
Security Missteps Made in the Name of Compliance

In the Five Security Missteps made in the Name of Compliance, Bill Brenner lists "How to Botch Multi-factor Authentication" first.  The point is that if you open holes for users that have forgotten their hardware tokens, you have circumvented your own security, eliminating the value of two-factor authentication.

WiKID helps prevent the need for this type of circumvention in two ways. First, with the wireless tokens the user would have to forget their Blackberry, iPhone, or Android smartphone, which is much less likely because they actually like those things and/or need them for non-work purposes. Secondly, unlike most software tokens, WiKID is licensed per seat rather than per token. With shared-secret tokens, you get a list of seeds you can use, and you can only get extra seeds by paying for them. With WiKID, each unique username is a seat license and each user can have more than one token. A user who has forgotten a token can be issued a new one, perhaps on a USB drive. Obviously, you still have to properly validate that the user is who they say they are, but you do not have to open a door to single-factor authentication.
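As an added illustration (not WiKID's code), the following model contrasts the "forgot my token" bypass the post warns about with the seat-based alternative it describes: several tokens under one username, so a lost token is revoked and replaced rather than exempted. The usernames, secrets, password storage and the TOTP construction are assumptions for the demo.

```python
import hashlib, hmac, secrets, struct

class MfaRegistry:
    """One seat per username, any number of OTP tokens under it (constructed model)."""
    def __init__(self):
        self.pw_hash = {}   # username -> sha256(password); a real system uses a slow KDF
        self.tokens = {}    # username -> {token_id: shared secret}
    def add_user(self, user, password):
        self.pw_hash[user] = hashlib.sha256(password.encode()).digest()
        self.tokens[user] = {}
    def issue_token(self, user):
        """Provision another token on the same seat; returns (token_id, secret)."""
        token_id, secret = secrets.token_hex(4), secrets.token_bytes(20)
        self.tokens[user][token_id] = secret
        return token_id, secret
    def revoke_token(self, user, token_id):
        self.tokens[user].pop(token_id, None)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 code for the time window containing `now` (HMAC-SHA1 as in RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def password_ok(reg, user, password):
    expected = reg.pw_hash.get(user, b"")
    return hmac.compare_digest(expected, hashlib.sha256(password.encode()).digest())

def otp_ok(reg, user, otp, now):
    """Accept the code only if it matches one of the user's currently active tokens."""
    return any(hmac.compare_digest(totp(s, now), otp) for s in reg.tokens.get(user, {}).values())

def authenticate_botched(reg, bypass_users, user, password, otp, now):
    """The misstep: a 'forgot my token' list turns MFA into single-factor login."""
    if not password_ok(reg, user, password):
        return False
    return user in bypass_users or otp_ok(reg, user, otp, now)

def authenticate(reg, user, password, otp, now):
    """Hardened form: both factors are required for every login, no exemptions."""
    return password_ok(reg, user, password) and otp_ok(reg, user, otp, now)

def handle_lost_token(reg, user, lost_id, identity_verified):
    """Recovery under seat licensing: revoke the lost token and issue a replacement."""
    if not identity_verified:     # the help desk still has to vet the user out of band
        return None
    reg.revoke_token(user, lost_id)
    return reg.issue_token(user)
```

Revoking the lost token matters as much as issuing the replacement: whoever picks up the old device should not be able to produce valid codes.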

Hopefully, managers worried about quickly meeting compliance goals will find this post, helping them to not make the second mistake: failing to do enough research.
