WebApp Sec mailing list archives
RE: Entrust - Identity Guard - Any experience?
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 24 Aug 2005 08:59:33 -0500
Saqib Ali wrote...
Ned Fleming wrote... Not really. The card is something a person carries around. Besides the cards can be made to be difficult to photocopy. And if stolen, they can be treated the same as a stolen token: invalidated and a new one generated as easy as kiss my hand.hmmm. how do you know when to replace/regenerate the card, if the attacker only duplicated the card, and returned the original to your wallet??? static human-legible information can be duplicated using vaious fotografic techniques.[Ned Fleming] I like the Entrust thingamabob. Think Pareto's Law: It gives 80 percent of the functionality of a secure token for 20 percent of the cost. (Actually, I think it gives 96 percent of the functionality of a secure token for 20 percent of the cost -- Pareto squared.)This maybe true, but i would still like to see some data to support this claim.
I think that one is we are all letting the formal definition of an two-factor authentication make us miss the main point, which is that certainly this is a LOT more secure than just a plain password--even if the users already uses strong passwords. Sure this Entrust Identity Guard is nothing more than an glorified Bingo card with coordinates printed along the Y-axis, but that doesn't mean it can't serve a similar purpose of a "what you have" factor of authentication. The point is that most people KNOW how to secure physical things. They do this all the time with their wallets, their credit cards, small pieces of jewelery, etc. If they are taught that this Identity Guard needs to be protected just like a credit card, most of them will afford it SUFFICIENT (not perfect) protection. So can it be duplicated? Yes. Does it matter? Not as much as you might think, since the risk of duplication is relatively low.
From a risk management perspective, in reality there is little difference
between this Identity Guard vs. somone securing an SSL client-certificate on a removable media such as a floppy or a thumb drive. The removable media can be stolen, copied, and put back as well. So if you don't secure your private keys with a passphrase (and by observation, most people don't), and this happens, you're screwed. And I doubt if most people protect that floppy as well as they protect one of the credit cards. I've seen many cases where all people do is eject the floppy with their certificate, but leave it in the floppy drive bay. (There are probably the same people who don't secure it with a passphrase either.) Rather than arguing semantics of definitions, we ought to acknowledge that this is substantially less risk than a password alone and is likely to be deployed at a fraction of the cost of a smart card, key fob, etc. While it definitely isn't the most secure solution, IMO, it still is a good idea. Just my $.02, -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall () qwest com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit
Current thread:
- RE: Entrust - Identity Guard - Any experience?, (continued)
- RE: Entrust - Identity Guard - Any experience? Ellis, Steven (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Rishi Pande (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Mary Ann Burns (Aug 19)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 19)
- Re: Entrust - Identity Guard - Any experience? Ralf Durkee (Aug 19)
- RE: Entrust - Identity Guard - Any experience? Lyal Collins (Aug 20)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 21)
- RE: Entrust - Identity Guard - Any experience? ken kousky (Aug 21)
- Re: Entrust - Identity Guard - Any experience? Ned Fleming (Aug 22)
- Re: Entrust - Identity Guard - Any experience? Saqib Ali (Aug 23)
- RE: Entrust - Identity Guard - Any experience? Ellis, Steven (Aug 19)