RE: Two-Factor Authentication on the Web

["Harper.Matthew" <Matthew.Harper () SunTrust com>]

Risk based authentication is the way to go.  Many company's offer this.
Similar to the way credit card companies monitor transactions for "odd
ball" stuff. 

Matthew 

-----Original Message-----
From: RSD [mailto:rsd () sdf lonestar org] 
Sent: Wednesday, June 28, 2006 9:31 AM
To: webappsec () securityfocus com
Subject: Two-Factor Authentication on the Web

My company does online loan applications. Various agencies and customers
have demanded we comply with FFIEC guidelines[0] regarding two-factor
authentication.  Now the guidance describes many different types of
factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen
the 'shared secret' as a second factor. It's a secret question like
'What is your favorite food?' that is supposed to augment the existing
username and password.

Here's the problem -- a password is also one considered a shared secret
-- so this isn't really two-factor, more like 2 one-factors.  Since the
factors have identical characteristics, if one is compromised, the other
will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple
shared secrets also provides increased security because more than one
secret must be known to authenticate."  Seems to me if an attacker found
a password written on a post-it note, they'd  find "cookies" as well. 

Now I can see why this route was chosen -- most of the other factors
require some hardware -- and distributing any sort of physical device is
not an option. 

My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

--
rsd () sdf lonestar org
SDF Public Access UNIX System - http://sdf.lonestar.org

------------------------------------------------------------------------
-
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
------------------------------------------------------------------------
-- 
  
  
  
LEGAL DISCLAIMER 
The information transmitted is intended solely for the individual or entity to which it is addressed and may contain 
confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking action in 
reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have 
received this email in error please contact the sender and delete the material from any computer. 
  
Seeing Beyond Money is a service mark of SunTrust Banks, Inc. 
[ST:XCL] 
 
 
 
 

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------