« Return to Thread: Two-Factor Authentication on the Web
Re: Two-Factor Authentication on the Web
by Peter Morgan-3
::
Rate this Message:
I find your analysis to be correct. Multiple shared secrets seems
marginally more secure than a single shared secret. You are correct
in identifying this solution as "not two-factor" as two-factor is by
definition something you have, and something you know. Ie: token and
password/passphrase.
The viable solutions I can think of off the top of my head are:
smart cards
tokens
a type of PKI using digital certs
Since smart cards would require the user to have a smartcard reader,
that is likely not an option. Tokens are pretty popular and they're a
great way of doing two-factor, also not as expensive as you might
imagine. There are lots of articles on why PKI isn't as great as
everyone chalks it up to be, but nevertheless if you can find a
product that works well for you, you can sign a cert and give it to
your clients, and they will be able to authenticate based on
"something they have, and something they know" (digital
cert/password).
I do not know names of PKI products off the top of my head
unfortunately as we deal mostly with token-based two-factor.
Hope this helps,
Pete
--
Peter J. Morgan
Information Security Analyst
Exceed Security
Appleton, Wisconsin
On 6/28/06, RSD <rsd@...> wrote:
> My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC
> guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that
> could be used, such as Tokens/Biometric/Out-of-Band/etc.
>
> Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a
> secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.
>
> Here's the problem -- a password is also one considered a shared secret -- so this isn't really two-factor, more like 2
> one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow.
>
> Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security
> because more than one secret must be known to authenticate." Seems to me if an attacker found a password written on a
> post-it note, they'd find "cookies" as well.
>
> Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort
> of physical device is not an option.
>
> My questions:
> -Is my analysis correct?
> -Are multiple shared secrets any more secure?
> -What viable solutions are there?
> Thanks!
>
> [0] http://www.ffiec.gov/pdf/authentication_guidance.pdf
>
> --
> rsd@...
> SDF Public Access UNIX System - http://sdf.lonestar.org
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> As web applications become increasingly complex, tremendous amounts of
> sensitive data - personal, medical and financial - are exchanged, and
> stored. Consumers expect and demand security for this information. This
> whitepaper examines a few vulnerability detection methods - specifically
> comparing and contrasting manual penetration testing with automated
> scanning tools. Download "Automated Scanning or Manual Penetration
> Testing?" today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
> --------------------------------------------------------------------------
>
>
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
marginally more secure than a single shared secret. You are correct
in identifying this solution as "not two-factor" as two-factor is by
definition something you have, and something you know. Ie: token and
password/passphrase.
The viable solutions I can think of off the top of my head are:
smart cards
tokens
a type of PKI using digital certs
Since smart cards would require the user to have a smartcard reader,
that is likely not an option. Tokens are pretty popular and they're a
great way of doing two-factor, also not as expensive as you might
imagine. There are lots of articles on why PKI isn't as great as
everyone chalks it up to be, but nevertheless if you can find a
product that works well for you, you can sign a cert and give it to
your clients, and they will be able to authenticate based on
"something they have, and something they know" (digital
cert/password).
I do not know names of PKI products off the top of my head
unfortunately as we deal mostly with token-based two-factor.
Hope this helps,
Pete
--
Peter J. Morgan
Information Security Analyst
Exceed Security
Appleton, Wisconsin
On 6/28/06, RSD <rsd@...> wrote:
> My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC
> guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that
> could be used, such as Tokens/Biometric/Out-of-Band/etc.
>
> Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a
> secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.
>
> Here's the problem -- a password is also one considered a shared secret -- so this isn't really two-factor, more like 2
> one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow.
>
> Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security
> because more than one secret must be known to authenticate." Seems to me if an attacker found a password written on a
> post-it note, they'd find "cookies" as well.
>
> Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort
> of physical device is not an option.
>
> My questions:
> -Is my analysis correct?
> -Are multiple shared secrets any more secure?
> -What viable solutions are there?
> Thanks!
>
> [0] http://www.ffiec.gov/pdf/authentication_guidance.pdf
>
> --
> rsd@...
> SDF Public Access UNIX System - http://sdf.lonestar.org
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> As web applications become increasingly complex, tremendous amounts of
> sensitive data - personal, medical and financial - are exchanged, and
> stored. Consumers expect and demand security for this information. This
> whitepaper examines a few vulnerability detection methods - specifically
> comparing and contrasting manual penetration testing with automated
> scanning tools. Download "Automated Scanning or Manual Penetration
> Testing?" today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
> --------------------------------------------------------------------------
>
>
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
« Return to Thread: Two-Factor Authentication on the Web
| Free embeddable forum powered by Nabble | Forum Help |
