top | item 35859773


mstolpm | 2 years ago

A physical key to your front door is a physical object and something you own - but you can still make copies of it. Someone else can even make a copy from a photo of the key. Google Authenticator was (until recently) the only app I know that made it very hard to copy the OAuth secret to another device; lots of other OAuth apps made it a feature to sync/backup your keys.

I can't think of a lot of security factors (besides perhaps biometrics) where copying is really impossible. It's just not economical.

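The point mstolpm makes about authenticator apps, as an added example that is not part of the thread: the secret an authenticator app stores is a TOTP seed (RFC 6238, built on the HOTP construction of RFC 4226), and a seed is just bytes. Any device holding a copy of those bytes produces the same codes, so a "sync/backup" feature is, by construction, a copy of the factor. The code below implements HOTP/TOTP from the standard library, decodes the base32 seed as an enrolment QR code carries it, and shows a second device enrolled from an exported seed passing the server's check. The seed is the published RFC test vector, not anyone's real key; the names `decode_seed`, `Authenticator` and `clone_demo` are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test seed, in the base32 form an enrolment QR code carries.
# Constructed input for the demo: base32 of b"12345678901234567890", not a real key.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(b32: str) -> bytes:
    """Base32 text from an otpauth:// URI or QR code -> raw key bytes.
    Tolerates the spaces and missing '=' padding apps commonly display."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify(secret: bytes, code: str, at: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept +/- `window` steps for clock drift, compare in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


class Authenticator:
    """Minimal model of an authenticator app: the only thing it holds is the seed."""

    def __init__(self, seed_b32: str):
        self.secret = decode_seed(seed_b32)

    def export(self) -> str:
        """What a sync/backup feature ships to another device: the seed itself."""
        return base64.b32encode(self.secret).decode()

    def code(self, at: int, digits: int = 6) -> str:
        return totp(self.secret, at, digits=digits)


def clone_demo(seed_b32: str, at: int, digits: int = 6):
    """Enrol a phone, 'back it up' to a second device, and return
    (phone code, clone code, whether the server accepts the clone's code)."""
    phone = Authenticator(seed_b32)
    clone = Authenticator(phone.export())   # a copy of the seed is a full copy of the factor
    server_secret = decode_seed(seed_b32)   # the relying party holds the same bytes
    clone_code = clone.code(at, digits)
    return phone.code(at, digits), clone_code, verify(server_secret, clone_code, at, digits=digits)


if __name__ == "__main__":
    import time
    print(clone_demo(DEMO_SEED_B32, int(time.time())))
```

Nothing in the server's `verify` can tell the two devices apart: it only ever sees a six- or eight-digit function of the seed and the clock. Refusing to export the seed (as mstolpm describes for Google Authenticator) raises the cost of copying; keeping the seed inside a hardware token or HSM that will compute codes but never release the key raises it further, which is the economic barrier growse's reply refers to.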

growse | 2 years ago

Very little is "impossible". The point of developing a good second factor is to have a design that makes it economically infeasible to copy. Like a good HSM.

charcircuit | 2 years ago

A physical key is something you know too if it can be copied. It's just that now the thing you know is the bitting of the key.

saltcured | 2 years ago

This seems like a pretty significant semantic shift from what multi-factor originally meant. I think the real problem here is that the original idea of factors came from an environment where a person is being authorized for physical access to a controlled facility and the factors are being checked by a trusted deputy of the relying party. The different factors really mean something when you are being checked at a facility gate.

What you "know" is held in your mind and up to your will whether to divulge or not. You might not have a choice if put under duress.

What you "have" is possessed on your person and you may choose to present it but you may be forced to reveal it in a search. You may have had a choice as to which possessions to carry with you to the facility or which to hide and disavow.

What you "are" are passively observable characteristics of yourself that the facility may choose to measure and which may be difficult for an imposter to replicate. You would probably be unable to withhold these characteristics.

Once we water this down into a remote access to a website, these factors become vague analogies. In the end, the website is only able to observe information from the local user agent. How much can the website deputize end-user equipment and trust it to make any of these distinctions on its behalf?

What you know and what you have start to blur together as different grades of information. There may be no real way for the website to distinguish whether it came from your mind or from some storage or communication device in your possession.

What you are and what you have start to blur together as well. There may be no way for the website to distinguish how you protected your possessions (i.e. via biometrics or PIN), or whether you involved other parties who helped with this.