WebApp Sec mailing list archives
Re: Two-Factor Authentication on the Web
From: Tim <pand0ra.usa () gmail com>
Date: Wed, 28 Jun 2006 23:41:15 -0600
Risk Based Authentication is a good idea as it goes back to 'why spend more on security controls than the value of the data'. I got to check out Ira Winkler's speech the other week and he made an interesting comment in that money for security, most of the time, comes out of the IT budget. The problem with that is the cost of securing the data may cost more than what the IT budget can afford. If you are responsible for securing data that could cost tens or hundreds of billions, why would you only use 5% of the IT budget to protect that investment?

That said, with all of the risks of personal information being stolen these days it is not unreasonable to demand two-factor authentication for banking web apps. Here is an excerpt from the FFIEC document (keep in mind this whole document is for AUTHENTICATION):

Authentication Guidance (2001)
Summary of Key Points

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
This was appended not too long ago by the following document, which is what is stirring up the banking community (in the US):

FIL-103-2005
http://www.fdic.gov/news/news/financial/2005/fil10305.html

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

Highlights:
* Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
* Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
* The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
* Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
* Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.
Here is what I don't get: "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." What other controls, other than multifactor authentication, can mitigate that risk?

On 6/28/06, Harper.Matthew <Matthew.Harper () suntrust com> wrote:
> Risk based authentication is the way to go. Many companies offer this. Similar to the way credit card companies monitor transactions for "odd ball" stuff.
>
> Matthew
>
> -----Original Message-----
> From: RSD [mailto:rsd () sdf lonestar org]
> Sent: Wednesday, June 28, 2006 9:31 AM
> To: webappsec () securityfocus com
> Subject: Two-Factor Authentication on the Web
>
> > My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.
> >
> > Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.
> >
> > Here's the problem -- a password is also considered a shared secret -- so this isn't really two-factor, more like 2 one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow. Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate." Seems to me if an attacker found a password written on a post-it note, they'd find "cookies" as well.
> >
> > Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort of physical device is not an option.
> >
> > My questions:
> > -Is my analysis correct?
> > -Are multiple shared secrets any more secure?
> > -What viable solutions are there?
> >
> > Thanks!
> > [0] http://www.ffiec.gov/pdf/authentication_guidance.pdf
> >
> > --
> > rsd () sdf lonestar org
> > SDF Public Access UNIX System - http://sdf.lonestar.org
--
Tim Van Cleave, CISSP, NSA IAM, CXE
AIM - pand0rausa
MSN - m0rt15
Yahoo - pand0ra_usa
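The thread raises two points that are easy to conflate: RSD's observation that a password plus a secret question are two instances of the same factor type, and Matthew's suggestion that risk-based authentication can decide when a stronger challenge is warranted. The following Python is an added illustration written for this archive page; it is not code from any of the posters, and the factor categories, risk weights and thresholds are constructed assumptions for demonstration, not values from the FFIEC guidance.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class FactorType(Enum):
    """The three classic factor categories; factors of one category count together."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType


def distinct_factor_types(factors: Iterable[Factor]) -> int:
    """Password + secret question are both KNOWLEDGE, so they count as one type."""
    return len({f.kind for f in factors})


@dataclass(frozen=True)
class LoginContext:
    known_device: bool               # device cookie/fingerprint previously seen for this customer
    usual_country: bool              # source IP geolocates to the customer's usual country
    moves_funds_to_third_party: bool  # the FFIEC "movement of funds to other parties" case
    amount: float                    # transaction amount in account currency
    failed_attempts_last_hour: int   # recent failed logins against this account


# Constructed, illustrative weights (assumption); a real deployment tunes these from fraud data.
def risk_score(ctx: LoginContext) -> int:
    score = 0
    if not ctx.known_device:
        score += 30
    if not ctx.usual_country:
        score += 30
    if ctx.moves_funds_to_third_party:
        score += 25
    if ctx.amount >= 1000:
        score += 15
    score += min(ctx.failed_attempts_last_hour, 5) * 5
    return score


STEP_UP_THRESHOLD = 40   # at or above this score, require a second factor *type* (assumed value)
LOCKOUT_ATTEMPTS = 5     # this many recent failures: refuse the attempt and raise an alert


def decide(ctx: LoginContext, presented: Iterable[Factor]) -> Tuple[str, int]:
    """Return (decision, score) where decision is 'allow', 'step_up' or 'deny'."""
    presented = list(presented)
    score = risk_score(ctx)
    if ctx.failed_attempts_last_hour >= LOCKOUT_ATTEMPTS:
        return "deny", score
    if score < STEP_UP_THRESHOLD:
        return "allow", score       # low risk: a single factor is acceptable here
    if distinct_factor_types(presented) >= 2:
        return "allow", score       # high risk, but genuinely multi-factor
    return "step_up", score         # high risk and only one factor type: challenge with another


# Constructed factors and scenarios used below.
PASSWORD = Factor("password", FactorType.KNOWLEDGE)
SECRET_QUESTION = Factor("favorite food", FactorType.KNOWLEDGE)
OTP_TOKEN = Factor("hardware OTP token", FactorType.POSSESSION)

ROUTINE = LoginContext(True, True, False, 50.0, 0)                  # score 0
NEW_DEVICE_ABROAD_TRANSFER = LoginContext(False, False, True, 2500.0, 0)  # score 100
BRUTE_FORCE = LoginContext(False, True, False, 0.0, 7)              # score 55, locked out

if __name__ == "__main__":
    for label, ctx, factors in [
        ("routine login, password only", ROUTINE, [PASSWORD]),
        ("risky transfer, two shared secrets", NEW_DEVICE_ABROAD_TRANSFER, [PASSWORD, SECRET_QUESTION]),
        ("risky transfer, password + token", NEW_DEVICE_ABROAD_TRANSFER, [PASSWORD, OTP_TOKEN]),
        ("brute force in progress", BRUTE_FORCE, [PASSWORD, OTP_TOKEN]),
    ]:
        decision, score = decide(ctx, factors)
        print(f"{label}: score={score} -> {decision}")
```

The second scenario is the one RSD describes: with a new device, a foreign source address and a transfer to a third party, the risk engine asks for a second factor, and the password-plus-secret-question pair does not satisfy it because both are knowledge factors. The same context with a possession factor passes. The routine scenario shows the other half of Matthew's point: most logins carry low risk and do not need the extra challenge at all.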