Single Sign-on Flaws Drive Need For 2FA

SecurEnvoy: 20 March 2012 (Technical Article)
Two-factor authentication (2FA) comes under the spotlight as US researchers discover pitfalls in single sign-on services

Commenting on weekend reports that US security researchers have discovered a number of flaws in single sign-on (SSO) services operated by a number of portals – including Google and PayPal – SecurEnvoy says this highlights the clear need for two-factor authentication (2FA) where financial or personal logins are concerned.

According to Steve Watts, co-founder of SecurEnvoy, the tokenless two-factor authentication specialist, the fact that the security flaws also affect social networking sites and services such as Facebook and Twitter – both of which have repeatedly been shown to have security shortcomings – is enough to set the alarm bells ringing.

“The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain-text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology,” he said.

“The problem for most users is that existing 2FA technologies require they truck an authentication device – typically a hardware token – around with them, making access when away from your regular desktop computer a cumbersome process. But since most Internet users have a mobile phone in their purse or pocket, they can turn to tokenless 2FA methodology to simplify matters,” he added.

The SecurEnvoy co-founder explained that the security flaws identified by the Indiana University/Microsoft researchers – which involve poor integration by Web site developers of the application programming interfaces (APIs) and a lack of end-to-end security checks – mean that many Web portals are affected by one or more of the eight “serious” problems revealed.

It will, he says, be interesting to hear how the researchers’ paper is received later this year when they present their findings at the IEEE Symposium on Security and Privacy on May 20-23 in San Francisco.

At that stage, he adds, the shortcomings in security methodologies that the Indiana University and Microsoft researchers have discovered during their lengthy project will be exposed to the world’s security experts, giving the researchers’ peers a chance to review and comment on the issues revealed.

Watts went on to say that using a smartphone as a tokenless authentication channel makes a lot of sense, as it allows the mobile owner to authenticate him or herself at almost any time – including during the online session when private credentials or financial transactions are involved.

“Putting it simply, this means that users can log into an online banking service – for example, authenticating themselves using tokenless 2FA on their mobile phone – and then when they want to pay a bill, they can authenticate themselves once again,” he said.

“If you look at PayPal, for example, whenever you do anything unusual – such as making a withdrawal to an unverified bank account – the PayPal computers will call the account holder on one of their nominated phone numbers, which could be a mobile, to authenticate the user. Extending the security envelope to include tokenless 2FA in these situations – as well as in the initial login process – makes a lot of sense,” he added.
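The step-up pattern Watts describes (a 2FA check at login and a second one before a sensitive transaction) in a minimal server-side form. This is an added illustration, not SecurEnvoy's product or any code from the article; the `StepUpSession` class, the 120-second code lifetime and the SMS wording are assumptions. The one-time code is bound to the payee and amount so that a code captured by a man-in-the-browser cannot approve an altered transaction, and it is single-use and time-limited.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed lifetime of a step-up code


def txn_digest(txn: dict) -> str:
    """Canonical digest of the transaction the user is asked to approve."""
    canon = "|".join(f"{k}={txn[k]}" for k in sorted(txn))
    return hashlib.sha256(canon.encode()).hexdigest()


class StepUpSession:
    """Hypothetical session: login-time 2FA result plus per-transaction step-up."""

    def __init__(self, user: str, login_2fa_ok: bool, clock=time.time):
        self.user = user
        self.logged_in = login_2fa_ok
        self.clock = clock            # injectable for testing expiry
        self._pending = None          # (otp, txn digest, issued-at)

    def request_step_up(self, txn: dict):
        """Issue a fresh code bound to this exact transaction."""
        if not self.logged_in:
            raise PermissionError("login-time 2FA has not completed")
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending = (otp, txn_digest(txn), self.clock())
        # Constructed message text: showing payee and amount lets the user
        # spot a transaction altered in the browser before approving it.
        return otp, f"Code {otp} to pay {txn['amount']} to {txn['payee']}"

    def approve(self, txn: dict, submitted_otp: str) -> bool:
        """True only for a fresh, unexpired code matching the same transaction."""
        if self._pending is None:
            return False
        otp, digest, issued = self._pending
        self._pending = None          # single use, whatever the outcome
        if self.clock() - issued > OTP_TTL_SECONDS:
            return False
        return (hmac.compare_digest(otp, submitted_otp)
                and hmac.compare_digest(digest, txn_digest(txn)))


if __name__ == "__main__":
    session = StepUpSession("alice", login_2fa_ok=True)
    payment = {"payee": "ACME Utilities", "amount": "250.00"}
    code, sms = session.request_step_up(payment)
    print(sms)
    print("approved:", session.approve(payment, code))
```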

© 2012 ProSecurityZone.com