WebApp Sec mailing list archives

RE: Entrust - Identity Guard - Any experience?


From: "ken kousky" <kkousky () ip3inc com>
Date: Sat, 20 Aug 2005 16:51:52 -0400

Guess you don't understand what Identity Guard does. It IS a second factor.
It's something you have. You use it with a password that, in a valid
security environment, is still, something you know.

If you have a strong password policy you've probably made the password
something you have since your policy assures that it's NOT something you
know. That's why it's the weakest and costliest element of our worst
security environments.

Passwords have been so disastrously implemented by security managers who
close their eyes to the "naked emperor" that even leading industry gurus,
including MS folk, suggest that a password is something you HAVE because you
have to write it down to know it if you follow an idiotic strong password
model. The Post-it-notes have finally won!

With Entrust, you use a simple password that is truly something you KNOW and
the Identity Guard provides a testable but low cost check for something you
have - doesn't require a card reader or scanner either.
 
Any IT Security pro that supports strong passwords owes it to their
organization to look at intelligent alternatives to the naked emperor
syndrome.

See IP3's "Strong Passwords are an Oxymoron" - first drafted in '01 to get a
better understanding but kill your strong passwords. Even DHS Presidential
Directive 12 implies the need for intelligent multi-factor solutions
throughout the Federal government. A cheap solution for industry is long
overdue. If you have more money to spend there are even better options.
  
KWK
IP3 
Strategies to Reality


-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Friday, August 19, 2005 2:27 PM
To: Dwayne Taylor
Cc: SB; webappsec () securityfocus org
Subject: Re: Entrust - Identity Guard - Any experience?

Maybe I am missing something, but I don't think Entrust - Identity
Guard provides 2-factor authentication.

It is a more like twice-the-effort (twice-the-trouble) authentication. :)


I am looking for insights from you security professionals into
implementing a two factor option that does not require shipping a
token. Something similar to
http://www.entrust.com/identityguard/index.htm

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.

