[WEB SECURITY] New two-stage login procedure

Brian Eaton eaton.lists at gmail.com
Wed Dec 13 15:13:45 EST 2006


On 12/13/06, Martin O'Neal <martin.oneal at corsaire.com> wrote:
> IMHO OTP and web applications is a bit of a red herring anyway.  The
> client-side threats that they are pitched as a protection against imply
> a level of control over the HTTP client that by definition makes them
> useless at protecting the web application session.  For example, to
> install a key logger you have more than enough control over the client
> to be able to also get at the web session.  If you can get at the
> session, then you don't need the authentication.

Agreed, OTP isn't going to protect the session.  The main goal with
2FA is to cut the amount of time during which the account is
compromised from days or weeks to hours or minutes.

Regards,
Brian
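The point Brian makes about shrinking the exposure window is easy to see in code. The block below is an added illustration, not something from the thread or either poster: a minimal RFC 6238 TOTP generator plus a verifier that enforces the time step, a one-step clock skew allowance, and no-reuse of an accepted counter. The secret and timestamps are the RFC 6238 test values, used here as constructed sample input. A code observed by a keylogger stays usable only for the current step (and it is rejected outright once the legitimate user has consumed it), whereas a stolen session cookie, which OTP does nothing about, stays valid for as long as the session does.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length
SKEW = 1       # accept one step either side of "now" for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class OtpVerifier:
    """Server-side check that bounds how long any one code can be used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest counter already accepted; blocks replay

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            if c <= self.last_counter:
                continue  # already used (or older): a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    """Show the lifetime of a captured code. Secret and time are RFC 6238 test values."""
    secret = b"12345678901234567890"  # constructed sample secret from the RFC
    t0 = 59                           # RFC 6238 test timestamp (counter 1)
    verifier = OtpVerifier(secret)
    captured = totp(secret, t0)       # what a keylogger on the client would see
    return {
        "code": captured,
        # legitimate user logs in first: accepted
        "legit": verifier.verify(captured, t0),
        # attacker replays the same code seconds later: refused
        "replay_same_step": verifier.verify(captured, t0 + 5),
        # attacker tries the code a few steps later on a fresh verifier: outside the window
        "after_window": OtpVerifier(secret).verify(captured, t0 + 3 * STEP),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier is deliberately stateful: tracking the last accepted counter is what turns "valid for 30 seconds" into "valid once", which is the property that keeps the compromise window to minutes rather than days. None of this helps if the attacker rides the already-authenticated session, which is exactly the thread's point; that exposure is bounded by session lifetime and re-authentication policy, not by the OTP.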

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]