WebApp Sec mailing list archives
Re: Two-Factor Authentication on the Web
From: Nick Owen <nowen () wikidsystems com>
Date: Thu, 29 Jun 2006 08:35:54 -0400
Harper.Matthew wrote:
Risk based authentication is the way to go. Many companies offer this. Similar to the way credit card companies monitor transactions for "odd ball" stuff.

Matthew

-----Original Message-----
From: RSD [mailto:rsd () sdf lonestar org]
Sent: Wednesday, June 28, 2006 9:31 AM
To: webappsec () securityfocus com
Subject: Two-Factor Authentication on the Web

My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.

Seems to me that transaction analysis would be tough to do on a credit application. Where is the history? (I assume your company only does online credit apps.) Any 2FA system might also be problematic: how do you do the initial validation & credentialing? If you can do the initial validation securely, why not use that as the risk mitigation method?

Seems to me this is a good opportunity for a credit bureau to partner with an authentication vendor to offer initial validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen