WebApp Sec mailing list archives
Two-Factor Authentication on the Web
From: RSD <rsd () sdf lonestar org>
Date: Wed, 28 Jun 2006 13:31:08 +0000
My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC guidelines[0] regarding two-factor authentication. Now the guidance describes many different types of factors that could be used, such as Tokens/Biometric/Out-of-Band/etc. Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a secret question like 'What is your favorite food?' that is supposed to augment the existing username and password. Here's the problem -- a password is also one considered a shared secret -- so this isn't really two-factor, more like 2 one-factors. Since the factors have identical characteristics, if one is compromised, the other will surely follow. Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate." Seems to me if an attacker found a password written on a post-it note, they'd find "cookies" as well. Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort of physical device is not an option. My questions: -Is my analysis correct? -Are multiple shared secrets any more secure? -What viable solutions are there? Thanks! [0] http://www.ffiec.gov/pdf/authentication_guidance.pdf -- rsd () sdf lonestar org SDF Public Access UNIX System - http://sdf.lonestar.org ------------------------------------------------------------------------- Sponsored by: Watchfire As web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ --------------------------------------------------------------------------
Current thread:
- Two-Factor Authentication on the Web RSD (Jun 28)
- Re: Two-Factor Authentication on the Web Peter Morgan (Jun 28)
- Re: Two-Factor Authentication on the Web Saqib Ali (Jun 28)
- RE: Two-Factor Authentication on the Web Harper.Matthew (Jun 28)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Pete Herzog (Jun 30)
- RE: Two-Factor Authentication on the Web LM (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Nick Owen (Jun 29)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web Christian Kanakis (Jun 30)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 30)