WebApp Sec mailing list archives
RE: Two-Factor Authentication on the Web
From: "Popowycz, Alex" <Alex.Popowycz () fmr com>
Date: Mon, 3 Jul 2006 09:35:25 -0400
In reading this thread, one thing that strikes me is that there is an inconsistent merging of the various aspects of the problem. First, IMHO, we need to recognize that each of us as carbon-based life forms has various identities, not just one. I may have an identity as an employee, a customer, etc. That should remain unique and distinct from the way that I can prove and re-prove that I am the "owner" of a given identity consistently and with an appropriate level of integrity within the context of what I'm trying to do.

So, given this is a two-factor authentication on the web thread, the discussion is really based on increasing the integrity of the authentication as compared to traditional single-factor (e.g. static password) methods. Let's not confuse the notion that I may want to be daffyduck () yahoo com, strongly authenticated (or strongly anonymous as the case may be) vs. Joe Smith, credit card holder.

Having stated that, there is a progression of means to increase the integrity of the reuse and reverification of an established identity. The combination of the two is what provides me the baseline of my security decision. But the answer of which security method is better than another is relative to the purpose for which it's being used.

To respond more specifically to the notion that biometrics "prove" or don't prove who you are, they really only establish a verification to the bound underlying identity in a fairly secure manner (when properly implemented; see legal disclaimer below, your results may vary, not available in every state so the exclusions may not apply to you).

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA () ctc com]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web
"But even when biometric authentication "works", it still does not prove my _identity_, it just proves that I am who *I said* I am, which is another thing entirely;"

Umm... I don't follow. How could your DNA (I would waver on this one since I heard somewhere that twins could have the same DNA), fingerprint, retinal scan, etc., not be unique to you and only you?
I think the idea is that the concept of 'identity' which we are attempting to authenticate is not an inherent characteristic of our bodies, but something that has been officially associated with a given biometric by the issuing authority, e.g. my SSN, Account Name, etc. are not in my DNA.