Comment Re:Time for 2FA authentication to be rolled out ov (Score 1) 642
Im not sure you have looked into https://www.shieldpass.com/ which is using the passwindow mutual authentication method not just OTP's used by the SecureID, I agree the RSA one time passwords are "over" being completely vulnerable to various MITM attacks including phishing etc as the codes contain no information to the user about what exactly it is being authenticated. This is the same problem with many tokens etc where a attacker can inject themselves at various point on the network, mobile or terminal itself with a trojan. *It should be noted however in RSA's defense that in this particular case you refer to it wasnt any of these usual methods they used to defeat the tokens but the fact they didnt airgap the machine holding the secret keys.
If you watch the demo video you can see that the transaction specific information ie could be something bitcoin specific is encoded into the challenge alongside the OTP so the user is informed as to what they are authenticating and the MITM fails. They cant switch challenges and they cant remove the transaction information from the challenge. Being a non humanly communicable key (the visual segmented pattern) they cant easily interrogate the user for key information either.
Its not perfect, for that we would need the server to be able to scan your soul however its cheap, convenient and more secure than the alternatives unless you have a better suggestion.
If you watch the demo video you can see that the transaction specific information ie could be something bitcoin specific is encoded into the challenge alongside the OTP so the user is informed as to what they are authenticating and the MITM fails. They cant switch challenges and they cant remove the transaction information from the challenge. Being a non humanly communicable key (the visual segmented pattern) they cant easily interrogate the user for key information either.
Its not perfect, for that we would need the server to be able to scan your soul however its cheap, convenient and more secure than the alternatives unless you have a better suggestion.