SSO on the web, 2-factor security

15 pts.
Tags:
Security software
Web security
Looking for a secure authentication and authorization process on WWW - to include federated logon to multiple pages (single sign on behavior) with more security than uid/pwd access - but without issuing a physical device ("something you have")? Some websites are copperating partners - others are owned by the customer.

Software/Hardware used:
sharepoint but connect to many technologies

Answer Wiki

Thanks. We'll let you know when a new response is added.

The three factors are:
– something you know (password)
– something you are (biometrics)
– something you have

You want two factors and one cannot be “something you have.” So you’re looking at passwords and biometrics. I suppose a fingerprint scanner is out of the question, for the same reason as “something you have.” Iris scanner, too, I suppose.

Typing pattern recognition? There are many products that can be used to implement this as your second factor.

I’m unclear why you’re ruling out “something you have”. Consider DeepNet Security; the something you have could me a cell phone.

I’m unclear why you’re focusing on” two factor authentication,” either. Many people look at the problem of web application insecurity as a client authentication problem: “Can I trust that this person is who they say they are?” Then increase their confidence with two-factor authentication. Actually, security breeches are often better prevented with two way authentication (mutual authentication). This is typically done business to business (“Can I trust you?” “Yes, but can I trust you?”). There is no reason a business shouldn’t recognize that it has an obligation to its customers. “Can I trust that the customer is actually connecting to my web application, not some man in the middle or impostor?” Extended validation of certificates (qualifying for the green bar in the URL box) is a partial measure. However, it relies upon the customer to enforce authentication, and that is not a reliable approach.

Two way authentication can be implemented using SSL Entrust  Mutual Authentication for Web Services: A Live Example. At a minimum, be prepared to explain why you have chosen to not do mutual authentication.

Or if you want two way, two factor authentication in a more exotic way, see DeepNet or products of its ilk. Just as an example, not an endorsement.

Oh, right. Sharepoint and multiple login requests should be mentioned.

Discuss This Question:  

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following