Re: [WEB SECURITY] thoughts on two-factor web authentication?
- From: John Kinsella <jlk@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] thoughts on two-factor web authentication?
- Date: Thu, 6 Nov 2008 17:24:11 -0800
I've been looking at Usable Security (http://www.usable.com) recently
- product isn't released yet, but the video from Demo'08 is
interesting to watch. Basically, idea is a 2 factor cert-based auth
system with centralized management - so store the cert on your
computer, but if you go on vacation you can login to Usable's system
and invalidate the cert until you return. Seems interesting, and it's a
SAS model so no appliance to drop into your environment...I guess
we'll see if it lives up to the fanfare when they release.
John
On Nov 6, 2008, at 1:46 PM, Nick Owen wrote:
> Joe White wrote:
>> Any thoughts on vendor solutions for two-factor web application
>> authentication?
>>
>> Has anyone done a bake-off on the vendor solutions out there that they
>> can share?
>>
>> I am hearing this come up more and more with customers and am curious
>> if others are sensing a change in customer perception here as well.
>>
> Joe:
>
> Some thoughts from a vendor, if that helps...consider the source, as
> they say...
>
> The vast majority of our commercial business is straight VPN, PCI driven
> or folks switching to a lower cost solution. However, we're seeing some
> web application interest and not just on the banking front, but also for
> cross-company extranets. This could be because web-app devs are using
> the open source version and we don't know about it, but I doubt it b/c I
> like to think I have a pulse on the community.
>
> IMO, the sector needs more in-depth analysis from a security
> perspective. Otherwise, showing a picture will be considered "mutual
> authentication".
>
> Sincerely,
>
> nick
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404-962-8983 (desk)
> http://www.wikidsystems.com
> Commercial/Open-source two-factor authentication