WebApp Sec mailing list archives

Re: Entrust - Identity Guard - Any experience?


From: Ralf Durkee <rd () rd1 net>
Date: Fri, 19 Aug 2005 20:38:56 -0400


Mary Ann Burns wrote:
> two-factor authentication is (1) something physical (USB key) with
> (2) something you know (pin). There is no such thing as 2-Factor
> authentication without a physical device.

I would like to wholeheartedly agree that 2-factor authentication *should be* something you have, something unique to the individual, and something difficult to duplicate. However, I've found that in most situations other "security professionals" are classifying the following as 2nd-factor authentication (when combined with a password):

1. Electronic certificates: X.509, SSL client certificates, SSH keys, PGP keys, whatever.
2. Software versions of RSA SecurID, other software-generated tokens or one-time passwords.

My own opinion is that these are certainly better than 1 factor, but higher risk than the have-it-in-your-hand 2-factor authentication. Maybe they should be called 1.5 factor! However, I have generally found myself in the minority. What do people think?

-- Ralf Durkee, CISSP, GSEC, GCIH
http://rd1.net

