
Two-Factor Authentication on the Web

by RSD-2

My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC
guidelines[0] regarding two-factor authentication.  Now the guidance describes many different types of factors that
could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a
secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.

Here's the problem -- a password is also considered a shared secret -- so this isn't really two-factor, more like 2
one-factors.  Since the factors have identical characteristics, if one is compromised, the other will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security
because more than one secret must be known to authenticate."  Seems to me if an attacker found a password written on a
post-it note, they'd find "cookies" as well.

Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort
of physical device is not an option.

My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

--
rsd@...
SDF Public Access UNIX System - http://sdf.lonestar.org
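The poster's argument can be checked mechanically: a scheme is multi-factor only if it spans different factor classes, and two methods that share the same compromise channels fall together. The following is an added example (not from the original post or the FFIEC guidance); the methods, factor labels and the compromise channels assigned to each method are a constructed, illustrative threat model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Factor classes named in the FFIEC guidance the post cites:
# something you know, something you have, something you are.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Method:
    name: str
    factor: str
    # Channels that defeat this method on their own (constructed threat model).
    defeated_by: FrozenSet[str]


# Constructed sample methods; the channel sets are assumptions for illustration.
PASSWORD = Method("password", KNOWLEDGE,
                  frozenset({"written note found", "secret phished", "secret observed at entry"}))
SECRET_QUESTION = Method("secret question", KNOWLEDGE,
                         frozenset({"written note found", "secret phished",
                                    "secret observed at entry", "answer guessed from public info"}))
OOB_PHONE_CODE = Method("out-of-band phone code", POSSESSION, frozenset({"phone stolen"}))


def distinct_factors(scheme: List[Method]) -> set:
    """Factor classes the scheme actually spans."""
    return {m.factor for m in scheme}


def is_multifactor(scheme: List[Method]) -> bool:
    """True only if at least two *different* factor classes are required."""
    return len(distinct_factors(scheme)) >= 2


def single_channel_breaks(scheme: List[Method]) -> List[str]:
    """Channels that, alone, defeat every method in the scheme.

    A non-empty result is the post's 'if one is compromised, the other will
    surely follow' case: the required secrets share their failure modes.
    """
    common = set.intersection(*(set(m.defeated_by) for m in scheme))
    return sorted(common)


def assess(scheme: List[Method]) -> dict:
    """Summarise factor coverage and shared single points of failure."""
    return {"factors": sorted(distinct_factors(scheme)),
            "multifactor": is_multifactor(scheme),
            "single_points_of_failure": single_channel_breaks(scheme)}
```

Running `assess([PASSWORD, SECRET_QUESTION])` reports a single factor class and three channels that defeat both secrets at once, whereas `assess([PASSWORD, OOB_PHONE_CODE])` reports two classes and no shared channel.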
