ViTM - The Vendor in the Middle

Two-factor authentication seems to lack a clear analysis of the risks associated with different architectures.

by Nick Owen, posted on Jun 01, 2011 11:14 AM, last modified Nov 09, 2011 09:34 AM

Enterprise security architects are traditionally very wary of systems that rely on third parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems without considering (or while heavily discounting) the fact that RSA kept copies of the token seeds for licensing purposes.

My intention here is not to pile on RSA, but rather to clarify the root cause, because as organizations evaluate alternatives to SecurID they are often making the same mistake: relying on a security vendor's infrastructure, or worse, using a system like SMS, where the provider is not even a security vendor! That is not to say that no organization would be better off using a service, only that they should be aware of the risks, just as some organizations will be better off "in the cloud" while some will not.

I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric encryption, between services and software, and so on. I don't know why two-factor authentication is such an emotional issue. Pundits like to say things like "too little, too late" about it. Excessive negativity does nothing to increase security.
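To make the shared-secret versus asymmetric distinction concrete, here is an added example that is not from the original post: HOTP (RFC 4226) stands in for any seed-based token, and a textbook RSA signature over constructed, deliberately tiny (insecure) demo primes stands in for a public-key token. It assumes Python 3.8+ and shows that whoever holds a copy of the seed reproduces the user's codes, while a copy of the public key can only verify responses, not mint them.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Textbook RSA with constructed, tiny primes: this illustrates key asymmetry only
# and is not a secure parameter choice.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                          # public exponent: safe to hand to any verifier
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never leaves the token


def _digest_mod_n(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def sign_challenge(challenge: bytes, private_d: int = D) -> int:
    """Token side: only the holder of D can produce this response."""
    return pow(_digest_mod_n(challenge), private_d, N)


def verify_response(challenge: bytes, response: int, public_e: int = E) -> bool:
    """Verifier side: needs only (E, N); a copy of these checks responses, it cannot forge them."""
    return pow(response, public_e, N) == _digest_mod_n(challenge)


def vendor_in_the_middle_demo() -> dict:
    """Compare what a party holding a *copy* of each credential can do."""
    seed = b"12345678901234567890"    # RFC 4226 Appendix D test seed (constructed input)
    counter = 0
    user_token_code = hotp(seed, counter)
    seed_copy_code = hotp(bytes(seed), counter)  # vendor's retained copy of the same seed
    challenge = b"login-nonce-42"                # constructed server challenge
    genuine = sign_challenge(challenge)
    # Best a public-key holder can do without D: exponentiate with the only key it has.
    attempted_forgery = pow(_digest_mod_n(challenge), E, N)
    return {
        "hotp_from_token": user_token_code,
        "hotp_from_seed_copy": seed_copy_code,
        "seed_copy_can_authenticate": user_token_code == seed_copy_code,
        "genuine_response_verifies": verify_response(challenge, genuine),
        "public_key_copy_can_forge": verify_response(challenge, attempted_forgery),
    }
```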

There are two big trends occurring now: increased adoption of two-factor authentication, driven by cloud-based services and compliance requirements such as PCI, and a re-evaluation of the price/benefit of expensive hardware tokens (which started well before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. It is my concern that we are not giving the matter any clear thought.
