Re: Evaluating Two Factor Authentication

[Meenal Mukadam <meenal.mukadam () niiconsulting com>]

Dear Mufambisi,

You can use the following procedure to generate your own:
1) Understand the mechanism of 2-factor authentication
2) Understand the limitations, risks and threat environment of the
2-factor authentication mechanism/s
3) Develop specific cases or an assessment checklist (it can cover
points like technological risks assessment, assessment of
configuration or deployment, load/stress handling capability, etc.)
4) Execute your assessment based on the cases you developed

A generic reference material:

Testing Multiple Factors Authentication (OWASP-AT-009)
http://www2.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)


Thanks and Regards,

Meenal A. Mukadam




On Sat, Oct 2, 2010 at 4:14 AM, M.D.Mufambisi <mufambisi () gmail com> wrote:
> i realise i did not ask my question properly. Im sorry. What i need is
> a primer on the two factor authentication inherent risks or the two
> factor authentication threat model to the service, processes (user
> registration, token issuance etc) and infrastructure (HSM etc). Assume
> the two factor is implemented on online banking.
>
> On 10/1/10, TAS <p0wnsauc3 () gmail com> wrote:
> > If you want to understand the concepts then Wikipedia should be a good start
> >
> > TAS
> >
> > On 1 October 2010 06:19, M.D.Mufambisi <mufambisi () gmail com> wrote:
> > > Hi,
> > >
> > > I will be evaluating 2 factor authentication scheme in the next coming
> > > days.
> > > Is there anyone who can point me to some good resources on this?
> > > Whitepapers..documents...anything?
> > >
> > > Regards
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs an SSL
> > > certificate.  We look at how SSL works, how it benefits your company and
> > > how your customers can tell if a site is secure. You will find out how to
> > > test, purchase, install and use a thawte Digital Certificate on your
> > > Apache web server. Throughout, best practices for set-up are highlighted
> > > to help you ensure efficient ongoing management of your encryption keys
> > > and digital certificates.
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------