
[WEB SECURITY] thoughts on two-factor web authentication?



A friend forwarded this post to me, as he knew I could probably add
some useful info to the discussion.  I would suggest looking into
http://www.myOneLogin.com, which is a service offered by TriCipher
("TACS", "ID Vault", "TriCipher Authentication Gateway" ring any
bells?).  When first glancing at the offering, you might think that
you have to surrender all your user management to this online service,
but for your web applications, you could still keep your user database
in-house and use myOneLogin for managing your second factors in the
form of a cookie or SSL client cert (you can also manage/revoke your
2nd factors remotely).  You can even use the stronger authentication
from TriCipher with hardware and software tokens as your second
factor.  All very flexible and configurable with a web service API to
help out if you need more control.

With that said, the added value of the myOneLogin is really in the
ability to federate.  Not only can it consume SAML to authenticate
you without login, but you could use myOneLogin as a SAML producer,
to get seamless SSO into federated applications.  This of course
includes various VPN vendors, and you can probably see where I am
going with this.  As a web developer, I just need to enable my web
site as a SAML consumer, and let myOneLogin handle all the
authentication and user management.

Just some food for thought if you are looking around for a really
flexible solution that can offer strong authentication.

/Tomas
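Enabling a web site "as a SAML consumer", as Tomas describes, still leaves the service-provider-side checks to the developer. The following is an added example, not code from the post or from TriCipher's product: it runs the checks a consumer must do after XML signature verification (Destination, Issuer, InResponseTo, assertion replay, validity window, Audience) against a constructed response. The entity IDs, URLs, request ID and timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Response an IdP might POST to our assertion consumer URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  InResponseTo="_req42" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-11-06T17:00:00Z" NotOnOrAfter="2008-11-06T17:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2008, 11, 6, 17, 2, tzinfo=timezone.utc)  # assumed clock

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, sp_entity_id, acs_url, idp_entity_id,
                   pending_requests, seen_assertions, now):
    """Return the NameID if all consumer-side checks pass, else raise ValueError.
    Assumes the XML signature was already verified by an XML-DSig library;
    these are the checks that remain after that step (no clock-skew allowance)."""
    root = ET.fromstring(xml)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match our ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected Issuer")
    req_id = root.get("InResponseTo")
    if req_id not in pending_requests:
        raise ValueError("unsolicited or already-consumed InResponseTo")
    assertion = root.find("saml:Assertion", NS)
    aid = assertion.get("ID")
    if aid in seen_assertions:
        raise ValueError("assertion replay")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    pending_requests.discard(req_id)   # exactly one response per outstanding request
    seen_assertions.add(aid)           # remember the assertion ID until NotOnOrAfter
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```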


From: John Kinsella [mailto:jlk@xxxxxxxxxxxxxx]
Sent: Thursday, November 06, 2008 5:24 PM
To: WASC Forum
Subject: Re: [WEB SECURITY] thoughts on two-factor web authentication?

I've been looking at Usable Security (http://www.usable.com) recently
- product isn't released yet, but the video from Demo'08 is
interesting to watch.  Basically, idea is a 2 factor cert-based auth
system with centralized management - so store the cert on your
computer, but if you go on vacation you can login to Usable's system
and invalidate the cert until you return. Seems interesting, and it's a
SAS model so no appliance to drop into your environment...I guess
we'll see if it lives up to the fanfare when they release.

John

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA