| Subject: | Re: Two-Factor Authentication on the Web |
|---|---|
| Date: | Thu, 29 Jun 2006 08:35:54 -0400 |

Harper.Matthew wrote:

> Risk based authentication is the way to go. Many companies offer this.
> Similar to the way credit card companies monitor transactions for "odd
> ball" stuff.
>
> Matthew
>
> -----Original Message-----
> From: RSD [mailto:rsd@sdf.lonestar.org]
> Sent: Wednesday, June 28, 2006 9:31 AM
> To: webappsec@securityfocus.com
> Subject: Two-Factor Authentication on the Web
>
> My company does online loan applications. Various agencies and customers
> have demanded we comply with FFIEC guidelines[0] regarding two-factor
> authentication. Now the guidance describes many different types of
> factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.

Seems to me that transaction analysis would be tough to do on a credit application. Where is the history? (I assume your company only does online credit apps.)

Any 2FA system might also be problematic: how do you do the initial validation & credentialing? If you can do the initial validation securely, why not use that as the risk mitigation method?

Seems to me this is a good opportunity for a credit bureau to partner with an authentication vendor to offer initial validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen