Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Strong Authentication

From: "Mark Dy-Ragos" <bragot () gmail com>
Date: Tue, 13 May 2008 10:16:42 -0700
Dear All,

On most of the references I've read, strong authentication is defined
as having 2 or more of the following:

Something you know
Something you have
Something you are (or do)

However, after reading some vendor websites, I'm a little more
confused as to the exact interpretation of this.

For example, Comodo touts their digital signature solution as a form
of 2 factor authentication [1]

=================
Comodo Two Factor Authentication Solution

1) Client Digital Certificates to authenticate the user to the bank
(Part 1 of the two factor authentication)
2) Content Verification Certificates (CVC) to authenticate the FI
website to the user (Part 2 of the two factor authentication)
=================

However, to me, this doesn't seem to fit 2 out of the 3 criteria
listed above.  To be honest, I'm not sure which category a digital
signature would fall under.

Can anyone share their feedback on this?  A different vendor that we
plan on using is telling us that through the use of digital
signatures, we will be implementing strong authentication, but I'm not
too clear on how this accomplishes it.

Thanks,
Mark

[1] http://www.comodo.com/banking/twofactor.html

"Level 3- Level 3 provides multi-factor remote network authentication.
At this level, identity proofing procedures require verification of
identifying materials and information. Level 3 authentication is based
on proof of possession of a key or a one-time password through a
cryptographic protocol. Level 3 authentication requires cryptographic
strength mechanisms that protect the primary authentication token
(secret key, private key or one-time password) against compromise by
the protocol threats including: eavesdropper, replay, on-line
guessing, verifier impersonation and man-in-the-middle attacks. A
minimum of two authentication factors is required. Three kinds of
tokens may be used: "soft" cryptographic tokens, "hard" cryptographic
tokens and "one-time password" device tokens."
[2] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Previous By Date Next
Previous By Thread Next

Current thread: