Timeline for How is "something you have" typically defined for "two-factor" authentication?
Current License: CC BY-SA 3.0
10 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Jun 15, 2011 at 1:02 | history | bounty awarded | Jeff Ferland♦ | ||
| Jun 13, 2011 at 16:13 | comment | added | this.josh | I'm not trying to get your concession. I'm trying to make sure I understand the limits of your definition. The point of the original question is that 'something you have' is not well understood. My admittedly slightly adversarial comments are my way of trying to think about the problem. | |
| Jun 13, 2011 at 1:16 | comment | added | Jeff Ferland♦ | If you can steal my keys without visual confirmation, physical presence, or really anything coming within a mile of me, you can have a cookie and my concession. | |
| Jun 12, 2011 at 22:23 | comment | added | this.josh | Passwords are not always transmitted, some are authenticated locally. Even in enterprise Windows environments credentials are often cached, so not every authentication is transmitted. No one needs to be standing next to a key user. Metal cut keys can be duplicated from photographs taken at 195 ft. See Reconsidering Physical Key Secrecy. | |
| Jun 12, 2011 at 14:49 | comment | added | Jeff Ferland♦ | The difference is that a password is transmitted and can be monitored by remote compromise of the computer. A lock does not send details of the key anywhere. Even if you were standing next to me, it would likely be challenging to describe the key without me being complicit. They both present the same risk of physical theft, but different risks of compromise in use. | |
| Jun 12, 2011 at 1:00 | comment | added | this.josh | Isn't a password written on a piece of paper as physically controllable as a metal cut key for a tumbler lock? | |
| Jun 10, 2011 at 19:16 | comment | added | Jeff Ferland♦ | A key can be secured by physical control. The use of the key does not transmit information (the lock is local), so an attacker's physical interference is required. That meets the standards I defined. That a user can convey all the information about the key, or all the information from a one time password list does not preclude either of them from being something you have. Neither is compromised through their normal usage. | |
| Jun 10, 2011 at 0:38 | comment | added | this.josh | Your conception places considerable restriction on 'something you have' not leaking any information. For example, a cut metal key for a tumbler lock is a traditional 'something you have'. Yet, since the user sees the key they know some attributes of the key: it has five teeth, it is single sided, my key is made by Yale, etc. That information leakage may allow an attacker without access to the physical key to compromise the lock. I believe a thing which meets your definition is very rare. | |
| Jun 9, 2011 at 14:35 | history | edited | Jeff Ferland♦ | CC BY-SA 3.0 | deleted 6 characters in body |
| Jun 8, 2011 at 19:06 | history | answered | Jeff Ferland♦ | CC BY-SA 3.0 |