@@ -657,14 +657,18 @@ and forms the basis for authentication of web sites using Transport
657657Layer Security, its adoption for authentication of end-users has
658658generally proven challenging. PGP was an early effort to allow
659659end-users to authenticate themselves with public key cryptography, but
660- if you need to authenticate yourself to, say, your bank, it's
661- overwhelmingly the case today that you will use some combination of
662- user name (maybe an account number or an email address) and a
663- password. Perhaps another factor, such as a one-time code sent to your
660+ its deployment remains limited. If you need to authenticate yourself
661+ to, say, your bank, it's overwhelmingly the case today that you will
662+ use some combination of user name (maybe an account number or an email
663+ address) and a password. Perhaps another factor, such as a one-time
664+ code generated locally by an app (referred to as a timed one-time
665+ password or TOTP) or a code sent over the cellular network to your
664666phone, will also be used. Encryption (using TLS) prevents your
665- password from being seen by eavesdroppers when it is sent to the
666- bank's site, but currently there is little deployment of public key
667- cryptography for the authentication of users. SSH, as noted in a
667+ password (and one-time code) from being seen by eavesdroppers when it
668+ is sent to the bank's site, but there are plenty of weaknesses to this
669+ form of authentication as we discuss below. Public key cryptography
670+ would generally be a better solution for the authentication of users
671+ but its deployment has been sparse historically. SSH, as noted in a
668672previous section, supports the use of public keys for user
669673authentication, but it's hardly in mainstream use by consumers on the
670674Internet.
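Review bot: the expansion of TOTP at lines 664-665 ("timed one-time password") does not match the standard term; RFC 6238 defines it as "Time-based One-Time Password", so the parenthetical should read "(referred to as a time-based one-time password or TOTP)". Since the new text also adds "(and one-time code)" to the TLS sentence, it would help to say explicitly that the eavesdropping protection covers only the transport and that an attacker who obtains the code some other way (the phishing case discussed in the next section) is unaffected by it.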
@@ -678,11 +682,14 @@ are relatively short or simple, and has become easier over time with
678682increased computing power. Because many people re-use passwords across
679683multiple sites, if a password is obtained from a breach of one site,
680684it can often be used on other sites. And a range of *phishing attacks *
681- entail somehow tricking a user into putting his login credentials
682- into a fraudulent web site. This might be initiated with an email
683- leading the user to input his credentials to a domain name similar
684- to the expected one, on a site that mimics the visual style of the
685- legitimate web site.
685+ entail somehow tricking a user into putting his login credentials into
686+ a fraudulent web site or divulging them over the phone. Phishing
687+ attacks are often initiated with an email leading the user to input
688+ his credentials to a domain name similar to the expected one, on a
689+ site that mimics the visual style of the legitimate web
690+ site. Multi-factor authentication raises the bar somewhat for the
691+ attacker, but even one-time codes can often be obtained via phishing
692+ attacks.
686693
687694A range of efforts have been under way for many years to reduce the
688695reliance on passwords and to drive adoption of public key cryptography
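Review bot: the closing sentence added at lines 690-692 ("even one-time codes can often be obtained via phishing attacks") would be more precise if it named which second factors are affected: codes the user reads and types, i.e. the TOTP and SMS codes introduced in the previous hunk, can be relayed to the attacker's site, whereas the public-key approaches the following paragraph introduces are bound to the legitimate origin and do not share that weakness. As written, the sentence can be read as saying that all multi-factor authentication is equally phishable, which undercuts the argument the section goes on to make. Minor style point on the unchanged context line "And a range of *phishing attacks *": the space before the closing asterisk will stop the emphasis from rendering in most markup processors; it should be "*phishing attacks*".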