WebApp Sec mailing list archives
RE: Two-Factor Authentication on the Web
From: "Popowycz, Alex" <Alex.Popowycz () fmr com>
Date: Wed, 5 Jul 2006 07:41:41 -0400
Lyal,

Would you elaborate as to why SSL is not a reasonable means for transporting authentication credentials? Properly implemented, SSL provides a fair degree of security to the overall authentication transaction, especially if invoked in a mutual fashion (i.e. 2-way SSL).

Additionally, the option of staying with passwords isn't viable with various laws and regulations around the world, especially in the financial services sector.

Alex

-----Original Message-----
From: "Lyal Collins" <lyal.collins () key2it com au>
To: "Webappsec Mail List" <webappsec () securityfocus com>
Sent: 7/3/06 6:25 PM
Subject: RE: Two-Factor Authentication on the Web

There has been some excellent discussion on this topic. However, I think a couple of important factors have been overlooked given the risk models that are included or assumed in the discussion.

1. Most of the methods assume that the authentication factors (password, biometric etc.) are verified at the host, requiring re-usable authentication data to be transported across a network.

2. SSL is considered the 'obvious choice' for this transport.

This model is fundamentally flawed - SSL is simply not good enough for this purpose when used en masse. SSH is hardly better, given the key establishment method boils down to "do you trust these 16 hex characters". PKI and client-side certs are merely client-side password verification in untrusted devices/environments.

Since the early nineties, it has been apparent that the better authentication option is to use client-side authentication (i.e. data capture, verification, etc.) using a trustable, tamper-evident device, which then communicates the auth state (i.e. "I am device abc and I have verified this is entity xyz according to method 123") to the host in a trusted fashion.

If we are serious about OTP, biometrics, etc. we should really be pushing for either significantly better mechanisms to transport authentication data, or deploy cheap client-side authentication with trustable carriage of the authentication data/state and ideally transaction data. Otherwise, the ethical thing is to tell our employers to stick with passwords and accept there is a modestly higher risk at a significant cost saving, or invest in doing it better.

Microsoft's trusted computing platform is a start, but tries to be all things to all communities of interest, leading to compromises and difficulties for all. For strong authentication, the MS model is basically flawed.

Just my 2 cents' worth.

Lyal

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
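The two models the quoted message contrasts, as an added example that is not part of either poster's message: model A sends a reusable password to the host for verification, so a captured copy replays; model B verifies the factor inside a device holding its own key and sends the host only a signed statement of the form "device abc verified entity xyz by method 123", bound to a host-issued nonce so the statement cannot be replayed. Device id, user id, PIN, password and keys are constructed for the illustration, and HMAC-SHA256 stands in for the device's signing primitive (a real device would hold a per-device asymmetric key in tamper-evident hardware); the class and function names are this example's own.

```python
"""
Added example, not from the original thread: host-side password verification
(model A) versus device-side verification with an attested, nonce-bound
statement of authentication state (model B). All identifiers, keys and the
PIN are constructed for the illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

# ---------------- Model A: reusable credential verified at the host ----------
# Constructed password store: user "xyz" with a hashed password.
HOST_PASSWORD_DB = {"xyz": hashlib.sha256(b"correct horse").hexdigest()}


def host_verify_password(user: str, password: bytes) -> bool:
    """The password itself crosses the wire; whoever captures it once can replay it."""
    stored = HOST_PASSWORD_DB.get(user)
    return stored is not None and hmac.compare_digest(
        stored, hashlib.sha256(password).hexdigest())


# ---------------- Model B: local verification, attested state to the host ----
class AuthDevice:
    """Simulated tamper-evident device. The PIN hash and signing key never
    leave it; only a signed statement about the verification result does."""

    def __init__(self, device_id: str, user_id: str, pin: str, key: bytes):
        self.device_id = device_id
        self.user_id = user_id
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = key  # stands in for a per-device signing key

    def authenticate(self, pin: str, nonce: str) -> Optional[dict]:
        # The factor is checked here, inside the device, not at the host.
        if not hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            return None
        statement = {"device": self.device_id, "entity": self.user_id,
                     "method": "pin", "nonce": nonce}
        msg = json.dumps(statement, sort_keys=True).encode()
        statement["mac"] = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return statement


class Host:
    """Knows each registered device's key and which challenge nonces are outstanding."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}
        self._pending: Set[str] = set()

    def register(self, device_id: str, key: bytes) -> None:
        self._device_keys[device_id] = key

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, statement: dict) -> bool:
        key = self._device_keys.get(statement.get("device", ""))
        nonce = statement.get("nonce", "")
        if key is None or nonce not in self._pending:
            return False  # unknown device, or a replayed / unsolicited nonce
        body = {k: v for k, v in statement.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, statement.get("mac", "")):
            return False  # statement tampered with, or signed by the wrong key
        self._pending.discard(nonce)  # single use: presenting it again fails
        return True


def run_exchange() -> dict:
    """Drive both models once and report what a captured message is worth."""
    # Model A: a captured password is accepted every time it is presented.
    captured_pw = b"correct horse"
    replay_a = host_verify_password("xyz", captured_pw) and host_verify_password("xyz", captured_pw)

    # Model B: the captured statement is accepted once, then refused.
    host = Host()
    dev_key = secrets.token_bytes(32)  # provisioned into the device at issue time
    host.register("abc", dev_key)
    device = AuthDevice("abc", "xyz", "4921", dev_key)
    stmt = device.authenticate("4921", host.challenge())
    first = host.verify(stmt)
    replay_b = host.verify(stmt)  # same captured statement presented again
    wrong_pin = device.authenticate("0000", host.challenge()) is None
    return {"password_replay_accepted": replay_a, "statement_first_use": first,
            "statement_replay_accepted": replay_b, "wrong_pin_rejected": wrong_pin}


if __name__ == "__main__":
    print(run_exchange())
```

The nonce is what turns the device's statement from a reusable credential into a one-time one; without it the signed statement would be just as replayable as the password in model A, which is why "trustable carriage of the auth state" has to include freshness, not only a signature.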
Current thread:
- RE: Two-Factor Authentication on the Web Gaydosh, Adam (Jul 02)
- <Possible follow-ups>
- RE: Two-Factor Authentication on the Web Glenn.Everhart (Jul 03)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jul 03)
- RE: Two-Factor Authentication on the Web Lyal Collins (Jul 03)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jul 03)
- RE: Two-Factor Authentication on the Web Popowycz, Alex (Jul 03)
- RE: Two-Factor Authentication on the Web Popowycz, Alex (Jul 05)
- RE: Two-Factor Authentication on the Web Lyal Collins (Jul 05)
- RE: Two-Factor Authentication on the Web James Pujals (Jul 05)
- RE: Two-Factor Authentication on the Web PPowenski (Jul 06)
- Re: Two-Factor Authentication on the Web mikeiscool (Jul 07)
- Re: Two-Factor Authentication on the Web Devdas Bhagat (Jul 17)