Why isn’t two way authentication with SSL implemented more often?
Home > IT Answers > Security > Why isn't two way authentication with SSL imp...
Rklanke
750 pts.
0
Q:
Why isn't two way authentication with SSL implemented more often?
SSL, SSL Certificates, Authentication
We hear about SSL vulnernabilities, how SSL is "broken." One complaint I don't hear often enough is the lack of attention to Certificate Revocation Lists. For example, Verisign could revoke a certificate and Firefox users would continue to think they were making a trustworthy connection. That's a client confidence headline waiting to happen.

But suppose you are an eCommerce site who is trying their best to provide a secure transaction enviironment. You've paid for extended validation. You recognize that the green bar should give the customer more confidence in your site's security, but you also recognize that security relies upon the customer watching for the green bar. That manual task of watching the URL bar change colors must be performed consistently.

Why would you choose to NOT implement two way authentication using SSL? Why is this common with business to business commerce, but otherwise rare?
ASKED: Sep 7 2009  9:23 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Labnuke99
26245 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
It's that 4-letter word COST. It would cost something additional for each user using the 2-factor method. The costs would not be just for the token or other authentication factor but also for the support required to handle the additional user questions and issues. 2-factor authentication adds complexity. So a business has to decide if that is worth the costs to manage the risks.
Last Answered: Sep 8 2009  1:53 PM GMT by Labnuke99   26245 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Rklanke   750 pts.  |   Sep 8 2009  2:03PM GMT

Labnuke99, you’re thinking of two factor authentication. Two way or mutual authentication requires no additional device.

Cost could still be the answer.

 

Labnuke99   26245 pts.  |   Sep 8 2009  2:57PM GMT

I apparently misunderstood the question - Well, then 2-way authentication would still require some mechanism of “trust” for the client side - whether that be a client certificate or a dongle of some type. Somebody would have to pay for the client certificate and manage it or pay for the hardware costs. How else would you “trust” the device/user/network authenticating to the host/service requesting credentials?

 

Rklanke   750 pts.  |   Sep 8 2009  10:27PM GMT

Cost could be the answer.

Deploying the certificate may or may not be the significant barrier. I suspect customers would willingly install a certificate; they willingly install almost anything. This time, it would be for their own good. Barriers, however, would include devices that don’t support installing certificates (but have web browsers and we really want their business) or shared devices (again, commerce wants to be available from anywhere). “Mutual authentication is a great idea in theory, but assumes static clients.” Some answer like that.

I’m only guessing. Could be cost; could be certificate management … could be another consideration that hasn’t occurred to me.

 
0