Skip to main content

The WiKID Blog

Viewing posts tagged pci

PCI DSS disses multi-step authentication

The PCI Council has published an "Information Supplement" on multi-factor authentication (pdf).  The document that multi-step and mutl-factor authentication are not the same and that the former is not acceptable. 

NIST deprecates SMS as an out-of-band authentication method

When we started WiKID, we looked at using SMS to deliver one-time passcodes.  We chose not to for the simple reason that there was no way we could control the encryption and thus demonstrate the security of our solution to customers.  There wasn't any data about the possible risks or probabilities of failures (except for reliability/delivery percentages)   We looked to basic security design principles and best practices when we developed WiKID.  Could we control the encryption?  Could we generate the keys on the devices instead of using shared-secrets?  

Non-Console Administrative Access

Now that PCI-DSS 3.2 is live, we have been pondering how hard it will be to implement the new multi-factor authentication requirements.  First some definitions from the PCI Glossary:

Scalability notes for the WiKID Strong Authentication server

Large two-factor authentication deployments are becoming more and more common these days as  enterprises deploy it to more and more employees .  We're also seeing more SaaS providers needing to meet regulations such as HIPAA and PCI.   These enterprises have large user bases and need scalable, reliable, affordable two-factor authentication.   We have the affordable part covered (you can see our pricing online) and we are highly incented to provide reliable software thanks to our annual subscription license.  But how scalable is WiKID?

Why you need a stand-alone two-factor authentication server

We do a fair amount of testing and documentation for commercial and open-source VPNs (Cisco, SonicWall, Sophos, Checkpoint, etc, etc).  Increasingly, we see VPNs embedding some type of two-factor authentication into their product.   The idea is to make it simple to add 2FA to your VPN services, a laudable goal and perhaps sufficient for some small organizations.  So, when should you consider using a stand-alone service instead?

Recent Posts







RSS / Atom