Timeline for Safe way to authenticate (multi-factor authentication?) while being monitored?
Current License: CC BY-SA 3.0
5 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Aug 15, 2011 at 1:25 | comment | added | Isaac | @Jeff: I don't know any details of the platform. In practice, I'm not particularly worried about direct risks from the owners of the computer, but rather risks coming from not properly securing the collected data, so that a theft of that information would compromised my personal accounts. | |
| Aug 15, 2011 at 0:34 | comment | added | Jeff | @Isaac: yes (assuming the site you're logging into does session management properly). But if they're watching you like a hawk, chances are they can see that you access mail.google.com (either from tls host info or dns) and might have some "malicious" service that then scrapes your cookies. This is a well know issue of "is it possible to create a trusted platform on top of an untrusted one?" so in this case (they control everything on the machine), there really isn't much you can do. This also applies to multi factor auth. Besides, do you even know if the browser is using an intercepting proxy? | |
| Aug 14, 2011 at 22:41 | comment | added | Isaac | @Jeff: That would only allow them access at the same time as me, but not after I'd logged out, right? | |
| Aug 14, 2011 at 22:37 | comment | added | Jeff | But if they have such control over the machine, they can just rip the session id out of memory. | |
| Aug 14, 2011 at 22:27 | history | answered | Douglas Leeder | CC BY-SA 3.0 |