
RE: Entrust - Identity Guard - Any experience?

Subject: RE: Entrust - Identity Guard - Any experience?
Date: Sat, 20 Aug 2005 16:51:52 -0400
Guess you don't understand what Identity Guard does. It IS a second factor.
It's something you have. You use it with a password that, in a valid
security environment, is still something you know.

If you have a strong password policy you've probably made the password
something you have since your policy assures that it's NOT something you
know. That's why it's the weakest and costliest element of our worst
security environments.

Passwords have been so disastrously implemented by security managers who
close their eyes to the "naked emperor" that even leading industry gurus,
including MS folk, suggest that a password is something you HAVE because you
have to write it down to know it if you follow an idiotic strong password
model. The Post-it-notes have finally won!

With Entrust, you use a simple password that is truly something you KNOW and
the Identity Guard provides a testable but low cost check for something you
have - doesn't require a card reader or scanner either.
 
Any IT Security pro that supports strong passwords owes it to their
organization to look at intelligent alternatives to the naked emperor
syndrome.

See IP3's "Strong Passwords are an Oxymoron" - first drafted in '01 to get a
better understanding but kill your strong passwords. Even DHS Presidential
Directive 12 implies the need for intelligent multi-factor solutions
throughout the Federal government. A cheap solution for industry is long
overdue. If you have more money to spend there are even better options.
  
KWK
IP3 
Strategies to Reality


-----Original Message-----
From: Saqib Ali [mailto:docbook.xml@gmail.com] 
Sent: Friday, August 19, 2005 2:27 PM
To: Dwayne Taylor
Cc: SB; webappsec@securityfocus.org
Subject: Re: Entrust - Identity Guard - Any experience?

Maybe I am missing something, but I don't think Entrust - Identity
Guard provides 2-factor authentication.

It is more like twice-the-effort (twice-the-trouble) authentication. :)


I am looking for insights from you security professionals into
implementing a two factor option that does not require shipping a
token. Something similar to
http://www.entrust.com/identityguard/index.htm

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
