Why isn’t two way authentication with SSL implemented more often?

Tags:
Authentication
SSL
SSL Certificates
We hear about SSL vulnerabilities, how SSL is "broken." One complaint I don't hear often enough is the lack of attention to Certificate Revocation Lists. For example, Verisign could revoke a certificate and Firefox users would continue to think they were making a trustworthy connection. That's a client confidence headline waiting to happen. But suppose you are an eCommerce site that is trying its best to provide a secure transaction environment. You've paid for extended validation. You recognize that the green bar should give the customer more confidence in your site's security, but you also recognize that security relies upon the customer watching for the green bar. That manual task of watching the URL bar change colors must be performed consistently. Why would you choose to NOT implement two way authentication using SSL? Why is this common with business to business commerce, but otherwise rare?
ASKED: September 7, 2009  9:23 PM
UPDATED: September 8, 2009  10:27 PM

Answer Wiki


It’s that 4-letter word COST. It would cost something additional for each user using the 2-factor method. The costs would not be just for the token or other authentication factor but also for the support required to handle the additional user questions and issues. 2-factor authentication adds complexity. So a business has to decide if that is worth the costs to manage the risks.

Discuss This Question: 3 Replies

  • Rklanke
    Labnuke99, you're thinking of two factor authentication. Two way or mutual authentication requires no additional device. Cost could still be the answer.
  • Labnuke99
    I apparently misunderstood the question - Well, then 2-way authentication would still require some mechanism of "trust" for the client side - whether that be a client certificate or a dongle of some type. Somebody would have to pay for the client certificate and manage it or pay for the hardware costs. How else would you "trust" the device/user/network authenticating to the host/service requesting credentials?
  • Rklanke
    Cost could be the answer. Deploying the certificate may or may not be the significant barrier. I suspect customers would willingly install a certificate; they willingly install almost anything. This time, it would be for their own good. Barriers, however, would include devices that don't support installing certificates (but have web browsers and we really want their business) or shared devices (again, commerce wants to be available from anywhere). "Mutual authentication is a great idea in theory, but assumes static clients." Some answer like that. I'm only guessing. Could be cost; could be certificate management ... could be another consideration that hasn't occurred to me.
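Mutual (two way) TLS as the thread describes it, shown as an added example that is not from this thread or its participants: a Go program, using only the standard library, in which a server demands a client certificate issued by the shop's own CA, a customer holding such a certificate completes a request, and a customer without one is refused. The CA name demo-ca, the host shop.example and the customer name customer-42 are constructed for the example; the in-memory newCert helper stands in for the per-customer issuance step that the replies identify as the certificate management cost.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a short-lived, in-memory Ed25519 certificate for cn, signed by parent (self-signed when parent is nil); it stands in for a real CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey interface{}) (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, priv } // the root CA signs itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, cert
}

// mutualTLSDemo runs a server that requires a client certificate from the shop's CA and reports whether a customer with one, and one without, gets through.
func mutualTLSDemo() (withCert, withoutCert bool) {
	caTLS, caCert := newCert("demo-ca", true, nil, nil) // constructed demo CA
	pool := x509.NewCertPool(); pool.AddCert(caCert)     // the only trust anchor either side accepts
	serverCert, _ := newCert("shop.example", false, caCert, caTLS.PrivateKey)
	clientCert, _ := newCert("customer-42", false, caCert, caTLS.PrivateKey) // issued per customer
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.TLS.PeerCertificates[0].Subject.CommonName)) // identity comes from the verified certificate
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // this setting is what makes the authentication two-way
	srv.StartTLS(); defer srv.Close()
	try := func(certs []tls.Certificate) bool {
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "shop.example", Certificates: certs}}}
		resp, err := c.Get(srv.URL)
		if err != nil { return false } // the server refused the handshake: no trusted client certificate
		resp.Body.Close(); return resp.StatusCode == http.StatusOK
	}
	return try([]tls.Certificate{clientCert}), try(nil)
}
```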
