WebApp Sec mailing list archives

Re: 2-factor auth for all

From: Nick Owen <nowen () wikidsystems com>
Date: Tue, 24 Oct 2006 11:55:37 -0400

Saqib Ali wrote:

2. Without mutual authentication, phishing attacks will still occur.


Excellent point! I totally agree with this. In fact I covered this
topic in my blog in September with reference to a study done by a TPM
manufacturer. See:
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243


I don't really consider machine authentication to be mutual
authentication. I'd say that the host needs to be authenticated to the
user, based on some cryptographically secure mechanism.

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have 
seen, and outlines a guideline for developing secure web applications. 
Download our The Twelve Most Common Application-level Hack Attacks 
whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008YTi
--------------------------------------------------------------------------

Current thread:

2-factor auth for all Saqib Ali (Oct 23)
- RE: 2-factor auth for all Benjamin Tomhave (Oct 27)
- Re: 2-factor auth for all David Kierznowski (Oct 27)
  - Re: 2-factor auth for all Saqib Ali (Oct 27)
- RE: 2-factor auth for all Nick Owen (Oct 27)
  - Re: 2-factor auth for all Saqib Ali (Oct 27)
    - Re: 2-factor auth for all Nick Owen (Oct 27)