
SANS ISC InfoSec Forums: Two-Factor Auth: Can we just Google the response? - SANS Internet Storm Center


Two-Factor Auth: Can we just Google the response?
What really bothers me is that WoW has stronger authentication than any of the banks I deal with. Something's wrong with that.
No Love.

37 Posts
The banking industry is getting ready for a 2nd round of 'authentication strengthening', likely to establish a strong 2nd factor (as opposed to the current 'multiple factors beyond memorized pass phrases'; most banks now have 'risk factors' that are the true multiple factor, but even those are typically only evaluated at login, and often have 'trust this device' overrides [think a botted machine]). Don't be surprised if the FFIEC requires by 2012 that a 'single use' authenticator be used (1 time pad, token/fob/soft-fob, call-back, or USB dongle).

To that end, my guess is you'll see the need for alliances/federations. I don't want 20 fobs. I'd prefer to log into Google (single factor), and when I go to my bank, it queries Google for my ID (low trust) and asks for my strong authenticator (call-back/1TP). I call back, and I'm authenticated to the site. Leave that site and go to my 401K site... same scenario.

Where we have DNSSEC, we will eventually need an AuthSEC, where every domain authenticates its users and a 'supplier' provides a strong authenticator for that ID (Google, Verisign, RSA, Entrust, heck, even the US Post Office, or your local PTT). As for fees, yes, I think that would be determined by the vendors. Google could be free (but you get an ad impression during the authentication transaction), or it should be passed on to the site provider, and they decide how to cost it out. From my Cust Svc side, forgotten passwords/resets are the major cost... and it would likely pay for itself if you drive that to a Google/Verisign, and as the site owner you just eat the cost as part of doing business (just like card processing fees).

GeoffB

3 Posts
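The post above asks for a 'single use' authenticator (token/fob/soft-fob). The following is an added example, not code from the thread or from any vendor named in it: an RFC 4226 HOTP fob simulated in Python, with the server-side check that makes the code single-use (the counter only moves forward, so a replayed or older code is rejected), plus a look-ahead window to tolerate button presses that never reached the server. The secret key is the constructed RFC 4226 test key, and the window size of 10 is an arbitrary assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SingleUseVerifier:
    """Server-side state for one fob. A code is accepted only if its counter
    is at or beyond the next expected value; once accepted, that counter and
    every earlier one are consumed, so the same code can never be replayed."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window        # assumed look-ahead for unsynced presses
        self.next_counter = 0       # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # constant-time compare: the code is an authenticator, not a lookup key
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this and all earlier counters
                return True
        return False


def demo() -> list:
    """Walk through the single-use property; returns accept/reject decisions."""
    secret = b"12345678901234567890"      # constructed: the RFC 4226 test key
    server = SingleUseVerifier(secret)
    press_3 = hotp(secret, 3)             # fob pressed a few times before first use
    return [
        server.verify(press_3),           # first use: accepted (window absorbs skips)
        server.verify(press_3),           # replay of the same code: rejected
        server.verify(hotp(secret, 2)),   # an older, never-used code: rejected
        server.verify(hotp(secret, 5)),   # a later press: accepted
        server.verify(hotp(secret, 40)),  # far beyond the window: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off for event-based tokens: too small and a few idle button presses lock the user out, too large and an attacker who captured one code gets more guesses before resynchronisation. Time-based variants (TOTP, RFC 6238) replace the counter with a time step but need the same "never accept a step at or before the last accepted one" rule to stay single-use.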
For (quite) cheap two factor authentication, Yubikey is a nice and simple way:
http://www.yubico.com/yubikey
GeoffB
1 Posts
