Re: Two-Factor Authentication on the Web

From: Pete Herzog (listsisecom.org)
Date: Fri Jun 30 2006 - 10:35:53 CDT


Hi,

> What other controls, other then multifactor authentication, can
> mitigate that risk?

I was hoping to see a good answer to this question.

While there are quite a few ways one can "authenticate", the root
problem, to me, is Identification and Authorization, which make up
Authentication. If the same source for Identification is used and the
same Authorization means is granted, then any additional authentication
factor really is kind of the same thing over the net. Sure, a token,
dongle, fingerprint, timezone, location, software, etc. make the attack
more difficult, but if the attacker can usurp the identity and
the client, then the attack success is very high. Meaning, if you break
into the house and use the banking info on that computer to make the
attack, your success chances will be much higher.

An additional channel, whether it be SMS or telephone call-back, can
improve the chances of authentication, but this is still not even close to the
type of authentication one can get in person.

Further discussion, however, will show that physical presence is often
over-rated because the people who do the identification and grant
authorization can also be easily fooled. The risk of getting caught is not
much higher for those people, but the speed to repercussion is. Over the
net, there is much less repercussion if denied: the difference between
"Access Denied" on-line and "Hey, wait a minute while I get my manager"
(as the guard approaches).

I've been doing a lot of research into Trusted Computing for the
OpenTC project and it's clear that TC may not have the answer either,
but it's not as bad. At least it closes the link between person and
computer a bit better for the sake of identification.

I am interested in hearing from others, though, on replacement or
enhancement security for authentication where identification and
authorization are not weak links, or where the speed or level of repercussion
is up there with the physical world.

-pete.
