WebApp Sec mailing list archives

RE: Two-Factor Authentication on the Web


From: "Popowycz, Alex" <Alex.Popowycz () fmr com>
Date: Mon, 3 Jul 2006 09:35:25 -0400

In reading this thread, one thing that strikes me is that there is an
inconsistent merging of the various aspects of the problem.  First,
IMHO, we need to recognize that each of us as carbon based life forms
have various identities, not just one.  I may have an identity as an
employee, a customer, etc.  That should remain unique and distinct from
the way that I can prove and re-prove that I am the "owner" of a given
identity consistently and with an appropriate level of integrity within
the context of what I'm trying to do.

So, given this is a two-factor authentication on the web thread, the
discussion is really based on increasing the integrity of the
authentication as compared to traditional single factor (e.g. static
password) methods.  Let's not confuse the notion that I may want to be
daffyduck () yahoo com, strongly authenticated (or strongly anonymous as
the case may be) vs. Joe Smith, credit card holder.

Having stated that, there is a progression of means to increase the
integrity of the reuse and reverification of an established identity.
The combination of the two is what provides me the baseline of my
security decision.  But the answers of which security method is better
than another is relative for the purpose in which it's being used.  To
respond more specifically to the notion that biometrics "prove" or don't
prove who you are, they really only establish a verification to the
bound underlying identity in a fairly secure manner (when properly
implemented; see legal disclaimer below, your results may vary, not
available in every state so the exclusions may not apply to you).

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA () ctc com]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web

"But even when biometric authentication "works", it still does
not prove my _identity_, it just proves that I am who *I said*
I am, which is another thing entirely;"

Umm... I don't follow. How could your DNA (I would waver on
this one since I heard somewhere that twins could have the
same DNA), fingerprint, retinal scan, etc, not be unique to
you and only you?

I think the idea is that the concept of 'identity' which we are
attempting to authenticate is not an inherent characteristic of our
bodies, but something that has been officially associated with a given
biometric by the issuing authority, e.g. my SSN, Account Name, etc. are
not in my DNA.

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
-------------------------------------------------------------------------