> In any case, if you aren't going to own the client hardware, you
> basically are going to have to assume it is vulnerable since nobody
> maintains their PCs well. That means keyboard sniffing, cookie
> stealing, and so on. If you're web-based a hostile browser could just
> open another session in the background after the user authenticates
> (2-factor or otherwise) and do whatever it wants to. Granted, I don't
> know if anything is out in the wild which actually does this, and it
> would probably need to be somewhat targeted to work (unless somebody
> has a rootkit that just lets them interactively fire up another
> browser on a VNC display or something using the same browser session).
If that's the case then it sounds like 2FA doesn't really provide any extra assurance. It's another layer but if the machine is hacked then it sounds like it becomes a very thin layer. I'd most like to allow the remote employee to use their own computer, but is there any way to have reasonable assurance that a remote attacker can't log into my web stuff if the employee's computer is compromised? With a Chromebook, how can I be assured that the employee is only able to log into my web stuff with the Chromebook? - Grant