Posted by:
admin
15 years, 11 months ago
There is a great post on DigitalID World by Eric Nolan about the recent FFIEC guidelines regarding two-factor authentication being a driver for the strong authentication market, much as other compliance rules have boosted the identity management marketplace. It is a very insightful article and worth the read. I have some comments though:
1. I'd imagine that strong auth will become a primary driver for federated identity technologies. As multiple means of authenticating emerge, linking identities into small "circles of trust" will grow in importance -- and, for the first time, the end-user convenience factor will exist as a real motivation.
There is a problem with the federated model, however: it deals only with session authentication. Most strong authentication systems are susceptible to man-in-the-middle attacks. To thwart MITM attacks, you need cryptographically secure mutual authentication. To thwart session hijacking trojans, you will need transaction authentication or digital signing that is cryptographically distinct from the session authentication mechanism (lest the attacker generate a phony "connection lost, please re-authenticate" message).
2. I'd imagine that strong auth will become a primary driver in the acquisition cycle. The identity management "suite" won't stop at its current state. In the wake of the Oracle acquisitions, RSA Security is already positioning its smart card and token platforms as a differentiator in the identity marketplace. Strong authentication will become a hot ticket for consolidation into the identity management stack.
W00t!
3. I'd imagine that the flip side of "risk management" is "competitive differentiator" - with strong auth as the driver. How long is it until I begin to see commercials on CNBC praising the ease of use and secure nature of insert-online-bank's strong authentication tools? How long is it until some marketing type makes the risk management controls around identity theft a competitive differentiator for an online banking transaction? I'd bet not that long.
I worry that the first bank to do an ad featuring their strong authentication solution as a differentiator will become a target and will have an "Oracle: Unbreakable" type of PR mess, even if it is a cross-site scripting attack. Security is hard to do and the attackers are not going to stop until the profit is driven out of the business. I would be careful here.
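The first comment above argues that session authentication alone does not stop a session-hijacking trojan, and that transactions need a signature that is cryptographically distinct from the session mechanism. The following is an added example, not code from the original post or from WiKID, sketching that separation: it assumes a hypothetical HMAC-based scheme in which a per-user transaction key lives on the user's device and is never available to the browser session, and uses constructed keys and transaction values.

```python
import hashlib
import hmac
import secrets

# Constructed per-user transaction keys. In practice this key lives on the
# user's token/device and never reaches the browser session, so a trojan
# that hijacks the session cannot compute transaction signatures.
TRANSACTION_KEYS = {"alice": b"constructed-transaction-key-for-alice"}

def canonical_transaction(tx_id: str, payee: str, amount_cents: int) -> bytes:
    # Unambiguous encoding of what the user approves (hypothetical format).
    return f"{tx_id}|{payee}|{amount_cents}".encode()

def sign_transaction(key: bytes, tx_id: str, payee: str, amount_cents: int) -> str:
    # Computed on the user's device after it displays payee and amount.
    msg = canonical_transaction(tx_id, payee, amount_cents)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self):
        self.sessions = {}        # session token -> user (session authentication)
        self.used_tx_ids = set()  # replay protection for signed transactions

    def login(self, user: str, otp_ok: bool):
        if not otp_ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def transfer(self, token, tx_id, payee, amount_cents, tx_sig) -> bool:
        # A live session alone is not enough; the transaction itself must be signed.
        user = self.sessions.get(token)
        if user is None or tx_id in self.used_tx_ids:
            return False
        expected = sign_transaction(TRANSACTION_KEYS[user], tx_id, payee, amount_cents)
        if not hmac.compare_digest(expected, tx_sig):
            return False
        self.used_tx_ids.add(tx_id)
        return True

def demo():
    bank = BankServer()
    token = bank.login("alice", otp_ok=True)
    sig = sign_transaction(TRANSACTION_KEYS["alice"], "tx1", "ACME-123", 5000)
    legit = bank.transfer(token, "tx1", "ACME-123", 5000, sig)
    # Hijacked session: an altered payee and a replay of the used tx_id are both rejected.
    tampered = bank.transfer(token, "tx2", "OTHER-999", 5000, sig)
    replayed = bank.transfer(token, "tx1", "ACME-123", 5000, sig)
    return legit, tampered, replayed
```

The point of the split is that stealing the session token (the "connection lost, please re-authenticate" trick) yields nothing that can sign a transaction, because the transaction key never passed through the session.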