Posted by: admin, 12 years, 5 months ago
You can download the latest [In]Secure Magazine, Issue 34, in PDF format here: net-security.org/insecuremag.php.
The article is a proof-of-concept of how to add two-factor authentication to Google Apps for your Domain using our open-source Community Strong Authentication server and our PoC HTML5 token. This particular PoC was chosen to highlight the growing focus on cloud-based services, the need for corporate control, and the trade-offs between security and usability.
I think everyone understands the growth of cloud-based services. What I think is less appreciated is the growing impact that identity management has in the cloud world. I am reminded of how the move from IPsec VPNs to SSL-based VPNs highlighted the need for stronger authentication. The move to the cloud is similar, but even more so.
Google Authenticator is an admirable solution for stronger authentication, but it doesn't provide enterprises with the necessary control or support capabilities. Google strongly advises users to download a list of backup codes to use in case of an emergency. It's a good idea, but hardly a corporate support solution. I have locked myself out of a Google account and the support was a bit slow, to say the least (luckily it was just a test account).
Finally, we like to talk about usability and security. Security geeks love to poke holes in things. It's what they are paid and trained to do. But we all recognize that security is about trade-offs. I often hear "I want biometrically secured smart cards on TPM-based hardware so I know my users are who they say they are and attacks are limited to active sessions that I monitor." Well, fine, but: 1. Can you afford it? 2. Will your users accept it, or will they go around it?
Our HTML5 software token is a step in the opposite direction. It is free and open-source. It's arguably less secure than, say, our locked token or a token on a separate device like our iPhone/Android/Win7 mobile tokens. But think about the number of times a static password is used. What percentage of them require some level of security? Would you implement two-factor authentication if it were easier for the user than static passwords?
It is not OK just to say HTML5 is not secure. You have to compare it to other technologies, and you have to consider usability and expense too.