Multi-Factor Authentication vs Multi-Single Factor Authentication
mb
Sprites mods has an interesting article about hacking the protection of a hardware authentication device:
http://www.spritesmods.com/?art=secustick
What’s interesting about this is that it shows how easy it is to feel like a hardware device is providing a second factor of authentication when in reality all it is doing is giving you single factor authentication twice. And although that still might seem more secure, it actually provides little additional benefit.
It’s like the other day I tried to cash a large check at a bank where I didn’t have an account. They asked me for two forms of picture identification. I thought it was strange that if someone could fool a bank checker with a forged state driver’s license, with all its security controls, how much more effective can another form of identification really be? If you can create a convincing fake driver’s license, can’t you just as easily fake just about any other picture ID?
To be a truly different authentication factor, a hardware device must have its own processing environment that is separate from the host OS, as typical smart card devices do. It must be impossible to make duplicates of the hardware, and any tampering with the physical device should be evident. Oh, and physically obtaining the device should not be enough for an attacker to gain any privileged access.
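The separate-processing requirement above, as an added Python example that is not from the original post or the linked article: it contrasts a token that hands its secret to the host with one that answers a server nonce using an HMAC computed inside the device. The class names and the HMAC-SHA256 challenge-response scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class StaticToken:
    """Hypothetical device that releases its secret to the host for checking."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def read_secret(self):
        return self._secret  # from here on the secret sits in host memory


class ChallengeResponseToken:
    """Hypothetical device with its own processing: the key stays inside."""
    def __init__(self, key):
        self._key = key  # provisioned at enrollment (assumed trusted step)

    def sign(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use nonces and checks the token's HMAC."""
    def __init__(self, key):
        self._key, self._pending = key, None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response):
        challenge, self._pending = self._pending, None  # nonce is single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    static = StaticToken()
    copied = static.read_secret()  # what a compromised host retains
    key = secrets.token_bytes(32)
    token, server = ChallengeResponseToken(key), Verifier(key)
    captured = token.sign(server.new_challenge())
    first_ok = server.check(captured)
    server.new_challenge()  # next login gets a fresh nonce
    return copied == static.read_secret(), first_ok, server.check(captured)
```

`demo()` returns three flags: the host's copy of the static secret still matches with the device unplugged, the first challenge-response login succeeds, and the captured response is rejected against the next nonce.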



