Secure the Human! It's actually a website... (381 comments)
Secure the Human! It's actually a website...
Authored by: Anonymous on Saturday, May 25 2013 @ 03:24 PM EDT
The issue is not that the SMS goes to your phone, but that the hacker can replace your phone number with their phone number, without you knowing anything about it, until it is too late.

I can't find anything about two-step authentication on the Twitter account I just logged into. :(

> doesn't Twitter or whoever use SSH logins, encrypted, with a password? Wouldn't that work.

In theory, yes. The issue here is that social engineering is so common that it has become trivial for third parties to determine your password and pass themselves off as you.

With two-factor authentication, a token is sent out of band and received by a device that is under the exclusive control of the user who wants to sign in.

The problem with this approach is when the device is not under the control of the user, but under the control of a third party. Translating that to Twitter, and most other sites, if a third party can log into the account, they can configure two-step authentication and use that to lock the legitimate user out of the account.

Google has an interesting twist on minimising that possibility. If the user logs in from a place that is, for the specific user, "unusual", the screen asks the user where they usually log in from. If you usually log in from Decatur, GA, writing Atlanta, GA is usually treated as a wrong answer. You get one or two tries to write the correct answer before the connection is closed. On subsequent attempts to log in, even more questions are asked, whose answers are, in theory, something that only the legitimate user would know. (Two of the questions are "who sends you the most email?" and "Who do you send the most email to?" How fuzzy the answer is allowed to be appears to depend upon how much email one sends and receives. Regardless, if you provide the wrong answer to both questions, you will be denied access to your account.)

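The mechanics this comment walks through, modelled as an added Python example (not the commenter's, Twitter's or Google's code): a password check, an out-of-band code delivered to the enrolled phone, a "where do you usually log in from?" step-up with a small try budget that closes the session when exhausted, and the enrollment change that lets whoever holds a session point the phone number at their own device. The `Account` structure, the `SENT_CODES` stand-in for the SMS gateway, the two-try limit and all phone numbers are constructed. The `enroll_phone_checked` rule (confirm a replacement on the currently enrolled phone before it takes effect) is an assumed mitigation that the comment does not itself propose.

```python
# Added example for this page (not the commenter's, Twitter's or Google's code).
# Models: password + out-of-band code to an enrolled phone, a location step-up
# with a small try budget, and the enrollment change that lets whoever holds a
# session re-point the phone. All names, numbers and the SMS stand-in are
# constructed; the "confirm on the current phone first" rule is an assumed
# mitigation, not something the comment describes.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_LOCATION_TRIES = 2  # constructed: "one or two tries" before the connection closes


@dataclass
class Account:
    password_hash: bytes
    phone: Optional[str] = None              # enrolled out-of-band device, if any
    usual_locations: Set[str] = field(default_factory=set)
    locked: bool = False
    location_failures: int = 0
    pending_otp: Optional[str] = None        # code awaiting entry at login
    pending_confirm: Optional[str] = None    # code awaiting entry for a phone change


# Constructed stand-in for the SMS gateway: phone number -> codes delivered to it.
SENT_CODES: Dict[str, List[str]] = {}


def send_code(phone: str) -> str:
    """Deliver a fresh six-digit one-time code out of band and record it."""
    code = f"{secrets.randbelow(10**6):06d}"
    SENT_CODES.setdefault(phone, []).append(code)
    return code


def hash_password(password: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_password(password))


def login(acct: Account, password: str, location: str,
          claimed_usual: Optional[str] = None, otp: Optional[str] = None) -> str:
    """One login step. Returns "ok", or what is still needed / why it failed."""
    if acct.locked:
        return "locked"
    if not password_ok(acct, password):
        return "bad-password"
    # Step-up on an unusual location: the user must say where they usually log in from.
    if location not in acct.usual_locations and claimed_usual not in acct.usual_locations:
        acct.location_failures += 1
        if acct.location_failures >= MAX_LOCATION_TRIES:
            acct.locked = True          # "before the connection is closed"
            return "locked"
        return "need-location"
    acct.location_failures = 0
    # Second factor: a token delivered to the enrolled device, if one is enrolled.
    if acct.phone:
        if otp is None:
            acct.pending_otp = send_code(acct.phone)
            return "need-otp"
        if not hmac.compare_digest(acct.pending_otp or "", otp):
            return "bad-otp"
        acct.pending_otp = None
    return "ok"


def enroll_phone_unchecked(acct: Account, new_phone: str) -> str:
    """The weakness the comment describes: any holder of a logged-in session
    (including someone who phished the password) can replace the phone and
    thereby become the only party able to pass the second step."""
    acct.phone = new_phone
    return "ok"


def enroll_phone_checked(acct: Account, new_phone: str, password: str,
                         confirm: Optional[str] = None) -> str:
    """Assumed mitigation: re-prove the password, and when a phone is already
    enrolled, deliver a confirmation code to the *current* phone so the legitimate
    holder sees the replacement attempt and it cannot complete without them."""
    if not password_ok(acct, password):
        return "bad-password"
    if acct.phone and acct.phone != new_phone:
        if confirm is None:
            acct.pending_confirm = send_code(acct.phone)
            return "need-confirm"
        if not hmac.compare_digest(acct.pending_confirm or "", confirm):
            return "bad-confirm"
        acct.pending_confirm = None
    acct.phone = new_phone
    return "ok"
```

Two things the model makes visible. With `enroll_phone_unchecked`, nothing ever reaches the original phone, which is exactly the "without you knowing anything about it" property the comment objects to; with `enroll_phone_checked`, the only code sent goes to the phone already on file. The check only covers replacing an enrolled phone: an account with no second factor yet, taken over with a phished password and then enrolled by the intruder, is the lock-out case the comment raises, and re-proving a password the intruder already has does not stop it.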

See my post below
Authored by: Anonymous on Saturday, May 25 2013 @ 04:20 PM EDT
Twitter 2FA broken by design

The PCMag article also links to a video by the boss of Toopher


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )