WebApp Sec mailing list archives
RE: Two-Factor Authentication on the Web
From: "Harper.Matthew" <Matthew.Harper () SunTrust com>
Date: Wed, 28 Jun 2006 13:15:47 -0400
Risk based authentication is the way to go. Many company's offer this. Similar to the way credit card companies monitor transactions for "odd ball" stuff. Matthew -----Original Message----- From: RSD [mailto:rsd () sdf lonestar org] Sent: Wednesday, June 28, 2006 9:31 AM To: webappsec () securityfocus com Subject: Two-Factor Authentication on the Web My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that could be used, such as Tokens/Biometric/Out-of-Band/etc. Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a secret question like 'What is your favorite food?' that is supposed to augment the existing username and password. Here's the problem -- a password is also one considered a shared secret -- so this isn't really two-factor, more like 2 one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow. Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate." Seems to me if an attacker found a password written on a post-it note, they'd find "cookies" as well. Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort of physical device is not an option. My questions: -Is my analysis correct? -Are multiple shared secrets any more secure? -What viable solutions are there? Thanks! [0] http://www.ffiec.gov/pdf/authentication_guidance.pdf -- rsd () sdf lonestar org SDF Public Access UNIX System - http://sdf.lonestar.org ------------------------------------------------------------------------ - Sponsored by: Watchfire As web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ ------------------------------------------------------------------------ -- LEGAL DISCLAIMER The information transmitted is intended solely for the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this email in error please contact the sender and delete the material from any computer. Seeing Beyond Money is a service mark of SunTrust Banks, Inc. [ST:XCL] ------------------------------------------------------------------------- Sponsored by: Watchfire As web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ --------------------------------------------------------------------------
Current thread:
- Two-Factor Authentication on the Web RSD (Jun 28)
- Re: Two-Factor Authentication on the Web Peter Morgan (Jun 28)
- Re: Two-Factor Authentication on the Web Saqib Ali (Jun 28)
- RE: Two-Factor Authentication on the Web Harper.Matthew (Jun 28)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Pete Herzog (Jun 30)
- RE: Two-Factor Authentication on the Web LM (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Nick Owen (Jun 29)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web Christian Kanakis (Jun 30)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web James Pujals (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)