Posted by:
admin
15 years, 3 months ago
Ok, I slagged the concept of 'layered' authentication as a marketing neologism in my response to Eric Nolan's identity predictions for 2006. I was overcome by prediction hysteria. I've got to calm down...Here's the problem with most of the pitches I have seen for "layered authentication". Let's start with an actual pitch:
"Moving beyond the two-factor or multifactor authentication solutions available in the market today, the multi-layered approach provides a stronger form of authentication without compromising the online banking experience for end users. In addition to a user name and password, Intelligent Authentication leverages multiple patterns of online banking behavior and attributes of the online banking user to determine when it is necessary to block or challenge suspicious visitors."
I have a few problems with this:
1. "Moving beyond..." Let's judge the strength of the solution based on it's relative security. To break this security, all you need to do is a MITM replay attack, use a session hijacking trojan and/or know the user's challenge information. This really hasn't moved beyond.
2. What value is here? It's easy to log IP address, plant cookies, etc. I hope this is a free service. It's also easy to know which transactions are suspicious - the ones where money leaves an account.
3. A large number of users will absolutely hate this. They delete cookies, use WiFi in weird places and use multiple computers. They also have lots of money.
To me, layered authentication means session, host/mutual and transaction authentication. I think authentication needs to be consistent and involve the user. Using tools like cookies, which rely on DNS and are hidden from the user, aren't optimal solutions.
Share on Twitter Share on Facebook
Recent Posts
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
- WiKID Android tokens had their data deleted over the weekend by Google Chrome bug
Archive
2024
- January (1)
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)