Posted by:
admin
12 years, 10 months ago
Enterprise security architects are traditionally very wary of systems that rely on 3rd parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems not considering (or heavily discounting) the fact that RSA kept copies of the seeds for licensing purposes.
My intention here is not to pile on RSA, but rather to clarify the root cause because as organizations evaluate options to SecurID, they are often making the same mistake: Relying on a security vendor's infrastructure - or worse, using a system like SMS, where the provider is not even a security vendor! That's not to say that some organizations might be better off using a service, but that they should be aware of the risks. Just as some organizations will be better off "in the cloud" while some will not.
I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric encryption, services and software, etc. I don't know why that two-factor authentication is such an emotional issue. Pundits like to say things like "too little, too late"about it. Excessive negativity does nothing to increase security.
There are two big trends occurring now: an increase adoption in two-factor authentication due to cloud-based services and compliance requirements such as PCI and a re-evaluation of the price/benefit of expensive hardware tokens (which started well-before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. It is my concern that we are not giving any clear thoughts on the matter.
Share on Twitter Share on FacebookRecent Posts
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
- WiKID Android tokens had their data deleted over the weekend by Google Chrome bug
Archive
2024
- January (1)
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)