Risk based authentication is the way to go. Many company's offer this.
Similar to the way credit card companies monitor transactions for "odd
ball" stuff.
Matthew
-----Original Message-----
From: RSD [mailto:rsd@sdf.lonestar.org]
Sent: Wednesday, June 28, 2006 9:31 AM
To: webappsec@securityfocus.com
Subject: Two-Factor Authentication on the Web
My company does online loan applications. Various agencies and customers
have demanded we comply with FFIEC guidelines[0] regarding two-factor
authentication. Now the guidance describes many different types of
factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.
Now the specs I've received from our analysts indicate they have chosen
the 'shared secret' as a second factor. It's a secret question like
'What is your favorite food?' that is supposed to augment the existing
username and password.
Here's the problem -- a password is also one considered a shared secret
-- so this isn't really two-factor, more like 2 one-factors. Since the
factors have identical characteristics, if one is compromised, the other
will surely follow.
Now the guidance doesn't see that as a problem: "The use of multiple
shared secrets also provides increased security because more than one
secret must be known to authenticate." Seems to me if an attacker found
a password written on a post-it note, they'd find "cookies" as well.
Now I can see why this route was chosen -- most of the other factors
require some hardware -- and distributing any sort of physical device is
not an option.
My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!
[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf
--
rsd@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
------------------------------------------------------------------------
-
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
------------------------------------------------------------------------
--
LEGAL DISCLAIMER
The information transmitted is intended solely for the individual or entity to
which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of or taking action in
reliance upon this information by persons or entities other than the intended
recipient is prohibited. If you have received this email in error please
contact the sender and delete the material from any computer.
Seeing Beyond Money is a service mark of SunTrust Banks, Inc.
[ST:XCL]
-------------------------------------------------------------------------
Sponsored by: Watchfire
As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------
