OpenAuth, OpenID, Two Factor Authentication

GWestphal

Golden Member
Jul 22, 2009
Would having one online username + one password + a service-unique two-factor auth code be safe?

Is that what things are moving towards with OpenID, OpenAuth and two-factor auth like Google Authenticator and similar services?

Is it possible to reverse-engineer the user-unique two-factor auth from the pseudo-random auth codes? The sequence is deterministic, right? How many consecutive samples would you need to reverse-engineer the hash key?

What are the worst case scenarios involved here?

Savatar

Senior member
Apr 21, 2009
If I'm understanding the question correctly, you are asking whether existing services like OpenID/OAuth + a two-factor solution are secure, and whether that is a trend in the industry? I know that OpenID and OAuth are pretty popular, and I've seen more and more sites use them, but I still very rarely encounter two-factor authentication. I don't think two-factor authentication will be too widespread even in the next 5 years (at least outside of big companies).

While single sign-on solutions like OpenID and OAuth largely depend on the implementation to be secure, in general they are not 'safe' by themselves. There are some possible exploits, for example http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html and http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html. However, I think at least one of the examples in the first link, at least, is not correct... I don't think you can man-in-the-middle OAuth just by using an IFRAME to let the user authenticate; that's not how an IFRAME works. It's still the user's browser communicating directly with what's in the IFRAME (an IFRAME doesn't make the traffic go through the original page that contains the IFRAME tag)... but maybe I'm reading it wrong.

Using two-factor authentication does increase security, but it's still not perfect (RSA tokens have had problems with being predictable in the past, for example, so it is, or at least was, likely possible to figure out the sequence). That would be beyond my current skill set, though.

For most practical purposes I would say that it would be secure 'enough' (and even more secure than relying on password alone).

As for the other question, I can't speak to that (I don't know).