
Re: Two-Factor Authentication on the Web

by nowen

Harper.Matthew wrote:

> Risk-based authentication is the way to go.  Many companies offer this.
> Similar to the way credit card companies monitor transactions for "odd
> ball" stuff.
>
> Matthew
>
> -----Original Message-----
> From: RSD [mailto:rsd@...]
> Sent: Wednesday, June 28, 2006 9:31 AM
> To: webappsec@...
> Subject: Two-Factor Authentication on the Web
>
> My company does online loan applications. Various agencies and customers
> have demanded we comply with FFIEC guidelines[0] regarding two-factor
> authentication.  Now the guidance describes many different types of
> factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.

Seems to me that transaction analysis would be tough to do on a credit
application.  Where is the history? (I assume your company only does
online credit apps.) Any 2FA system might also be problematic: how do
you do the initial validation & credentialing?  If you can do the
initial validation securely, why not use that as the risk mitigation
method? Seems to me this is a good opportunity for a credit bureau to
partner with an authentication vendor to offer initial
validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
