WebApp Sec mailing list archives

Two-Factor Authentication on the Web


From: RSD <rsd () sdf lonestar org>
Date: Wed, 28 Jun 2006 13:31:08 +0000

My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC 
guidelines[0] regarding two-factor authentication.  Now the guidance describes many different types of factors that 
could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a 
secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.

Here's the problem -- a password is also considered a shared secret -- so this isn't really two-factor, more like 2 
one-factors.  Since the factors have identical characteristics, if one is compromised, the other will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security 
because more than one secret must be known to authenticate."  Seems to me if an attacker found a password written on a 
post-it note, they'd find "cookies" as well.

Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort 
of physical device is not an option. 

My questions:
- Is my analysis correct?
- Are multiple shared secrets any more secure?
- What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

-- 
rsd () sdf lonestar org
SDF Public Access UNIX System - http://sdf.lonestar.org
