Viewing posts from April, 2017
It always comes to this: why making the right security designs up front matters.
Posted by: root in Two-factor authentication 7 years, 7 months ago
When we started WiKID, we knew we had to be as secure as or more secure than the leading players at the time (RSA, Vasco, mostly, way back then). We decided that using asymmetric keys generated on users' devices was the best way to overcome objections to software-based tokens. After all, R, S & A had developed public key encryption to overcome the weaknesses of shared secret encryption.
Fast-forward, and the dominant form of consumer-oriented two-factor authentication is "two-step" authentication using a shared secret-based protocol (even after hackers successfully stole the shared secrets of a major 2FA vendor) or, worse, using SMS. Of course, we know the saying that marketing trumps technology. This seemed like a typical case of that. No one much cared about the increased security offered by asymmetric encryption.
But security is a slightly different beast because: 1. Attackers are always getting better. 2. Regulations and compliance can force a market to change despite marketing. The PCI-DSS Council may be in the process of doing that with their most recent guidance on multi-factor authentication, stating that multi-step authentication leaks account information and should not be used. NIST has said that using SMS as an authentication mechanism is deprecated.
In a way, this will be easier for many systems administrators. Most VPNs and remote access services support OTP-based 2FA via RADIUS by default (which also allows authorization in AD/LDAP, another recommended practice), and they do not support a multi-step authentication process. There is no way, for example, to do two-step authentication on a Cisco ASA. But two-factor authentication is easy and can be added to ASA Admin accounts as well, which is a great idea and soon to be required for PCI's non-console admin access requirements.
PCI DSS disses multi-step authentication
Posted by: root in PCI-DSS 7 years, 8 months ago
The PCI Council has published an "Information Supplement" on multi-factor authentication (pdf). The document states that multi-step and multi-factor authentication are not the same and that the former is not acceptable.