WebApp Sec mailing list archives
RE: Two-Factor Authentication on the Web
From: "Christian Kanakis" <chris () zyarc com>
Date: Fri, 30 Jun 2006 17:39:26 +0300
Wouldn’t biometrics be interceptable as data transmission packets and faked when used over a civilian network?

-----Original Message-----
From: Tim [mailto:pand0ra.usa () gmail com]
Sent: Friday, 30 June 2006 9:04 AM
To: Nick Owen
Cc: Harper. Matthew; RSD; webappsec () securityfocus com
Subject: Re: Two-Factor Authentication on the Web

I don't see the credit bureaus jumping on that wagon. Currently there is no risk to them and they are making money hand-over-fist because of ID theft. Since there is no risk, why would they shell out tons of money to come up with a solution for someone else's problem?

I do agree that the initial validation of someone's identity is problematic. The document here is talking about authentication, which is related to the initial validation, and trying to initially validate every user through a definite means is impractical. Since names and social security numbers and other similar concepts are labels that we apply to ourselves, the only way I see that you can accurately validate someone would be through biometrics (something you are). Granted, there can be issues with replay attacks, but it could be used for initial identification. There is no way you can really validate someone's identity without them being there in person (start the flame war). Sure, you can lie when you go in, but the risk of being caught is much higher.

I see one of the problems being that a financial institution has to find a balance that is cost effective and can reasonably validate someone's identity remotely.

Sorry about some of the fragmented sentences, but I have had enough fun for one day.
Seems to me that transaction analysis would be tough to do on a credit application. Where is the history? (I assume your company only does online credit apps.) Any 2FA system might also be problematic: how do you do the initial validation & credentialing? If you can do the initial validation securely, why not use that as the risk mitigation method?

Seems to me this is a good opportunity for a credit bureau to partner with an authentication vendor to offer initial validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
Current thread:
- Two-Factor Authentication on the Web RSD (Jun 28)
- Re: Two-Factor Authentication on the Web Peter Morgan (Jun 28)
- Re: Two-Factor Authentication on the Web Saqib Ali (Jun 28)
- RE: Two-Factor Authentication on the Web Harper.Matthew (Jun 28)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Pete Herzog (Jun 30)
- RE: Two-Factor Authentication on the Web LM (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Nick Owen (Jun 29)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web Christian Kanakis (Jun 30)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web James Pujals (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- <Possible follow-ups>
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 28)
- RE: Two-Factor Authentication on the Web King, Stuart (REHQ-LON) (Jun 29)