[foaf-protocols] foaf+ssl & two factor authentication

Slawomir Grzonkowski slawek.grzonkowski at deri.org
Fri Sep 3 18:12:25 CEST 2010


Hi Henry,
The idea of two-factor authentication is based on the fact that there  
are three factors in general:

- Something you know - for example a password or PIN
- Something you have - for example a USB key or a swipe card
- Something you are - for example a retina pattern or a fingerprint

The initial claim was that the possession of two factors of different  
types is necessary to ensure secure authentication of a given user.
There are, however, claims that this is not enough any longer.  
Schneier [2] says basically that the main problems for authentication  
are phishing attempts and trojan horses
(Schneier also wrote a continuation of this essay highlighting the  
advantages of two-factor authentication).

In the case of WebID, a password to protect the private key can be  
considered as something you know.
Then during our recent discussion in Galway, I mentioned that in WebID  
a user has a domain.
During the protocol execution, the user proves that a given domain is  
under his control. Thus, this could be considered as an additional  
authentication factor.
Thinking a bit more about it, the private key (matching the self-signed  
certificate) is also something the user has: in practical  
realizations it's too long to say that it's also something you know.

The idea that something like a domain could be considered as an  
authentication factor may not be intuitive, but for example in this  
paper [1], the author claims that a bookmark can be considered as one  
of the factors.
[1] was published at CCS, which is considered a top security  
conference.

Regards,

Slawek

[1] Adida, B. 2007. Beamauth: two-factor web authentication with a  
bookmark. In Proceedings of the 14th ACM Conference on Computer and  
Communications Security (Alexandria, Virginia, USA, October 28 - 31,  
2007). CCS '07. ACM, New York, NY, 48-57. DOI= http://doi.acm.org/10.1145/1315245.1315253

[2] Schneier, B. 2005. Two-factor authentication: too little, too  
late. Commun. ACM 48, 4 (Apr. 2005), 136. DOI= http://doi.acm.org/10.1145/1053291.1053327


On 1 Sep 2010, at 16:19, Henry Story wrote:

> I was talking to Slawomir here in Galway about foaf+ssl, and he  
> pointed out that this was a two-factor authentication protocol.  
> Perhaps Slawomir can explain his thinking here. If we can make the  
> case that it is, then that could be useful.
>
> Henry
>
>
> Social Web Architect
> http://bblfish.net/
>

-- 
Slawomir Grzonkowski
DERI, NUI Galway, Ireland
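The step Slawek describes above ("the user proves that a given domain is under his control") is the server-side check of WebID-TLS / foaf+ssl: the TLS handshake proves possession of the private key, and the server then dereferences the URI found in the certificate's subjectAltName and checks that the profile published there lists the same public key. The following is an added illustration of that check, not code from the list post, from Henry, or from any foaf+ssl implementation. The WebID `https://example.org/people/slawek#me`, the Turtle profile text and the in-memory "fetcher" standing in for an HTTPS GET are all constructed for the example; the profile format follows the W3C cert ontology (`cert:modulus` as hexBinary, `cert:exponent` as integer).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// ProfileFetcher dereferences a WebID profile document and returns its body.
// In a real server this is an HTTPS GET; the example injects an offline map.
type ProfileFetcher func(docURL string) (string, error)

// Constructed WebID for the example (assumption, not a real profile).
const exampleWebID = "https://example.org/people/slawek#me"

// makeSelfSignedWebIDCert builds the self-signed client certificate used by
// foaf+ssl: the WebID URI is carried in the subjectAltName as a URI entry.
func makeSelfSignedWebIDCert(key *rsa.PrivateKey, webid string) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildProfile renders a minimal constructed Turtle profile that publishes pub
// for the WebID's fragment identifier under the W3C cert ontology.
func buildProfile(webid string, pub *rsa.PublicKey) string {
	frag := "#me"
	if u, err := url.Parse(webid); err == nil && u.Fragment != "" {
		frag = "#" + u.Fragment
	}
	return fmt.Sprintf(`@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<%s> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "%X"^^xsd:hexBinary ;
    cert:exponent %d ] .
`, frag, pub.N, pub.E)
}

// Matches one modulus/exponent pair; whitespace inside the hexBinary literal is allowed.
var keyPattern = regexp.MustCompile(`(?s)cert:modulus\s+"([0-9A-Fa-f\s]+)".*?cert:exponent\s+(\d+)`)

// parseProfileKeys extracts every published RSA key from the profile text.
// Simplification: every cert:key in the document is assumed to belong to the
// WebID; a full implementation parses RDF and follows the triple from the subject.
func parseProfileKeys(profile string) []rsa.PublicKey {
	var keys []rsa.PublicKey
	for _, m := range keyPattern.FindAllStringSubmatch(profile, -1) {
		hex := strings.Join(strings.Fields(m[1]), "")
		n, ok := new(big.Int).SetString(hex, 16)
		if !ok {
			continue
		}
		var e int
		if _, err := fmt.Sscan(m[2], &e); err != nil {
			continue
		}
		keys = append(keys, rsa.PublicKey{N: n, E: e})
	}
	return keys
}

// verifyWebID is the server-side check. The handshake already proved the client
// holds the private key (something you have); this proves the matching public
// key is published at the claimed URI, i.e. the client controls that resource.
func verifyWebID(cert *x509.Certificate, fetch ProfileFetcher) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("client certificate does not carry an RSA key")
	}
	for _, u := range cert.URIs {
		doc := *u
		doc.Fragment, doc.RawFragment = "", "" // the document lives at the URI minus its fragment
		profile, err := fetch(doc.String())
		if err != nil {
			continue // unreachable profile: this SAN cannot be verified
		}
		for _, k := range parseProfileKeys(profile) {
			if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("no subjectAltName URI publishes the certificate's public key")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := makeSelfSignedWebIDCert(key, exampleWebID)
	profiles := map[string]string{ // constructed stand-in for the web
		"https://example.org/people/slawek": buildProfile(exampleWebID, &key.PublicKey),
	}
	fetch := func(u string) (string, error) {
		if p, ok := profiles[u]; ok {
			return p, nil
		}
		return "", fmt.Errorf("no profile at %s", u)
	}
	fmt.Println(verifyWebID(cert, fetch))
}
```

Note that the password protecting the private key (Slawek's "something you know") is consumed entirely on the client side to unlock the key before the handshake; the server never sees it and can only observe the two proofs above, possession of the key and control of the URI. A server that skipped the dereference and trusted the subjectAltName as-is would lose the second factor, since anyone can put any URI into a self-signed certificate.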
