WebApp Sec mailing list archives

Re: Two-Factor Authentication on the Web

From: Nick Owen <nowen () wikidsystems com>
Date: Thu, 29 Jun 2006 08:35:54 -0400

Harper.Matthew wrote:

Risk based authentication is the way to go.  Many company's offer this.
Similar to the way credit card companies monitor transactions for "odd
ball" stuff. 

Matthew 

-----Original Message-----
From: RSD [mailto:rsd () sdf lonestar org] 
Sent: Wednesday, June 28, 2006 9:31 AM
To: webappsec () securityfocus com
Subject: Two-Factor Authentication on the Web

My company does online loan applications. Various agencies and customers
have demanded we comply with FFIEC guidelines[0] regarding two-factor
authentication.  Now the guidance describes many different types of
factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.


Seems to me that transaction analysis would be tough to do on a credit
application.  Where is the history? (I assume your company only does
online credit apps.) Any 2FA system might also be problematic: how do
you do the initial validation & credentialing?  If you can do the
initial validation securely, why not use that as the risk mitigation
method? Seems to me this is a good opportunity for a credit bureau to
partner with an authentication vendor to offer initial
validation/credentialing and 2FA.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of 
sensitive data - personal, medical and financial - are exchanged, and 
stored. Consumers expect and demand security for this information. This 
whitepaper examines a few vulnerability detection methods - specifically 
comparing and contrasting manual penetration testing with automated 
scanning tools. Download "Automated Scanning or Manual Penetration 
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

Current thread:

Two-Factor Authentication on the Web RSD (Jun 28)
- Re: Two-Factor Authentication on the Web Peter Morgan (Jun 28)
- Re: Two-Factor Authentication on the Web Saqib Ali (Jun 28)
- RE: Two-Factor Authentication on the Web Harper.Matthew (Jun 28)
  - Re: Two-Factor Authentication on the Web Tim (Jun 29)
    - Re: Two-Factor Authentication on the Web Pete Herzog (Jun 30)
    - RE: Two-Factor Authentication on the Web LM (Jun 30)
  - Re: Two-Factor Authentication on the Web Nick Owen (Jun 29)
    - Re: Two-Factor Authentication on the Web Tim (Jun 30)
    - RE: Two-Factor Authentication on the Web Christian Kanakis (Jun 30)
    - Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 30)
    - Re: Two-Factor Authentication on the Web Tim (Jun 30)
    - RE: Two-Factor Authentication on the Web James Pujals (Jun 30)
    - Re: Two-Factor Authentication on the Web Tim (Jun 30)
- <Possible follow-ups>
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 28)
- RE: Two-Factor Authentication on the Web King, Stuart (REHQ-LON) (Jun 29)