WebApp Sec mailing list archives

Re: Cookies as the second factor


From: Nick Owen <nowen () wikidsystems com>
Date: Tue, 18 Jul 2006 11:00:28 -0400

Jeff Robertson wrote:
> It seems like it's been mentioned on here before, that a number of "two
> factor" or "multi factor" authentication schemes actually use a cookie
> as the second factor.
>
> Anyone here have specific experience with such solutions, or opinions
> about how much security they add to a system?

Cookies rely on DNS, which is weak.  Not saying you shouldn't do them as
part of a number of risk management techniques, but that is just because
they are so easy to do, just like grabbing the IP address, but it
doesn't really add to security.

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
