Re: Two-Factor Authentication on the Web

["Saqib Ali" <docbook.xml () gmail com>]

Multiple shared secrets are not any more secure. Infact they
inconveneince the user.

If you don't want to distribute hardware tokens, take a look at
https://www.entrust.com/eval/demoguard/ Identity Guard by entrust
or Software Tokens by RSA

The Identity Guard is a real 2-factor authentication solution, but
instead of a hardware token it uses a paper card with numbers on it.
Each banking customer will have a unique card. However, unlike the
hardware token, the attacker can xerox the identity guard, without the
knowledge of the user. But this is still far better solution then
using "2 shared secret" scheme.

Software Tokens by RSA merely protect against password replay attacks.

-
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of 
sensitive data - personal, medical and financial - are exchanged, and 
stored. Consumers expect and demand security for this information. This 
whitepaper examines a few vulnerability detection methods - specifically 
comparing and contrasting manual penetration testing with automated 
scanning tools. Download "Automated Scanning or Manual Penetration 
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------