WebApp Sec mailing list archives

Re: Two-Factor Authentication on the Web


From: Tim <pand0ra.usa () gmail com>
Date: Fri, 30 Jun 2006 00:03:36 -0600

I don't see the credit bureaus jumping on that wagon. Currently there
is no risk to them and they are making money hand-over-fist because of
ID theft. Since there is no risk, why would they shell out tons of
money to come up with a solution for someone else's problem?

I do agree that the initial validation of someone's identity is
problematic. The document here is talking about authentication, which
is related to the initial validation, and trying to initially validate
every user through a definite means is impractical. Since names and
social security numbers and other similar concepts are labels that we
apply to ourselves, the only way I see that you can accurately validate
someone would be through biometrics (something you are). Granted,
there can be issues with replay attacks, but it could be used for
initial identification. There is no way you can really validate
someone's identity without them being there in person (start the flame
war). Sure, you can lie when you go in, but the risk of being caught is
much higher. I see one of the problems being that a financial
institution has to find a balance that is cost effective and can
reasonably validate someone's identity remotely. Sorry about some of
the fragmented sentences, but I have had enough fun for one day.



Seems to me that transaction analysis would be tough to do on a credit
application.  Where is the history? (I assume your company only does
online credit apps.) Any 2FA system might also be problematic: how do
you do the initial validation & credentialing?  If you can do the
initial validation securely, why not use that as the risk mitigation
method? Seems to me this is a good opportunity for a credit bureau to
partner with an authentication vendor to offer initial
validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
