Security Basics mailing list archives

RE: Strong Authentication


From: "Jason Mafera" <jmafera () IMPRIVATA com>
Date: Tue, 13 May 2008 14:34:37 -0400

This is mutual authentication, not multi factor.  In this scenario you
auth to the bank with the certificate, and the bank proves it is who
you expect with its certificate.  Very similar to Sitekey technology
(RSA, formerly Cyota and Passmark) where the bank will post back a
picture that you had selected during enrollment to prove you are at the
correct website.

For this to be a multi factor authentication, the private key of the
certificate would need to be protected (ideally on a smartcard) with a
user pin that is needed to decrypt the key before passing it for
authentication.

-Jason

Jason Mafera, CISSP

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Mark Dy-Ragos
Sent: Tuesday, May 13, 2008 1:17 PM
To: security-basics () securityfocus com
Subject: Strong Authentication

Dear All,

On most of the references I've read, strong authentication is defined
as having 2 or more of the following:

Something you know
Something you have
Something you are (or do)

However, after reading some vendor websites, I'm a little more
confused as to the exact interpretation of this.

For example, Comodo touts their digital signature solution as a form
of 2 factor authentication [1]

=================
Comodo Two Factor Authentication Solution

1) Client Digital Certificates to authenticate the user to the bank
(Part 1 of the two factor authentication)
2) Content Verification Certificates (CVC) to authenticate the FI
website to the user (Part 2 of the two factor authentication)
=================

However, to me, this doesn't seem to fit 2 out of the 3 criteria
listed above.  To be honest, I'm not sure which category a digital
signature would fall under.

Can anyone share their feedback on this?  A different vendor that we
plan on using is telling us that through the use of digital
signatures, we will be implementing strong authentication, but I'm not
too clear on how this accomplishes it.

Thanks,
Mark

[1] http://www.comodo.com/banking/twofactor.html

"Level 3- Level 3 provides multi-factor remote network authentication.
At this level, identity proofing procedures require verification of
identifying materials and information. Level 3 authentication is based
on proof of possession of a key or a one-time password through a
cryptographic protocol. Level 3 authentication requires cryptographic
strength mechanisms that protect the primary authentication token
(secret key, private key or one-time password) against compromise by
the protocol threats including: eavesdropper, replay, on-line
guessing, verifier impersonation and man-in-the-middle attacks. A
minimum of two authentication factors is required. Three kinds of
tokens may be used: "soft" cryptographic tokens, "hard" cryptographic
tokens and "one-time password" device tokens."
[2] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
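As an added illustration (not part of either poster's message), the distinction drawn above, modelled in standard-library Python: the wrapped key blob is "something you have", the PIN that releases it is "something you know", and the bank's fresh nonce is what the NIST text calls protection against replay. HMAC-SHA256 stands in for the certificate's RSA/ECDSA signature so it runs without extra packages, which means the bank's verifier is a key copy rather than a public key, and the PBKDF2 + XOR + tag wrapping is a constructed stand-in for a smartcard or PKCS#12 container, not a real format.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed value; tune for real deployments


def enroll(pin: str) -> tuple[bytes, bytes]:
    """Issue a 32-byte signing key; return (bank_verifier, wrapped_blob)."""
    key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)                       # fresh per enrollment
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 64)
    enc = bytes(a ^ b for a, b in zip(key, kek[:32]))    # pad-style wrap, salt never reused
    tag = hmac.new(kek[32:], salt + enc, "sha256").digest()  # lets a wrong PIN be detected
    return key, salt + enc + tag


def unlock(blob: bytes, pin: str) -> bytes:
    """Release the key only if the PIN is right; blob alone signs nothing."""
    salt, enc, tag = blob[:16], blob[16:48], blob[48:]
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 64)
    expected = hmac.new(kek[32:], salt + enc, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong PIN: key not released")
    return bytes(a ^ b for a, b in zip(enc, kek[:32]))


def sign_challenge(blob: bytes, pin: str, nonce: bytes) -> bytes:
    """Client side: needs both factors (have the blob, know the PIN)."""
    return hmac.new(unlock(blob, pin), nonce, "sha256").digest()


def bank_verifies(verifier: bytes, nonce: bytes, response: bytes) -> bool:
    """Bank side: response must match the nonce the bank actually issued."""
    return hmac.compare_digest(hmac.new(verifier, nonce, "sha256").digest(), response)


def demo() -> dict:
    """Three cases: both factors, stolen blob without PIN, replayed response."""
    verifier, blob = enroll("4921")                      # constructed PIN
    nonce = secrets.token_bytes(16)                      # bank's fresh challenge
    response = sign_challenge(blob, "4921", nonce)
    try:
        sign_challenge(blob, "0000", nonce)              # possession only
        blob_alone = True
    except PermissionError:
        blob_alone = False
    replayed = bank_verifies(verifier, secrets.token_bytes(16), response)
    return {"both_factors": bank_verifies(verifier, nonce, response),
            "blob_alone": blob_alone, "replay": replayed}
```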

