[foaf-protocols] foaf+ssl & two factor authentication
slawek.grzonkowski at deri.org
Fri Sep 3 18:12:25 CEST 2010
The idea of two-factor authentication is based on the fact that there
are three factors in general:
-Something you know - for example a password or PIN
-Something you have - for example a USB key or a swipe card
-Something you are - for example a retina pattern or a fingerprint
The initial claim was that the possession of two factors of different
types is necessary to ensure secure authentication of a given user.
There are, however, claims that this is not enough any longer.
Schneier  says basically that the main problem for authentication
are phishing attempts and trojan horses
(Schneier also wrote a continuation of this essay highlighting
advantages of two-factor authentication).
In the case of WebID, a password to protect the private key can be
considered as something you know.
Then during our recent discussion in Galway, I mentioned that in WebID
a user has a domain.
During the protocol execution, the user proves that a given domain is
under his control. Thus, this could be considered as an additional
Thinking a bit more about it, the private key (matching to the
self-signed certificate) is also something the user has: in practical
realizations it's too long to say that it's also something you know.
The idea that something like a domain could be considered as an
authentication factor may not be intuitive,
but for example in this paper , the author claims that a bookmark
can be considered as one of the factors.
 was published at CCS, which is considered a very top security
 Adida, B. 2007. Beamauth: two-factor web authentication with a
bookmark. In Proceedings of the 14th ACM Conference on Computer and
Communications Security (Alexandria, Virginia, USA, October 28 - 31,
2007). CCS '07. ACM, New York, NY, 48-57. DOI= http://doi.acm.org/10.1145/1315245.1315253
 Schneier, B. 2005. Two-factor authentication: too little, too
late. Commun. ACM 48, 4 (Apr. 2005), 136. DOI= http://doi.acm.org/10.1145/1053291.1053327
On 1 Sep 2010, at 16:19, Henry Story wrote:
> I was talking to Slawomir here in Galway about foaf+ssl, and he
> pointed out that this was a two-factor authentication protocol.
> Perhaps Slawomir can explain his thinking here. If we can make the
> case that it is, then that could be useful.
> Social Web Architect
DERI, NUI Galway, Ireland