undefined | Better HN

0 pointsswiftcoder2mo ago0 comments

> In this case the device is just your brain

And that makes it a password (i.e. the primary factor, not a second factor). The whole point of a second factor is that it's not trivially cloneable (hence why, for example, SMS is a poor form of 2FA in the presence of widespread SIM cloning attacks).

0 comments

ulrikrasmussen2mo ago

No, the defining characteristic of a password is also how it is used: it is communicated in the clear to the verifier, thus revealing it to eavesdroppers. It is highly non-trivial to clone the knowledge in someone's brain if they never openly communicate the mTOTP secret but only do the computations in their head.

swiftcoderOP2mo ago

> No, the defining characteristic of a password is also how it is used: it is communicated in the clear to the verifier

This is only true if the verifier lives on your local terminal - otherwise we use an encrypted channel to transmit to the verifier, or do the exactly same type of timed-salted-hash scheme used here to transmit without revealing the password.

ulrikrasmussen2mo ago

The thing is that you are sometimes tricked into giving the password to someone who is posing as the verifier.

crote2mo ago

Not true. There are lots of authentication schemes where the plaintext password is never communicated. This becomes rather crucial when the client doesn't know for sure yet what the identity of the other side is. See for example wifi encryption.

Cloning the knowledge in someone's brain is fairly easy. You just need a wrench.

ulrikrasmussen2mo ago

Yes, but that is not how passwords work since the protocol for proving knowledge is that you enter it into the HTML form served by the party claiming to be the verifier.

If we are talking rubber-hose cryptography then a physical hardware token is just an insecure as a brain. Most people are not hacked via wrenches.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ulrikrasmussen2mo ago

swiftcoderOP2mo ago

> No, the defining characteristic of a password is also how it is used: it is communicated in the clear to the verifier

ulrikrasmussen2mo ago

The thing is that you are sometimes tricked into giving the password to someone who is posing as the verifier.

crote2mo ago

Cloning the knowledge in someone's brain is fairly easy. You just need a wrench.

ulrikrasmussen2mo ago

Yes, but that is not how passwords work since the protocol for proving knowledge is that you enter it into the HTML form served by the party claiming to be the verifier.

If we are talking rubber-hose cryptography then a physical hardware token is just an insecure as a brain. Most people are not hacked via wrenches.

1 more reply

j / k navigate · click thread line to collapse