it edited into the answer, which we seem to agree is a bit off-track now with its reasoning? |
| May 16, 2011 at 15:21 | comment | added | Rakkhi | | @kindofwhat You can't forget it is a second factor, though. The malware or hacker would still require the password for immediate access. Also the argument that users are far more likely to notice losing their phone rather than a hard token protected by a PIN. Thus far at least, malware on the iPhone has required the user to jailbreak; fair enough, Android is different. |
| May 16, 2011 at 14:51 | comment | added | kindofwhat | | @Rakkhi: Not entirely. There still is the notion of a crypto token. Would you consider a hacked iPhone (with that cool "no PIN hack") or a malware-laden Droid to be a trustworthy crypto token? |
| May 16, 2011 at 14:44 | comment | added | Rakkhi | | Interesting that after the RSA incident there were a lot of people and a fair few self-interested vendors writing about the advantages of SMS OTP or a soft token on mobile over a hard token, mainly due to the ability to quickly update. I have 3 hard tokens on my key chain: 2 from banks, one from my employer; none of them require a PIN to see the OTP. Only the work one requires a PIN with the OTP to use. On the other hand, my iPhone has a strong password to secure SMS OTP and the soft token. If Google and Apple make a PIN mandatory, would that change your mind, @kindofwhat? |
| May 15, 2011 at 16:27 | comment | added | john | | I just found a very interesting paper on the subject of NIST Levels and mobile phones: ida.liu.se/~annva/papers/… In section 3 they evaluate several factors and propose ways to make mobile phones compliant with different levels. As I read it, if certain assumptions hold and can be implemented, Level 3 compliance could be achieved. To sum up, in the usual case, it turns out you are correct: mobile phones and lists of one-time passwords are certainly not Level 3 compliant. |
| May 15, 2011 at 16:01 | comment | added | kindofwhat | | @John: you are right. Whatever "a secure authentication protocol" might be in that case... OTOH, on p. 34 of the NIST document, the different authentication tokens are described. And this definitely rules out written-down TANs. |
| May 15, 2011 at 15:12 | comment | added | john | | Hmm, this may not be the case, but I'm not sure. The wording of this paragraph is a bit strange, but pay attention to the 'or' part. First of all, the claimant must prove that he is in control of the token. This is a requirement for every level, even the 1st. The added thing at Level 3 is that he must either use a PIN to unlock the token, or use a PIN while doing the authentication as a second factor. At least this is how I interpret that paragraph. |
| May 15, 2011 at 14:56 | history | answered | kindofwhat | CC BY-SA 3.0 | |