Re: Three steps we could take to make supply chain attacks a bit harder

On 31.03.24 at 21:19, Simon de Vlieger wrote:
I don't quite agree with you. Two-factor authentication, whether an actual second
factor device or not, does prevent credential stuffing, which is a common attack
method that is easy to perform. It is when people take databases of previously leaked
passwords and try them on other accounts that belong to the same person. Since two
factors are generally unique per login situation, they can't be stuffed in the same way.

Of course there are many things two factor does not protect against.


2FA in a lot of cases is just access to a different account (e.g. email
or even SMS) and these normally aren't unique. Sure, there are other
ways like FIDO2, but these are not necessarily used (or liked; quite
frankly, I know a lot of people who would lose them on a monthly basis,
but are still quite smart about other stuff).

This can also lead to a pretty interesting "circle" of 2FA where, for
example, email a is the 2FA address for email b and email b is the 2FA
address for email a. If it's the only option, it can also lead to a
chicken-and-egg problem for young people who want to create e.g. their
first email account. But this paragraph is beside the point.

So, sure, 2FA would prevent people from just trying out leaked
passwords. But an attack like this would not be a "spray and pray"
attack, but it would be a targeted one. This means that the acceptable
effort from the attacker would be quite a bit higher.

2FA would prevent script kiddies and "spray and pray"-style attacks from
being successful. But more? Doubtful.


Regards

Kilian Hanich
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



