| 1 |
> In any case, if you aren't going to own the client hardware, you |
| 2 |
> basically are going to have to assume it is vulnerable since nobody |
| 3 |
> maintains their PCs well. That means keyboard sniffing, cookie |
| 4 |
> stealing, and so on. If you're web-based a hostile browser could just |
| 5 |
> open another session in the background after the user authenticates |
| 6 |
> (2-factor or otherwise) and do whatever it wants to. Granted, I don't |
| 7 |
> know if anything is out in the wild which actually does this, and it |
| 8 |
> would probably need to be somewhat targeted to work (unless somebody |
| 9 |
> has a rootkit that just lets them interactively fire up another |
| 10 |
> browser on a VNC display or something using the same browser session). |
| 11 |
|
| 12 |
|
| 13 |
If that's the case then it sounds like 2FA doesn't really provide any |
| 14 |
extra assurance. It's another layer but if the machine is hacked then |
| 15 |
it sounds like it becomes a very thin layer. |
| 16 |
|
| 17 |
I'd most like to allow the remote employee to use their own computer, |
| 18 |
but is there any way to have reasonable assurance that a remote |
| 19 |
attacker can't log into my web stuff if the employee's computer is |
| 20 |
compromised? |
| 21 |
|
| 22 |
With a Chromebook, how can I be assured that the employee is only able |
| 23 |
to log into my web stuff with the Chromebook? |
| 24 |
|
| 25 |
- Grant |
Archives