Posted by AnthonyM on October 24, 2007, 12:04 pm
> I'm looking for input on authentication mechanisms for a financial
> service.
>
> We don't think that username+password login across a https connection
> sounds secure enough by itself, and are looking for ways to increase
> security.
>
> One-time passwords over e.g. SMS as a second step after successful
> login sounds very good, but we have concerns about the associated
> costs.
>
> Client side certificates were brought up as a cheaper option. It's one
> more technical hurdle for our users, but if they make up for it in
> security, and we save more than our support cost goes up, I guess they
> could be worth it.
>
> A client cert does prevent brute-forcing random accounts; you'd have
> to gain access to the certificate first. And if you do gain access to
> a certificate, intercepting a one-time password as it's being
> submitted probably isn't a lot harder.
>
> Thoughts? Any suggestions appreciated,
> Isak
We've come up with an interesting new approach for 2-factor that is
cheap/free and is not as easily man-in-the-middle attackable as
"token" solutions. It's called PhoneFactor and it is different from
the SMS solutions you mentioned before. Basically, it includes a call
to a phone and a verification either using # or a PIN number for a
little bit more security. You should at least take a look at
www.phonefactor.net.
Anthony Maughan
Systems Engineer, MSCE + Security
Positive Networks
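The thread compares one-time codes delivered out of band (SMS, a phone call) with client certificates, and raises the brute-force question. Whatever the delivery channel, the server side of a "code after password login" step needs the same bookkeeping: the code is consumed on first use, it expires, and a small attempt cap stops anyone from walking the six-digit space. The following is an added example written for this page; it is not code from the original post, from Positive Networks, or from PhoneFactor. The class and function names (OtpStore, PendingCode, demo), the code length, the two-minute lifetime and the three-attempt limit are assumptions chosen for illustration, and delivery of the code is left to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: 6-digit numeric code, typical for SMS delivery
CODE_TTL_SECONDS = 120   # assumption: a code is valid for two minutes
MAX_ATTEMPTS = 3         # assumption: three guesses, then the pending login is discarded


@dataclass
class PendingCode:
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpStore:
    """Server-side state for one-time codes issued after a successful password login.

    The code is never stored in clear: only a salted HMAC is kept, and comparison
    is constant-time. Delivery (SMS, voice call) is outside this class; issue()
    returns the code so the caller can send it over the out-of-band channel.
    """

    def __init__(self, now=time.time):
        self._now = now                                # injectable clock for testing
        self._pending: dict[str, PendingCode] = {}     # session_id -> pending code

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh code for this login session, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = os.urandom(16)
        self._pending[session_id] = PendingCode(
            salt=salt,
            code_hash=self._hash(salt, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, session_id: str, submitted: str) -> tuple[bool, str]:
        """Check a submitted code. The code is consumed on success, expiry or lockout."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False, "no pending code"
        if self._now() > rec.expires_at:
            del self._pending[session_id]
            return False, "expired"
        rec.attempts += 1
        if hmac.compare_digest(self._hash(rec.salt, submitted), rec.code_hash):
            del self._pending[session_id]      # one-time: a captured code cannot be replayed
            return True, "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]      # back to the password step for a new code
            return False, "too many attempts"
        return False, "wrong code"


def demo() -> dict:
    """Walk through replay, expiry and lockout using a controllable clock."""
    clock = [1_000.0]
    store = OtpStore(now=lambda: clock[0])
    out = {}

    code = store.issue("login-1")
    out["correct"] = store.verify("login-1", code)
    out["replay"] = store.verify("login-1", code)

    code = store.issue("login-2")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired"] = store.verify("login-2", code)

    code = store.issue("login-3")
    wrong = "000000" if code != "000000" else "111111"
    out["guesses"] = [store.verify("login-3", wrong) for _ in range(MAX_ATTEMPTS)]
    out["after_lockout"] = store.verify("login-3", code)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The attempt cap is what makes a six-digit code defensible: with three guesses per code and a fresh code on every login, an attacker who has the password still has a 3 in a million chance per login rather than an unbounded search. Note that none of this protects against the interception case raised in the thread; a code that is phished and relayed within its lifetime verifies correctly, which is the point Anthony makes about token-style schemes.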