WebApp Sec mailing list archives
RE: Entrust - Identity Guard - Any experience?
From: "ken kousky" <kkousky () ip3inc com>
Date: Sat, 20 Aug 2005 16:51:52 -0400
Guess you don't understand what Identity Guard does. It IS a second factor. It's something you have. You use it with a password that, in a valid security environment, is still something you know. If you have a strong password policy you've probably made the password something you have since your policy assures that it's NOT something you know. That's why it's the weakest and costliest element of our worst security environments.

Passwords have been so disastrously implemented by security managers who close their eyes to the "naked emperor" that even leading industry gurus, including MS folk, suggest that a password is something you HAVE because you have to write it down to know it if you follow an idiotic strong password model. The Post-it-notes have finally won!

With Entrust, you use a simple password that is truly something you KNOW and the Identity Guard provides a testable but low cost check for something you have - doesn't require a card reader or scanner either.

Any IT Security pro that supports strong passwords owes it to their organization to look at intelligent alternatives to the naked emperor syndrome. See IP3's "Strong Passwords are an Oxymoron" - first drafted in '01 to get a better understanding but kill your strong passwords.

Even DHS Presidential Directive 12 implies the need for intelligent multi-factor solutions throughout the Federal government. A cheap solution for industry is long overdue. If you have more money to spend there are even better options.

KWK
IP3 Strategies to Reality

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Friday, August 19, 2005 2:27 PM
To: Dwayne Taylor
Cc: SB; webappsec () securityfocus org
Subject: Re: Entrust - Identity Guard - Any experience?

Maybe I am missing something, but I don't think Entrust - Identity Guard provides 2-factor authentication. It is more like twice-the-effort (twice-the-trouble) authentication. :)
I am looking for insights from you security professionals into implementing a two factor option that does not require shipping a token. Something similar to http://www.entrust.com/identityguard/index.htm
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.