WebApp Sec mailing list archives
Re: Two-Factor Authentication on the Web
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Wed, 28 Jun 2006 06:56:46 -0700
Multiple shared secrets are not any more secure. Infact they inconveneince the user. If you don't want to distribute hardware tokens, take a look at https://www.entrust.com/eval/demoguard/ Identity Guard by entrust or Software Tokens by RSA The Identity Guard is a real 2-factor authentication solution, but instead of a hardware token it uses a paper card with numbers on it. Each banking customer will have a unique card. However, unlike the hardware token, the attacker can xerox the identity guard, without the knowledge of the user. But this is still far better solution then using "2 shared secret" scheme. Software Tokens by RSA merely protect against password replay attacks. - Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 ----------- ------------------------------------------------------------------------- Sponsored by: WatchfireAs web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ --------------------------------------------------------------------------
Current thread:
- Two-Factor Authentication on the Web RSD (Jun 28)
- Re: Two-Factor Authentication on the Web Peter Morgan (Jun 28)
- Re: Two-Factor Authentication on the Web Saqib Ali (Jun 28)
- RE: Two-Factor Authentication on the Web Harper.Matthew (Jun 28)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Pete Herzog (Jun 30)
- RE: Two-Factor Authentication on the Web LM (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 29)
- Re: Two-Factor Authentication on the Web Nick Owen (Jun 29)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web Christian Kanakis (Jun 30)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jun 30)
- Re: Two-Factor Authentication on the Web Tim (Jun 30)
- RE: Two-Factor Authentication on the Web James Pujals (Jun 30)