WebApp Sec mailing list archives
RE: Entrust - Identity Guard - Any experience?
From: "ken kousky" <kkousky () ip3inc com>
Date: Sun, 21 Aug 2005 20:15:56 -0400
I agree completely with the shortcoming but I would suggest that it is far less serve a threat than strong passwords which are not something you can possibly know so they have to be something you have yet lack appropriate awareness or management. I believe that an ID card you manage, knowing it's a security factor, such as ID Guard, along with something you know - a simple password, would be a dramatic improvement over the plague of strong passwords afflicting most systems today ....and it is cost effective in many situations. Stronger tokens might be stronger security but one has to test to know if stronger security is an economically desired state. My issue is still that far too many security professionals tolerating strong passwords when they are the number one source of denial of service by creating false positives on legitimate users. There are cheaper and more powerful solutions. KWK -----Original Message----- From: Saqib Ali [mailto:docbook.xml () gmail com] Sent: Sunday, August 21, 2005 10:49 AM To: Lyal Collins Cc: Mary Ann Burns; Dwayne Taylor; SB; webappsec () securityfocus org Subject: Re: Entrust - Identity Guard - Any experience?
Two-factor means, to many of us, that there is something in addition to something-you-know. A hardware token, a printed OTP list, biometric, or a secured terminal with unique identifying keys/tools.
The problem with a Printed List of OTPs and Entrust Identity Guard is that they give false sense of security in case they are stolen and duplicated. Someone can easily duplicate these without the knowledge of the owner. And the owner still thinks that he/she is the sole owner of Entrust Identity Guard. Whereas a hardware token (e.g. RSA SecureID) is a lot harder to duplicate. It might be easy to steal a hardware token, but NOT without the knowledge of the owner. Once the owner find out that the hardware token is stolen, he/she can get it de-activated. -- In Peace, Saqib Ali http://www.xml-dev.com/blog/ Consensus is good, but informed dictatorship is better.
Current thread:
- RE: Entrust - Identity Guard - Any experience?, (continued)
- RE: Entrust - Identity Guard - Any experience? Dwayne Taylor (Aug 19)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 19)
- RE: Entrust - Identity Guard - Any experience? ken kousky (Aug 20)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Ellis, Steven (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Rishi Pande (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Mary Ann Burns (Aug 19)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 19)
- Re: Entrust - Identity Guard - Any experience? Ralf Durkee (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Lyal Collins (Aug 20)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 21)
- RE: Entrust - Identity Guard - Any experience? ken kousky (Aug 21)
- Re: Entrust - Identity Guard - Any experience? Ned Fleming (Aug 22)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 23)
- RE: Entrust - Identity Guard - Any experience? Dwayne Taylor (Aug 19)