US researchers find flaws in single sign-on
According to Steve Watts, co-founder of SecurEnvoy - the tokenless two-factor authentication specialist(tm), the fact that the security flaws also include social networking sites/services such as Facebook and Twitter - both of which have been repeatedly shown to have their security shortcomings - is enough to set the alarm bells ringing.
"The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and - in particular - wireless Internet connections, there is clearly a need for 2FA technology," he said.
"The problem for most users is that existing 2FA technologies require they truck an authentication device - typically a hardware token - around with them, making access when away from your regular desktop computer a cumbersome process. But since most Internet users have a mobile phone in their purse or pocket, they can turn to tokenless 2FA methodology to simplify matters," he added.
The SecurEnvoy co-founder explained that the security flaws identified by the Indiana University/Microsoft researchers - which involve poor integration by Web site developers of the application programming interfaces (API) and a lack of end-to-end security checks - mean that many Web portals are affected by one or more of the eight "serious" problems revealed.
It will, he says, be interesting to hear how the researchers' paper is received later this year when they present their findings at the IEEE Symposium on Security and Privacy on May 20-23 in San Francisco.
At that stage, he adds, the shortcomings in security methodologies that the Indiana University and Microsoft researchers have discovered during their lengthy project will be exposed to the world's security experts, giving the researchers' peers a chance to review and comment on the issues revealed.
Watts went on to say that using a smartphone as a tokenless authentication channel makes a lot of sense, as it allows the mobile owner to authenticate him or herself at almost any time - including during the online session when private credentials or financial transactions are involved.
"Putting it simply, this means that users can log into an online banking service - for example, authenticating themselves using tokenless 2FA on their mobile phone - and then when they want to pay a bill, they can authenticate themselves once again," he said.
"If you look at PayPal, for example, whenever you do anything unusual - such as making a withdrawal to an unverified bank account, for example - the PayPal computers will call the account holder on one of their nominated phone numbers, which could be a mobile, to authenticate the user. Extending the security envelope to include tokenless 2FA in these situations - as well as to the initial login process - makes a lot of sense," he added.
For more on SecurEnvoy: http://www.securenvoy.com/
For more on the Indiana University SSO security research: http://zd.net/w17DIc
SecurEnvoy is the trusted global leader of Tokenless(r) two-factor authentication. SecurEnvoy lead the way as pioneers of mobile phone based Tokenless(r) authentication.
Their innovative approach to the Tokenless(r) market now sees thousands of users benefitting from their solutions all over the world. With users deployed across five continents, their customers benefit from significantly reduced time to deploy; a zero-footprint approach means there is no remote software deployment, and administrators enjoy management tools that allow them to rapidly deploy up to 20,000 users per hour.
With its channel-centric approach, SecurEnvoy continues to expand its revenue and profitability year on year with customers in Banking, Finance, Insurance, Government, Manufacturing, Marketing, Retail, Telecommunications, Charity, Legal and Construction. Their partners include Juniper, Citrix, Fortinet, Sonic Aventail, Cisco, Checkpoint, Microsoft, F5 and others.
For more information please contact: Yvonne Eskenzi on 0207 183 2832 or email Yvonne@eskenzipr.com
((M2 Communications disclaims all liability for information provided within M2 PressWIRE. Data supplied by named party/parties. Further information on M2 PressWIRE can be obtained at http://www.presswire.net on the world wide web. Inquiries to firstname.lastname@example.org.