WebApp Sec mailing list archives

RE: Entrust - Identity Guard - Any experience?


From: "Dwayne Taylor" <DTaylor () rdacorp com>
Date: Fri, 19 Aug 2005 13:05:53 -0400

The product link below shows something that focuses more on using a combination of direct authentication and
challenge/response rather than two-factor authentication. True two-factor authentication based both on what a user
knows and what a user has (such as an X.509 cert/private key or device that produces one-time passwords) "black boxes"
the "what a user has" element, so that the user requires the device to satisfy the requirement of something they have
for the second authentication factor. This product's form of "what a user has" is risky because the
challenge/response values can be easily obtained and used by an attacker without actually possessing the object
required to satisfy the requirement. Understandably, it looks like this company is trying to get into the market niche
of those who want something stronger than username/password but something more cost-effective than the smartcard/key
fob type solutions that require more $$$$.
 
My $.02

________________________________

From: SB [mailto:vidyabalaji () gmail com]
Sent: Fri 2005-08-19 08:21
To: webappsec () securityfocus org
Subject: Entrust - Identity Guard - Any experience?



Hi!

I am looking for insights from you security professionals into
implementing a two factor option that does not require shipping a
token. Something similar to
http://www.entrust.com/identityguard/index.htm

Has anyone had experience with this? Any known security issues with
this approach? This will be in addition to the person's user name and
password.

Thanks very much for your help.

Sri Balaji.


