Two-Factor Authentication on the Web

My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC
guidelines[0] regarding two-factor authentication.  Now the guidance describes many different types of factors that
could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a
secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.

Here's the problem -- a password is also one considered a shared secret -- so this isn't really two-factor, more like 2
one-factors.  Since the factors have identical characteristics, if one is compromised, the other will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security
because more than one secret must be known to authenticate."  Seems to me if an attacker found a password written on a
post-it note, they'd  find "cookies" as well.

Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort
of physical device is not an option.

My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

--
rsd@...
SDF Public Access UNIX System - http://sdf.lonestar.org

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

I find your analysis to be correct.  Multiple shared secrets seems
marginally more secure than a single shared secret.  You are correct
in identifying this solution as "not two-factor" as two-factor is by
definition something you have, and something you know.  Ie: token and
password/passphrase.

The viable solutions I can think of off the top of my head are:
smart cards
tokens
a type of PKI using digital certs

Since smart cards would require the user to have a smartcard reader,
that is likely not an option.  Tokens are pretty popular and they're a
great way of doing two-factor, also not as expensive as you might
imagine.  There are lots of articles on why PKI isn't as great as
everyone chalks it up to be, but nevertheless if you can find a
product that works well for you, you can sign a cert and give it to
your clients, and they will be able to authenticate based on
"something they have, and something they know" (digital
cert/password).

I do not know names of PKI products off the top of my head
unfortunately as we deal mostly with token-based two-factor.

Hope this helps,
Pete

--
Peter J. Morgan
Information Security Analyst
Exceed Security
Appleton, Wisconsin



On 6/28/06, RSD <rsd@...> wrote:
-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

Multiple shared secrets are not any more secure. Infact they
inconveneince the user.

If you don't want to distribute hardware tokens, take a look at
https://www.entrust.com/eval/demoguard/ Identity Guard by entrust
or Software Tokens by RSA

The Identity Guard is a real 2-factor authentication solution, but
instead of a hardware token it uses a paper card with numbers on it.
Each banking customer will have a unique card. However, unlike the
hardware token, the attacker can xerox the identity guard, without the
knowledge of the user. But this is still far better solution then
using "2 shared secret" scheme.

Software Tokens by RSA merely protect against password replay attacks.

-
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

The guidelines are about protecting consumers, their identities, and  
the value of the transaction, not generally access to the account  
itself or saving your firm's bottom line. So instead of worrying  
about adopting yet another stale technology which does not solve  
phishing or identity theft, seize the opportunity to move to the next  
step and reduce identity theft and fraud.

Q&A's (shared secrets) are truly appalling. They should not be used  
under any circumstances. Most of the questions are on the public  
record (DMV, voter registration records, births/deaths/marriages,  
etc). Many of the others can be found using Google (what's my pet's  
name... hint you do not have to look hard. For extra points, what's  
the color of my other cat?), and some questions like what's your  
favorite color is usually "red" about 75% of the time, "blue" the  
next 20% of the time, and then a smattering of other colors. Good  
Q&A's are open ended questions which are hard to find out, lots of  
answers, but easy to remember... like where did you take your first  
holiday. Which as a question sucks if you're a famous author like  
Gerrard Durrel (the answer is Corfu). So basically, once you  
eliminate all the well known Q&A's people CANNOT remember the answers  
to them. Strike round one.

Online loan apps are particularly hard to secure - they are prime  
phishing targets. If you know a lot about your customer already (as  
in they already have a relationship with you), do NOT ask for any  
information you already have, and do not show it. This makes it less  
likely that phishers will target you.

IMHO, for online banking, the day of the password has been over for  
about two years now. OTPs alone is rapidly approaching the same end  
zone. However, you *should* be using one time passwords (ie token  
login) with limited time outs for authenticating to your service on  
to deter batched / delayed MITM and replay attacks. However, OTP will  
not prevent phishing attacks logging onto your customer's accounts  
and pharming the details found within.

So:

a) access to information inside the account which is useful in a  
online loan application should be utterly minimized or completely  
eliminated, or at worst only available via transaction  
authentication. This diminishes the phishing information gathering  
surface area for your app and phishers will choose weaker or stupider  
targets

b) value transactions which are hard to reverse, such as pay anyone,  
should be performed via transaction authentication. Your  
institution's taste for risk will determine how often and which  
destinations attract transaction authentication. My preference is do  
'em all. But that might be a PITA. For example, paying a "bill" to a  
Western Union destination is basically asking to be phished, whereas  
paying a bill to a trusted utility which does not offer cash  
reversals once a bill is overpaid is unlikely to be phished and you  
may let that go.

c) Applications for credit should be rare enough that taking a hit  
for a OTP or transaction authentication is a really good idea.

Always think in terms of authenticating the transaction, not the  
person. The person should possess the means of authenticating the  
transaction, such as a transaction signing calculator or mobile  
phone. I am sure phishers will work out a script or scenario for  
these babies eventually, but that day is not today.

Tokens which are capable of OTP and transaction signing are not that  
much more expensive than pure OTP tokens, and they are cheaper than  
USB connected tokens, which are no better than hard certs (ie smart  
cards). Connected tokens are the devil's work, and should be avoided  
as they do not prevent the user pressing "yeah, whatever" whenever  
you ask for a transaction to be signed. That's not transaction  
signing, that's a recipe for phishing, particularly if your app asks  
for trx signing on a regular basis.

Pay Bill 1 - yeah, whatever.
Pay Bill 2 - yeah, whatever.
Pay Phisher - year, whatever.
Pay Bill 3 - yeah, whatever.

It happens in MacOS X, and it'll happen in Vista. It's human nature  
not to read the security prompts. Make the human part of the  
transaction, and not "yeah, whatever."

SMS texting works *really* well... As long as you have a solid way of  
registering the mobile phone and as long as the local carriers have  
phone cloning under control. Phishers think nothing of ringing up a  
bored $4.95/hr help desk jockey, and making several guesses as to  
your pet's name and favorite color (red! no blue!) and changing your  
cell phone number to their own stolen or throw away pre-paid phones.  
Registering or changing the number should be done in person, with a  
strong emphasis on showing lots of photo ID.

thanks,
Andrew

Risk based authentication is the way to go.  Many company's offer this.
Similar to the way credit card companies monitor transactions for "odd
ball" stuff.

Matthew

-----Original Message-----
From: RSD [mailto:rsd@...]
Sent: Wednesday, June 28, 2006 9:31 AM
To: webappsec@...
Subject: Two-Factor Authentication on the Web

My company does online loan applications. Various agencies and customers
have demanded we comply with FFIEC guidelines[0] regarding two-factor
authentication.  Now the guidance describes many different types of
factors that could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen
the 'shared secret' as a second factor. It's a secret question like
'What is your favorite food?' that is supposed to augment the existing
username and password.

Here's the problem -- a password is also one considered a shared secret
-- so this isn't really two-factor, more like 2 one-factors.  Since the
factors have identical characteristics, if one is compromised, the other
will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple
shared secrets also provides increased security because more than one
secret must be known to authenticate."  Seems to me if an attacker found
a password written on a post-it note, they'd  find "cookies" as well.

Now I can see why this route was chosen -- most of the other factors
require some hardware -- and distributing any sort of physical device is
not an option.

My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

--
rsd@...
SDF Public Access UNIX System - http://sdf.lonestar.org

------------------------------------------------------------------------
-
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
------------------------------------------------------------------------
--
 
 
 
LEGAL DISCLAIMER
The information transmitted is intended solely for the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this email in error please contact the sender and delete the material from any computer.
 
Seeing Beyond Money is a service mark of SunTrust Banks, Inc.
[ST:XCL]
 
 
 
 

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

Risk Based Authentication is a good idea as it goes back to 'why spend
more on security controls then the value of the data'. I got to check
out Ira Winkler's speech the other week and he made an interesting
comment in that money for security, most of the time, comes out of the
IT budget. The problem with that is the cost of securing the data may
cost more then what the IT budget can afford. If you are responsible
for securing data that could cost tens or hundreds of billions, why
would you only use 5% of the IT budget to protect that investment?

That said, with all of the risks of personal information being stolen
these days it is not unreasonable to demand two-factor authentication
for banking web apps. Here is an excerpt from the FFIEC document (keep
in mind this whole document is for AUTHENTICATION):

Authentication Guidance (2001)
Summary of Key Points
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Financial institutions offering Internet-based products
and services to their customers should use effective methods to
authenticate the identity of customers using those products and
services. The authentication techniques employed by the financial
institution should be appropriate to the risks associated with those
products and services. Account fraud and identity theft are frequently
the result of single-factor (e.g., ID/password) authentication
exploitation. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.

This was appended not too long ago by the following document, which is
what is stirring up the banking community (in the US):
FIL-103-2005
http://www.fdic.gov/news/news/financial/2005/fil10305.html

Summary:   The Federal Financial Institutions Examination Council
(FFIEC) has issued the attached guidance, "Authentication in an
Internet Banking Environment." For banks offering Internet-based
financial services, the guidance describes enhanced authentication
methods that regulators expect banks to use when authenticating the
identity of customers using the on-line products and services.
Examiners will review this area to determine a financial institution's
progress in complying with this guidance during upcoming examinations.
Financial Institutions will be expected to achieve compliance with the
guidance no later than year-end 2006.

Highlights:

    * Financial institutions offering Internet-based products and
services should use effective methods to authenticate the identity of
customers using those products and services.
    * Single-factor authentication methodologies may not provide
sufficient protection for Internet-based financial services.
    * The FFIEC agencies consider single-factor authentication, when
used as the only control mechanism, to be inadequate for high-risk
transactions involving access to customer information or the movement
of funds to other parties.
    * Risk assessments should provide the basis for determining an
effective authentication strategy according to the risks associated
with the various products and services available to on-line customers.
    * Customer awareness and education should continue to be
emphasized because they are effective deterrents to the on-line theft
of assets and sensitive information.

Here is what I don't get:
"Where risk assessments indicate that the use of single-factor
authentication is inadequate, financial institutions should implement
multifactor authentication, layered security, or other controls
reasonably calculated to mitigate those risks."

What other controls, other then multifactor authentication, can
mitigate that risk?



On 6/28/06, Harper.Matthew <Matthew.Harper@...> wrote:

--
Tim Van Cleave, CISSP, NSA IAM, CXE
AIM - pand0rausa
MSN - m0rt15
Yahoo - pand0ra_usa

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

I concur with Andrew - shared secrets are not 2FA. I think some OWASP
guidance on implementing 2FA for web applications, and information about
some of the available options would be very valuable.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@...]
Sent: 28 June 2006 15:19
To: rsd@...
Cc: Webappsec Mail List
Subject: Re: Two-Factor Authentication on the Web

The guidelines are about protecting consumers, their identities, and  
the value of the transaction, not generally access to the account  
itself or saving your firm's bottom line. So instead of worrying  
about adopting yet another stale technology which does not solve  
phishing or identity theft, seize the opportunity to move to the next  
step and reduce identity theft and fraud.

Q&A's (shared secrets) are truly appalling. They should not be used  
under any circumstances. Most of the questions are on the public  
record (DMV, voter registration records, births/deaths/marriages,  
etc). Many of the others can be found using Google (what's my pet's  
name... hint you do not have to look hard. For extra points, what's  
the color of my other cat?), and some questions like what's your  
favorite color is usually "red" about 75% of the time, "blue" the  
next 20% of the time, and then a smattering of other colors. Good  
Q&A's are open ended questions which are hard to find out, lots of  
answers, but easy to remember... like where did you take your first  
holiday. Which as a question sucks if you're a famous author like  
Gerrard Durrel (the answer is Corfu). So basically, once you  
eliminate all the well known Q&A's people CANNOT remember the answers  
to them. Strike round one.

Online loan apps are particularly hard to secure - they are prime  
phishing targets. If you know a lot about your customer already (as  
in they already have a relationship with you), do NOT ask for any  
information you already have, and do not show it. This makes it less  
likely that phishers will target you.

IMHO, for online banking, the day of the password has been over for  
about two years now. OTPs alone is rapidly approaching the same end  
zone. However, you *should* be using one time passwords (ie token  
login) with limited time outs for authenticating to your service on  
to deter batched / delayed MITM and replay attacks. However, OTP will  
not prevent phishing attacks logging onto your customer's accounts  
and pharming the details found within.

So:

a) access to information inside the account which is useful in a  
online loan application should be utterly minimized or completely  
eliminated, or at worst only available via transaction  
authentication. This diminishes the phishing information gathering  
surface area for your app and phishers will choose weaker or stupider  
targets

b) value transactions which are hard to reverse, such as pay anyone,  
should be performed via transaction authentication. Your  
institution's taste for risk will determine how often and which  
destinations attract transaction authentication. My preference is do  
'em all. But that might be a PITA. For example, paying a "bill" to a  
Western Union destination is basically asking to be phished, whereas  
paying a bill to a trusted utility which does not offer cash  
reversals once a bill is overpaid is unlikely to be phished and you  
may let that go.

c) Applications for credit should be rare enough that taking a hit  
for a OTP or transaction authentication is a really good idea.

Always think in terms of authenticating the transaction, not the  
person. The person should possess the means of authenticating the  
transaction, such as a transaction signing calculator or mobile  
phone. I am sure phishers will work out a script or scenario for  
these babies eventually, but that day is not today.

Tokens which are capable of OTP and transaction signing are not that  
much more expensive than pure OTP tokens, and they are cheaper than  
USB connected tokens, which are no better than hard certs (ie smart  
cards). Connected tokens are the devil's work, and should be avoided  
as they do not prevent the user pressing "yeah, whatever" whenever  
you ask for a transaction to be signed. That's not transaction  
signing, that's a recipe for phishing, particularly if your app asks  
for trx signing on a regular basis.

Pay Bill 1 - yeah, whatever.
Pay Bill 2 - yeah, whatever.
Pay Phisher - year, whatever.
Pay Bill 3 - yeah, whatever.

It happens in MacOS X, and it'll happen in Vista. It's human nature  
not to read the security prompts. Make the human part of the  
transaction, and not "yeah, whatever."

SMS texting works *really* well... As long as you have a solid way of  
registering the mobile phone and as long as the local carriers have  
phone cloning under control. Phishers think nothing of ringing up a  
bored $4.95/hr help desk jockey, and making several guesses as to  
your pet's name and favorite color (red! no blue!) and changing your  
cell phone number to their own stolen or throw away pre-paid phones.  
Registering or changing the number should be done in person, with a  
strong emphasis on showing lots of photo ID.

thanks,
Andrew

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

Harper.Matthew wrote:
Seems to me that transaction analysis would be tough to do on a credit
application.  Where is the history? (I assume your company only does
online credit apps.) Any 2FA system might also be problematic: how do
you do the initial validation & credentialing?  If you can do the
initial validation securely, why not use that as the risk mitigation
method? Seems to me this is a good opportunity for a credit bureau to
partner with an authentication vendor to offer initial
validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------

I don't see the credit bureau's jumping on that wagon. Currently there
is no risk to them and they are making money hand-over-fist because of
ID theft. Since there is no risk why would they shell out tons of
money to come up with a solution for someone elses problem?
I do agree that the initial validation of someones identity is
problematic. The document here is talking about authentication, which
is related to the initial validation and trying to initially validate
every user through a definite means is impractical. Since names and
social security numbers and other similar concepts are labels that we
apply to ourselves the only way I see that you can accurately validate
someone would be through biometrics (something you are) . Granted
there can be issues with replay attacks but it could be used for
initial identification. There is no way you can really validate
someones identity without them being there in person (start the flame
war). Sure, you can lie when you go in but the risk of being caught is
much higher. I see one of the problems being that a financial
institution has to find a balance that is cost effective and can
reasonably validate someones identity remotely. Sorry about some of
the fragmented sentences, but I have ahd enough fun for one day.



-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------

Wouldn’t biometrics be intercept-able as data transmission packets and faked when used over a civilian network?

-----Original Message-----
From: Tim [mailto:pand0ra.usa@...]
Sent: Friday, 30 June 2006 9:04 AM
To: Nick Owen
Cc: Harper. Matthew; RSD; webappsec@...
Subject: Re: Two-Factor Authentication on the Web

I don't see the credit bureau's jumping on that wagon. Currently there
is no risk to them and they are making money hand-over-fist because of
ID theft. Since there is no risk why would they shell out tons of
money to come up with a solution for someone elses problem?
I do agree that the initial validation of someones identity is
problematic. The document here is talking about authentication, which
is related to the initial validation and trying to initially validate
every user through a definite means is impractical. Since names and
social security numbers and other similar concepts are labels that we
apply to ourselves the only way I see that you can accurately validate
someone would be through biometrics (something you are) . Granted
there can be issues with replay attacks but it could be used for
initial identification. There is no way you can really validate
someones identity without them being there in person (start the flame
war). Sure, you can lie when you go in but the risk of being caught is
much higher. I see one of the problems being that a financial
institution has to find a balance that is cost effective and can
reasonably validate someones identity remotely. Sorry about some of
the fragmented sentences, but I have ahd enough fun for one day.



-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------

On 30/06/2006, at 4:03 PM, Tim wrote:

>  the only way I see that you can accurately validate
> someone would be through biometrics (something you are)

This is not possible, as:

All devices in general are tamperable and not trustworthy when in the  
hands of the attacker

Biometric devices have a long history of being little more than snake  
oil or toys. The good ones are significantly more expensive than ANY  
other form of actual 2FA authentication device

Many attacks against existing biometric devices are so trivial as to  
be a complete joke. Check out this page:

http://www.heise.de/ct/english/02/11/114/

Lastly, trustworthy biometric registration requires an in-person  
visit, thus negating any possibility of remote authentication.

No matter what 2FA device you use, evidence of identity is only as  
strong as the registration process. I'd prefer to see the initial  
registration (and recovery of registration) done only in-person.  
Otherwise the process is open to abuse by definition.

thanks,
Andrew

Hi,

> What other controls, other then multifactor authentication, can
> mitigate that risk?

I was hoping to see a good answer to this question.

While there are quite a few ways one can "authenticate" the root
problem, to me, is Identification and Authorization which make up
Authentication.  If the same source for Identification is used and the
same Authorization means is granted then any additional authentication
factor really is kind of the same thing over the net.  Sure, a token,
dongle, fingerprint, timezone, location, software, etc. make things more
difficult to make the attack, if the attacker can usurp the identity and
the client, then the attack success is very high.  Meaning, if you break
into the house and use the banking info on that computer to make the
attack your success chances will be much higher.

An additional channel whether it be SMS or telephone call-back can
improve the chances authentication, this is still not even close to the
type of authentication one can get in person.

Further discussion however, will show that physical presence is often
over-rated because the people who do the identification and grant
authorization can also be easily fooled.  Risk of getting caught is not
much higher for those people but the speed to repercussion is. Over the
net, there is much less repercussion if denied: the difference between
"Access Denied" on-line and "Hey, wait a minute while I get my manager"
(as guard approaches).

I've been doing a lot of researching into Trusted Computing for the
OpenTC project and it's clear that TC may not have the answer either,
but it's not as bad.  At least it closes the link between person and
computer a bit better for the sake of identification.

I am interested in hearing from others though on replacement or
enhancement security for authentication where identification and
authorization are not weak links or the speed or level of repercussion
is up there with the physical world.

-pete.

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------

What I was trying to say is that you can only authenticate someone
through biometrics because it is something that they are. I do not
dispute that technology can be subverted or that people can be
manipulated. What I am trying to say is that a label (name, ssn)
cannot be trusted, especially nowadays. I feel the same in that
regristration would have to be done in person but again that is
impractical. Again, I am not saying that the current biometrics
technology is an adequate solution. Just that the concept of
biometrics is the only way to validate someone's identity.

You seem to be very familiar with biometrics, can you provide some
examples of products that you have experience with that you would
consider to be a scam and what ones (regardless of expense) are
adequate?

On 6/30/06, Andrew van der Stock <