I find your analysis to be correct. Multiple shared secrets seems
marginally more secure than a single shared secret. You are correct
in identifying this solution as "not two-factor" as two-factor is by
definition something you have, and something you know. Ie: token and
password/passphrase.
The viable solutions I can think of off the top of my head are:
smart cards
tokens
a type of PKI using digital certs
Since smart cards would require the user to have a smartcard reader,
that is likely not an option. Tokens are pretty popular and they're a
great way of doing two-factor, also not as expensive as you might
imagine. There are lots of articles on why PKI isn't as great as
everyone chalks it up to be, but nevertheless if you can find a
product that works well for you, you can sign a cert and give it to
your clients, and they will be able to authenticate based on
"something they have, and something they know" (digital
cert/password).
I do not know names of PKI products off the top of my head
unfortunately as we deal mostly with token-based two-factor.
Hope this helps,
Pete
--
Peter J. Morgan
Information Security Analyst
Exceed Security
Appleton, Wisconsin
On 6/28/06, RSD <rsd@sdf.lonestar.org> wrote:
My company does online loan applications. Various agencies and customers have
demanded we comply with FFIEC
guidelines[0] regarding two-factor authentication. Now the guidance describes
many different types of factors that
could be used, such as Tokens/Biometric/Out-of-Band/etc.
Now the specs I've received from our analysts indicate they have chosen the
'shared secret' as a second factor. It's a
secret question like 'What is your favorite food?' that is supposed to augment
the existing username and password.
Here's the problem -- a password is also one considered a shared secret -- so
this isn't really two-factor, more like 2
one-factors. Since the factors have identical characteristics, if one is
compromised, the other will surely follow.
Now the guidance doesn't see that as a problem: "The use of multiple shared
secrets also provides increased security
because more than one secret must be known to authenticate." Seems to me if an
attacker found a password written on a
post-it note, they'd find "cookies" as well.
Now I can see why this route was chosen -- most of the other factors require
some hardware -- and distributing any sort
of physical device is not an option.
My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!
[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf
--
rsd@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
