WebApp Sec mailing list archives
Re: Token authentication with web applications
From: Ivan Krstic <krstic () fas harvard edu>
Date: Fri, 02 Jul 2004 21:45:32 +0100
Graham Howe wrote:
> The only real solutions we can see are software based.
I disagree strongly. In my experience, software-only solutions that are any more complicated than a password entry are either snake oil or highly complicated for end users, as is generally the case with OTPs (in the case where nothing is printed). Think for a second why passwords enjoy their wild popularity:
1. They have no learning curve
2. They require no setup on client machines (in other words, a user can just walk up to any public terminal with a web browser and check his mail on Hotmail)
Now, taking a software-only scheme past that usually requires the introduction of client-side keyfiles and the like; this is a solution which offers absolutely no extra protection in an environment whose threat model includes attackers' physical access to workstations, and is simply impossible to implement securely in an environment where there is no strict one-to-one mapping between users and workstations. From a brief glance at dualshield.com, it does not appear that the unfortunately named flagship product addresses these issues (the product, named DSS and marketed as the "new standard in internet security", conflicts unpleasantly with the DSS specified in FIPS-186, May 1994, an actual standard), but do correct me if I'm wrong.
Cheers, Ivan.
Current thread:
- Token authentication with web applications Ivan Krstic (Jul 01)
- <Possible follow-ups>
- RE: Token authentication with web applications Michael Silk (Jul 02)
- RE: Token authentication with web applications sfdl01 (Jul 02)
- RE: Token authentication with web applications Graham Howe (Jul 02)
- Re: Token authentication with web applications Ivan Krstic (Jul 02)
- RE: Token authentication with web applications sfdl01 (Jul 02)
- RE: Token authentication with web applications Levenglick, Jeff (Jul 02)
- RE: Token authentication with web applications Scovetta, Michael V (Jul 04)
- RE: Token authentication with web applications stevenr (Jul 05)