WebApp Sec mailing list archives

Re: ual Factor/Adaptive Authentication


From: "Saqib Ali" <docbook.xml () gmail com>
Date: Thu, 4 May 2006 07:56:36 -0700

On 5/3/06, Casey DeBerry <cdeberry () cobizinc com> wrote:
> If you are in any way governed by FFIEC, this is your MO for 2006.  I
> had an introduction to RSA's offering today which included recently
> purchased Passmark, and Cyota's converged solution.  Initially, I was

BofA uses Passmark (see http://www.bankofamerica.com/privacy/passmark/
). The security concerns of Passmark were discussed on Full Disclosure;
see:
http://seclists.org/lists/fulldisclosure/2005/May/0629.html

Passmark technology tries to solve the machine authentication problem
using encrypted cookies. The idea looks good, but I don't know how
safe it is.

I would personally wait till Passmark and similar technologies utilize
TPM (Trusted Platform Module) to perform a mutual authentication
before I can consider replacing physical hardware tokens with
Passmark.

But then again a TPM does NOT replace a USB cryptographic key device /
token. They complement each other. A USB token/smart card
authenticates the user whereas a TPM authenticates a machine.

I guess use of Passmark instead of physical tokens will depend on the
security needs of the system.....

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
