Tuesday, March 15, 2005

Strong Authentication

Nick Owen commented on "Strong Authentication" and set out his viewpoint. Nick makes some great points, keeping in mind that he apparently works for WiKID, which is billed as "Two-Factor authentication without the hassle factor".

From their technology page:

Architecture Overview

Fundamentally, WiKID works this way: A user selects the domain they wish to use and enters the PIN into their WiKID client. It is encrypted with the WiKID Server's public key - assuring that only that server can decrypt it with its private key. If the server can decrypt the PIN and it is correct and the account is active, it generates the one-time passcode (OTP) and encrypts it with the client's public key. The user then enters their username and the OTP into whatever service they are using, e.g. a VPN, which forwards it to the WiKID Server for validation.
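The exchange in the quoted overview, played end to end as an added example in Go. This is not WiKID's code and not from the original post: the Server and account types, the user "alice", the PIN 1234, the six-digit OTP, and RSA-OAEP standing in for "encrypted with the server's/client's public key" are all assumptions. What it shows is the two-step shape of the protocol: the PIN only ever travels encrypted to the server, an OTP exists only after the server has checked the PIN against an active account, and the OTP the VPN forwards is accepted once.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// Hypothetical model of the exchange quoted above, not WiKID's own code.
type account struct {
	pinHash   [32]byte       // only a hash of the PIN is kept server-side
	active    bool           // inactive accounts never receive an OTP
	clientPub *rsa.PublicKey // the OTP is encrypted back to this key
	otp       string         // pending one-time passcode, "" when none
}

type Server struct {
	key      *rsa.PrivateKey
	accounts map[string]*account // keyed by username
}

// RequestOTP is step one: the client's PIN arrives encrypted to the server's
// public key; a correct PIN on an active account yields an OTP encrypted to the client.
func (s *Server) RequestOTP(user string, encPIN []byte) ([]byte, error) {
	pin, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, encPIN, nil)
	if err != nil {
		return nil, errors.New("PIN was not encrypted to this server")
	}
	a, ok := s.accounts[user]
	if !ok || !a.active {
		return nil, errors.New("unknown or inactive account")
	}
	if h := sha256.Sum256(pin); subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN")
	}
	otp, err := newOTP(6)
	if err != nil {
		return nil, err
	}
	a.otp = otp
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, a.clientPub, []byte(otp), nil)
}

// Validate is step two: the relying service (e.g. a VPN) forwards the username and
// OTP the user typed. The pending OTP is consumed on the first attempt, match or not.
func (s *Server) Validate(user, otp string) bool {
	a, ok := s.accounts[user]
	if !ok || a.otp == "" {
		return false
	}
	match := subtle.ConstantTimeCompare([]byte(a.otp), []byte(otp)) == 1
	a.otp = "" // single use: a captured OTP cannot be replayed, guesses are capped
	return match
}

func newOTP(digits int) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit) // uniform in [0, 10^digits)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", digits, n.Int64()), nil // zero-padded
}

// RunExchange enrolls "alice" with enrolledPIN, has the client submit typedPIN, and
// returns whether the VPN's first validation succeeded and whether a replay did.
func RunExchange(enrolledPIN, typedPIN string) (bool, bool, error) {
	srvKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, errors.New("key generation failed")
	}
	srv := &Server{key: srvKey, accounts: map[string]*account{}}
	srv.accounts["alice"] = &account{pinHash: sha256.Sum256([]byte(enrolledPIN)), active: true, clientPub: &clientKey.PublicKey}
	encPIN, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.key.PublicKey, []byte(typedPIN), nil) // client side
	if err != nil {
		return false, false, err
	}
	encOTP, err := srv.RequestOTP("alice", encPIN)
	if err != nil {
		return false, false, err
	}
	otp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, clientKey, encOTP, nil) // client shows OTP to user
	if err != nil {
		return false, false, err
	}
	first := srv.Validate("alice", string(otp))  // user types username + OTP into the VPN
	replay := srv.Validate("alice", string(otp)) // same OTP presented a second time
	return first, replay, nil
}

func main() {
	first, replay, err := RunExchange("1234", "1234")
	fmt.Println("first:", first, "replay:", replay, "err:", err)
}
```

Two details of the model are worth noticing against the question the post goes on to ask. The PIN is a "something you know" check done by the server, and the OTP can only be recovered with the client's private key, so the second factor is whatever protects that key on the user's device. Everything the VPN itself sees is just a username and a short numeric code, which is why the server has to treat each OTP as single-use.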

That's a new twist on "token" usage. So we have a "PIN" and a "Username", plus a software client that turns them into an OTP. Is that "Strong" authentication?

As pointed out by Dave Kerns: "A password should be sufficient to protect a printer from misuse. A bank vault will require controls that are more stringent. But what about the launch sequence of a nuclear missile?"

So, how would we rate WiKID for usage:

  • Printer: Sure
  • Bank Account: Probably
  • Nuclear Missile: Probably Not

Does the WiKID Client meet these criteria?

  1. An authentication method must be strong; no, it must offer a virtually undeniable method of authentication.
  2. Strong authentication must be usable not only by onsite employees, but also by remote employees, business partners and customers.
  3. It must be easy for the users, remembering The Law of Human Integration. This is vital: if it is difficult, users will make "cheat sheets" to get around the difficulty.

-jim

Copyright © jeemster