Two Factor Authentication is not the only part of the problem

Two Factor Authentication is not the only part of the problem. It does help a lot for strong authentication of the client. Some other important parts of the problem are:

1. Mutual Authentication. Short term, need to have the FI display something unique which helps the user tell for sure they are connected to who they think they are connected to. Longer term, need changes to Firefox and IE6 (which for me means 95% of my customers) so that the PKI credentials for the FI are displayed.

2. Need to be able to ask the client if I can query their computer's status, and make sure that they have a current patch level and decent AV and Spyware protection. So, need to ask Linux and Windows (or other products installed on Windows and Linux) to provide capabilities, because I do not want to download code. After all, not my business. Could request this function with a special HTTP header.

3. Mid term to long term, I love the idea of a second factor (USB attachment) which supports PKCS#11 / PKCS#15. This, along with #1, prevents MITM attack.

4. Everywhere in the world, except maybe the U.S., we are rapidly rolling out EMV and VIS. So, we are going to have Smartcards in everyone's wallet, that will be a key part of the 2FA problem. Just need a small portable USB device to support a USB interface to the card. So far, I am having trouble with this, need something small enough to hang on your keychain. Wait a year or so, someone will build it.

On the server side, need to make some changes as well.

1. Proper support for tiered authentication. So, you can access less dangerous functionality with less authentication.

2. Base the entire thing on a decent RBAC approach, so I can administer and keep track of what is going on. Note, DSD gives me a decent way to model tiered authentication.

3. Need to build a proper authorization framework so that the requirements for both a proper authentication tier and even a signature (OTP, Digital Signature) on specific transactions can be enforced.

The bottom line:

1. The stronger the authentication of the client, the better. As we move towards 2FA, let's be careful to not make any stupid biometric decisions. Biometrics should only be used to gain access to the hardware second factor, for instance via a thumbprint. Then, if the second factor gets stolen, we just revoke the token; we do not need to cut off your thumb!

2. Mutual authentication. Not only does the client need to prove who they are, the FI needs to prove who it is. Some cool stop-gap things with GIFs and stuff are possible, but in the middle and longer term, changes to the browsers (the two that dominate my customer base are Firefox and IE)

3. Assurance the PC is protected. If you will excuse me the vanity, I will riff on "Clarke's Third Law", name it "Cameron's Law", and state that "Any sufficiently infested PC cannot be protected from allowing the customer to be scammed". Frankly, I was really hoping that the Fed would step up to that in its
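The server-side points above (tiered authentication, an RBAC base, and an authorization framework that can demand both a minimum authentication tier and a per-transaction signature) are easier to see in code. The following is an added example, not code from the original post or from any product it mentions. The assurance levels, roles, operation names, the Session/Decision shapes and the audit-log tuple are all constructed for illustration; a real deployment would load the policy from configuration and bind the signature check to the actual second factor.

```python
"""Tiered authentication enforced through an RBAC authorization check.

Added example, not code from the original post.  The assurance levels,
roles, operations and the audit log shape are constructed for
illustration; a real deployment would load the policy from configuration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication tier of a session, ordered from weakest to strongest."""
    NONE = 0
    PASSWORD = 1        # single factor
    OTP = 2             # password plus one-time code
    HARDWARE_TOKEN = 3  # password plus PKCS#11 token / smartcard


@dataclass(frozen=True)
class Operation:
    name: str
    required_assurance: Assurance     # minimum tier needed to perform it
    requires_signature: bool = False  # per-transaction OTP / digital signature


# Constructed policy: higher-risk operations need a higher tier, and the
# money-moving ones also need a signature over the specific transaction.
OPERATIONS = {
    "view_balance": Operation("view_balance", Assurance.PASSWORD),
    "pay_known_payee": Operation("pay_known_payee", Assurance.OTP),
    "add_payee": Operation("add_payee", Assurance.HARDWARE_TOKEN, requires_signature=True),
    "wire_transfer": Operation("wire_transfer", Assurance.HARDWARE_TOKEN, requires_signature=True),
    "manage_users": Operation("manage_users", Assurance.HARDWARE_TOKEN),
}

# Constructed RBAC: which operations each role may attempt at all.
ROLE_PERMISSIONS = {
    "viewer": {"view_balance"},
    "customer": {"view_balance", "pay_known_payee", "add_payee", "wire_transfer"},
    "admin": {"view_balance", "manage_users"},
}


@dataclass
class Session:
    user: str
    roles: frozenset
    assurance: Assurance


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # "ok", "forbidden", "step_up_required", "signature_required"
    detail: str = ""


def authorize(session, op_name, signed=False, audit=None):
    """Decide whether `session` may run `op_name` right now.

    Checks run in order: unknown operation, RBAC (does any role grant it),
    authentication tier (is a step-up needed?), per-transaction signature.
    Every decision is appended to `audit` so an administrator can keep
    track of what is going on.
    """
    op = OPERATIONS.get(op_name)
    if op is None:
        decision = Decision(False, "forbidden", f"unknown operation {op_name}")
    elif not any(op_name in ROLE_PERMISSIONS.get(role, ()) for role in session.roles):
        decision = Decision(False, "forbidden", f"no role of {session.user} grants {op_name}")
    elif session.assurance < op.required_assurance:
        decision = Decision(False, "step_up_required",
                            f"need {op.required_assurance.name}, have {session.assurance.name}")
    elif op.requires_signature and not signed:
        decision = Decision(False, "signature_required",
                            f"{op_name} must be signed by the second factor")
    else:
        decision = Decision(True, "ok")
    if audit is not None:
        audit.append((session.user, op_name, session.assurance.name, decision.reason))
    return decision


def step_up(session, new_assurance):
    """Return a session at the stronger of the current and the new tier.

    Re-authenticating with a weaker factor never lowers the tier.
    """
    return Session(session.user, session.roles, max(session.assurance, new_assurance))


if __name__ == "__main__":
    log = []
    s = Session("alice", frozenset({"customer"}), Assurance.PASSWORD)
    print(authorize(s, "view_balance", audit=log))               # ok at password tier
    print(authorize(s, "wire_transfer", audit=log))              # step_up_required
    s = step_up(s, Assurance.HARDWARE_TOKEN)
    print(authorize(s, "wire_transfer", audit=log))              # signature_required
    print(authorize(s, "wire_transfer", signed=True, audit=log))  # ok
    for entry in log:
        print(entry)
```

The ordering of the checks matters: RBAC is evaluated before the tier check so that a user who could never perform an operation is told "forbidden" rather than being prompted to step up for nothing, and the signature requirement is only evaluated once the tier is adequate, because a signature from a factor weaker than the required tier proves nothing. The audit tuple records the tier the session held at decision time, which is what you want when reconstructing how a transaction was approved.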
To the best of my knowledge, z/OS (and its ancestors) has never been hacked. And, again to the best of my knowledge, it has more critical data and more installed MIPS than any other. This study is worthless IMHO.
A truly great read. Very insightful character development combined with great hard science about what Mars is like. Mind you, some of the science he uses to get folks to Mars, and have them live basically forever, is questionable. If you are a Sci-Fi fan, this has to go on to your must-read list.
BTW - KSR has written a LOT of other great stuff. Make sure to also try "Escape from Kathmandu". Have a look at http://www.sfsite.com/lists/ksr.htm for a complete list.
I am pretty sure that it is in an old Roger Zelazny (RIP) novel, where he describes a Prof who each year spread a clean sheet over the pile of s**t on his desk, and wrote the date on the sheet. That way, when he went looking for something, when he found it, he could tell when it came from! Talk about "ls -t" before writers even used much in the way of computers! I love it!
Therefore, a geocentric view makes sense. Ask anyone in Canada.
It's not math you are talking about - it's arithmetic.
Well done! Clearly a bug! Or, as we like to say in the biz, "an undocumented feature".
Have you thought about giving this a shot? Once you get as big as you, this has gotta make sense!