Additionally, is two-factor authentication in general less secure, and if so, why?
Yes, it appears that RSA SecureIDs were compromised. RSA hasn't clearly stated that the algorithm or other critical data is safe, and not saying so outright is pretty revealing.
No, this doesn't make other forms of two-factor authentication any less secure.
ceejayoz
- +1 @ceejayoz: So is there even the remote chance that the recent exploits were a response to RSA's reported breach in security, but only in the sense that a party not related to the breach at RSA had already broken the encryption or key generation algorithm, and was concerned the window of opportunity to exploit it might close due to an unexpected response by RSA, such as the release of an even stronger algorithm and/or modified seed? Meaning the breaches that have been reported to be related to RSA's breach are only indirectly related, and this was not a chained exploit; no pun intended. – blunders Jun 04 '11 at 01:48
- @ceejayoz: Also, I'm wondering if the concept of attacking the server hosting the two-factor authentication, or the server algorithms/data enabling it, as an exploit somehow makes it less secure in general, simply by the awareness of it as an attack vector, and the level of trust such an authentication method might be given. – blunders Jun 04 '11 at 01:53
- I think everyone using SecureIDs and similar tech has been aware of the potential danger of a breach of the algorithms. These authentication methods are supplemental to strong passwords, as well. RSA appears to be reissuing new SecureIDs to the affected customers. – ceejayoz Jun 04 '11 at 02:26
- +1 @ceejayoz: Thanks for the clarification. My take is that there has been an exponential increase in the awareness of this threat. Also, I don't believe security in general has exponentially improved in the recent past. So, my claim is that two-factor authentication is now in fact less secure due to greater awareness of these exploits. Passwords provide a very limited level of security; meaning the security provided by passwords is really related to IDS and physical security, and passwords alone are of little value. That said, keys, not passwords, are the main focus of my question. – blunders Jun 04 '11 at 03:07
- Why would awareness of potential exploits make it *less* secure? If companies know about the exploits, they are more likely to take measures to prevent attacks using these venues. – ceejayoz Jun 04 '11 at 03:19
- +1 @ceejayoz: Awareness of potential exploits increases the threat that some will try; the more people trying, the greater the chance a weak link in the system supporting the two-factor authentication will fail. Additionally, measures to prevent attacks mean two-factor authentication has become less secure, and likely will become less and less so going forward, in my opinion. – blunders Jun 04 '11 at 03:41
- Awareness of exploits means you can take measures to prevent them, and in this case, everyone was already aware that compromising the SecureID algorithm would be something that'd cause a security concern. Bottom line: two-factor authentication is still better than one-factor authentication, and always will be. – ceejayoz Jun 04 '11 at 03:47
- @ceejay My understanding of this issue is that some SecureID accounts have been stolen. I have not seen any mention of a weakness of the algorithms and/or exploit of them. Is that not the case? – Keith Jun 04 '11 at 04:34
- @ceejayoz: Whether two-factor auth is still better than one-factor auth isn't the question. "Everyone" was not already aware of the issue; in fact, even after the RSA breach, which more than likely is directly related to the breaches that followed, systems were accessed using those keys. If they knew it was an issue, then all I can guess is that the US was baiting the attacker, which I also don't think is the case. I just don't understand how having to add additional counter-measures means two-factor authentication is just as secure as it was 6 months ago, or how more threats have no effect on risk. – blunders Jun 04 '11 at 04:45
- @Keith: RSA's response to whether intruders gained the ability to clone SecurID keyfobs, per RSA spokeswoman Helen Stefen: "That's not something we had commented on and probably never will." RSA has been privately briefing its customers about its intrusion, but only after placing them under nondisclosure agreements, and the company has shared few details with the public. SOURCE: http://www.wired.com/threatlevel/2011/05/l-3/ – blunders Jun 04 '11 at 04:59