I beg to differ slightly.
Two-factor means, to many of us, that there is something in addition to
something-you-know. A hardware token, a printed OTP list, biometric, or a
secured terminal with unique identifying keys/tools.
Digital certs only act as a two-factor tool in the case of 'secured
terminal' models, in all other cases the digitial signature is a remotely
generated flag that a password was verfied at once. Even digital-certs and
smartcards fall into the remote password verification category in many
implementations.
Lyal
-----Original Message-----
From: Mary Ann Burns [mailto:maburns@safenet-inc.com]
Sent: Saturday, 20 August 2005 8:10 AM
To: Saqib Ali; Dwayne Taylor
Cc: SB; webappsec@securityfocus.org
Subject: RE: Entrust - Identity Guard - Any experience?
two-factor authentication is (1) something physical (USB key) with
(2)something you know (pin) There is no such thing as 2-Factor
authentication without a physical device. Plus a USB key is easy to use and
deploy and it works vs trying a cheap short ends up being twice the trouble
because it takes twice the effort since it can take allot of time, wastes
allot of money and does not work in the end. Know what I mean.......
-----Original Message-----
From: Saqib Ali [mailto:docbook.xml@gmail.com]
Sent: Friday, August 19, 2005 11:27 AM
To: Dwayne Taylor
Cc: SB; webappsec@securityfocus.org
Subject: Re: Entrust - Identity Guard - Any experience?
Maybe I am missing something, but I don't think Entrust - Identity Guard
provides 2-factor authentication.
It is a more like twice-the-effort (twice-the-trouble) authentication. :)
I am looking for insights from you security professionals into
implementing a two factor option that does not require shipping a
token. Something similar to
http://www.entrust.com/identityguard/index.htm
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
