eispot.blogg.se

Symantec two factor authentication








RSA-Proofing Our Duo Push Two-Factor Authentication

Jon Oberheide
Product & Engineering

We haven't commented much on the RSA breach, primarily because, instead of ambulance chasing, we've been busy working on some technology to prevent RSA-style attacks from impacting our Duo Push authentication, which is the subject of today's post. However, I think there are a couple interesting points that can be drawn from the RSA breach:

First, the RSA breach has shown that two-factor technology is incredibly effective. The attackers targeting Lockheed Martin and company had to plan an entirely separate operation to compromise RSA's internal secrets to even get their foot in the door of the defense contractors. While RSA's implementation of two-factor may be suboptimal, the event bolsters the argument for deploying two-factor rather than undermining it.

Second, to butcher a Fight Club quote: "On a long enough timeline, everyone gets owned." Even RSA. The design decisions and mechanisms that help mitigate the risk of a breach, limit its impact, and rapidly recover from it are the most important things to consider. In RSA's case, they did a lot wrong, which they undoubtedly realize as they churn millions of new SecurID tokens off the assembly lines.

The topic of trust is something near and dear to us at Duo, as we've designed our platform from the ground-up to place as minimal trust in our service as necessary and are continually working to further host-proof our service. We already limit our risk and differentiate ourselves from our competitors by maintaining complete independence (none of this pin+passcode garbage) from your primary authentication for our native integrations (eg. That is, instead of delivering an on-site hardware/virtual appliance that proxies usernames and passwords, your users' primary credentials are never touched by Duo-controlled code. In the event of a compromise, the integrity of your users' primary credentials remains intact.

The other issue that is important to protect against is RSA-style breaches, where the shared secrets used as the seed for OTP-based authentication may be leaked out of a database by an attacker. Unfortunately, the use of shared secrets is a necessity for OTP-based authentication, so any and all vendors (RSA, Google, Verisign/Symantec, etc) offering OTP two-factor (whether OATH's HOTP/TOTP or some other proprietary algorithm) are vulnerable to RSA-style breaches.

Just a couple weeks ago, we launched our Duo Push authentication:

Duo Push leverages the capabilities of modern smartphones to create a more secure and user-friendly two-factor authentication experience. Specifically, Duo Push utilizes the native push notifications (APNS, C2DM, etc) to provide real-time notification of transaction and login requests to a user's smartphone, a secure out-of-band (OOB) communications protocol to display the full verified details of the request to the user, and simple one-touch responses to allow the user to approve or deny the request on the smartphone itself.
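The post's point that OTP schemes require the verifier to hold the same seed as the token, shown as an added example (not code from the original post or from Duo). It implements OATH HOTP/TOTP per RFC 4226 and RFC 6238; the `OtpVerifier` class, the user name and the seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP)


class OtpVerifier:
    """Hypothetical server side. It cannot keep only a hash of the seed:
    it needs the raw value to recompute the expected code."""

    def __init__(self):
        self.seed_db = {}  # user -> raw seed, the data at risk in a breach

    def enroll(self, user: str, seed: bytes) -> None:
        self.seed_db[user] = seed

    def verify(self, user: str, code: str, now: int, drift: int = 1) -> bool:
        seed = self.seed_db[user]
        for d in range(-drift, drift + 1):  # tolerate one step of clock skew
            t = now + d * STEP
            if t >= 0 and hmac.compare_digest(totp(seed, t), code):
                return True
        return False


def demo():
    seed = b"12345678901234567890"  # constructed: the RFC 4226 test seed
    server = OtpVerifier()
    server.enroll("alice", seed)
    token_code = totp(seed, 59)  # what alice's token displays
    # A copy of the verifier's record yields the same code as the token.
    copy_code = totp(dict(server.seed_db)["alice"], 59)
    return token_code, copy_code, server.verify("alice", copy_code, 59)


if __name__ == "__main__":
    print(demo())
```

Because the seed has to be recoverable in raw form, the seed store deserves the same protection as a signing key: encryption at rest with keys held outside the database, strict access logging, and a tested re-enrollment path.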






