Multiple shared secrets are not any more secure. Infact they
inconveneince the user.
If you don't want to distribute hardware tokens, take a look at
https://www.entrust.com/eval/demoguard/ Identity Guard by entrust
or Software Tokens by RSA
The Identity Guard is a real 2-factor authentication solution, but
instead of a hardware token it uses a paper card with numbers on it.
Each banking customer will have a unique card. However, unlike the
hardware token, the attacker can xerox the identity guard, without the
knowledge of the user. But this is still far better solution then
using "2 shared secret" scheme.
Software Tokens by RSA merely protect against password replay attacks.
-
Saqib Ali, CISSP, ISSAP
Support
http://www.capital-punishment.net-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ--------------------------------------------------------------------------
