1

I need some help for my understanding while reading through this authentication scheme in WEP.

In a WEP authentication scheme, the station first sends a request for authentication. However, this authentication scheme is a one-way authentication because it does nothing to prove to the station that the access point knows the key. Does this show the need for a two-factor authentication and the importance of a two-factor authentication?

Thanks very much!

Papple.
  • Do you mean WEP or WPA2? As you will get a flood of comments about [WEP insecurity](http://www.makeuseof.com/tag/what-is-wep-wi-fi-encryption-and-why-is-it-really-insecure-makeuseof-explains/) if you just mean WEP. – LateralFractal Oct 16 '13 at 10:07
  • Agreed - 2FA will not help you in WEP. It's horribly broken. Switch to WPA2 if you want any semblance of wireless security. – Polynomial Oct 16 '13 at 10:11
  • Hi, I meant WEP. – Papple. Oct 16 '13 at 13:18

2 Answers

4

"Two-factor" is not "two-way".

"Two-way" authentication, aka mutual authentication, is when two entities (let's call them A and B, e.g. a WiFi access point and a client system) prove to each other that they are who they claim to be; A gains confidence in the fact that it talks to the genuine B, and B gains confidence in the fact that it talks to the genuine A.

"Two-factor" authentication is when one entity proves its identity to the other twice, using two methods which are qualitatively different. E.g. A shows to B a password and a code which B just sent to A's mobile phone (with an SMS); this is "two-factor" because A's password is bound to A's brain (that's "something A knows"), while the code over SMS is bound to A's phone (that's "something A owns").

The two notions are orthogonal to each other.

Iszi
Thomas Pornin
  • Oh I see. Now I see the difference between a two-factor and a two-way authentication. That really helped a lot, thank you very much! – Papple. Oct 16 '13 at 13:22
2

No. That shows a need for mutual authentication.

Two factor authentication is a way to increase the confidence or assurance in an authentication. Passwords are weak; passwords combined with either token or biometrics are stronger. But the authentication is still one way; the relying party has confidence in the identity of the claimant, but two factor (or three factor or N factor) authentication doesn't intrinsically make any statement about the identity of the relying party.

Mutual authentication can be single factor or multifactor. You may derive some confidence from an SSL certificate, or an extended validation SSL certificate. Some banks have implemented a "secret image protocol"; they store an image of your choice, and if they don't display it during logon, you should be suspicious.

WEP is of course inherently insecure for unrelated reasons. Even if you mutually authenticate with multifactor authentication, you have no confidence that an adversary won't read the traffic afterwards, or even break in midstream and replace one of the parties with a MITM attack.

Ideally, you want a situation where both parties can mutually authenticate in a way that creates confidence commensurate with the transaction value.

Iszi
MCW
  • Thank you very much Mark. That totally cleared my assumption that two-factor and two-way are different things, which is wrong. Thanks very much! – Papple. Oct 16 '13 at 13:24
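
The difference between the one-way exchange described in the question and the mutual authentication both answers point to, as an added example that is not part of the original thread. It uses HMAC-SHA256 over random nonces in place of WEP's actual RC4-based challenge; the function names, role labels and keys are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets


def prove(key: bytes, role: bytes, nonce: bytes) -> bytes:
    """Proof of key possession for one challenge.

    The role label is bound into the MAC so that a proof produced by one
    side cannot be replayed as the other side's proof.
    """
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()


def one_way(station_key: bytes, ap_key: bytes) -> dict:
    """Only the access point challenges; the station never checks the AP."""
    ap_nonce = secrets.token_bytes(16)                 # AP -> station
    sta_proof = prove(station_key, b"station", ap_nonce)  # station -> AP
    ap_ok = hmac.compare_digest(sta_proof, prove(ap_key, b"station", ap_nonce))
    # The station receives only "success" or "failure" from the AP. An AP
    # without the key can report whatever it likes, so from the station's
    # side nothing about the AP has been verified: None, not True.
    return {"ap_verified_station": ap_ok, "station_verified_ap": None}


def mutual(station_key: bytes, ap_key: bytes) -> dict:
    """Each side challenges the other with its own fresh nonce."""
    ap_nonce = secrets.token_bytes(16)                 # AP -> station
    sta_nonce = secrets.token_bytes(16)                # station -> AP
    sta_proof = prove(station_key, b"station", ap_nonce)
    ap_proof = prove(ap_key, b"ap", sta_nonce)
    return {
        "ap_verified_station": hmac.compare_digest(
            sta_proof, prove(ap_key, b"station", ap_nonce)),
        "station_verified_ap": hmac.compare_digest(
            ap_proof, prove(station_key, b"ap", sta_nonce)),
    }


if __name__ == "__main__":
    KEY = b"constructed-shared-key"      # sample value, constructed
    OTHER = b"constructed-wrong-key"     # an AP that does not hold KEY
    print("one-way, genuine AP :", one_way(KEY, KEY))
    print("one-way, AP w/o key :", one_way(KEY, OTHER))
    print("mutual,  genuine AP :", mutual(KEY, KEY))
    print("mutual,  AP w/o key :", mutual(KEY, OTHER))
```

Neither flow involves a second factor: the station proves a single thing (knowledge of the key) in both, which is why the two notions are independent of each other.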