On 27 December 2015 at 22:08, Owen DeLong <owen@delong.com> wrote:
This is a bit of a tangent, really. The discussion was about authentication factor counts and Baldur tried to use PCI-DSS acceptance of password-encrypted private key authentication as two-factor to bolster his claim that it was, in fact two-factor, when it clearly isn’t actually two-factor as has been stated previously.
I wanted to stay out of this, but Owen you are full of shit here. I am pointing out that your homemade definition does not match up with what others think two factor means. PCI DSS might be utter crap, but they are still more than "Owen DeLong and his personal opinion". You are utterly confused about the meaning about two factor. You apparently believe the magic words "two factor" is a statement about the security of a system, while it is in fact just a simple property. A property that even an inherently insecure and weak system can have. It is not, as you have said, about strengthen the search space of a crypto key (just double the key length if you need that). In fact, many two factor systems do not use crypto keys at all. An example of such a non crypto based system is a credit card with magnetic strip plus pin. The magnetic strip contains just the card number, which can also be read directly from the card and even memorized by the owner. We need two factor because if you have just one factor, say the password, the hacker will simply call the user and ask him to tell the password. And the users will happily obligate. Experience shows this. On the other hand, if you give the users a single factor system with a physical token (a key), that gets stolen, misplaced or "borrowed" far too easily. Therefore industry standard is card + pin to enter a building (=two factor). Secure places require three factor (card + pin + biometric). SSH keys are two factor because people do not in general memorize the key file. Because they do not, you can not gain access to the system with only what you know (=in your mind). Unless the user violated protocols and changed the passphrase to null, you can not gain access just by possession of the key file. That is all that is required to name it two factor. That Owen DeLong believes the system stinks does not change that at all. Historically the banks used to depend on a system that is the same as ssh keys: certificate files you have on your computer to access the bank website. That also is a two factor system. The users did not usually memorize the content of the certificates. The system is weak because bad guys used malware to steal the certificate files and install key loggers to also get the other factor, the password. In my country (Denmark) they decided hardware keys are still too expensive, so they developed a two factor system based on paper keys. You will get a piece of paper with a few hundred random numbers. When you log in, you are asked to type one of the numbers in to prove that you are in possession of the key paper. The codes are just 6 digits and infinite weak if you believe them to be part of any crypto scheme. This system has also been broken because now bad guys ask the users to take pictures of the key paper to prove something, and the users happily do just that. Banks are still happy though, because the loss is less than the cost to ship hardware keys to everyone. Only strong two factor systems are really resistant to the users defeating the system by doing stupid things. That does not mean that only strong two factor systems are two factor. That would be silly - Owen what would you then name weak and broken two factor systems? It is a property - nothing more. Regards, Baldur