
assurance - RE: [Assurance] silver and two-factor ...

Subject: Assurance

  • From: "Caskey, Paul" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Tue, 13 Mar 2012 16:55:20 +0000
  • Accept-language: en-US
  • Authentication-results: ironport160a.utsystem.edu; dkim=neutral (message not signed) header.i=none

IMHO, and as someone said on a list a week or two ago, there is no such thing
as a strong password when all an attacker has to do is ask a user for their
password and, all too often, get it. So, for us, that's why we are looking
at 2 factor.

That said, I'm sure someone is already working on a new crafty spam mail
"Please mail me your 2nd factor token and PIN and I will then wire you $10
million from this Nigerian prince...". :)




> -----Original Message-----
> From: On Behalf Of Steven Carmody
> Sent: Tuesday, March 13, 2012 11:48 AM
> To:
> Subject: [Assurance] silver and two-factor ...
>
> I'm wondering why so many sites that are interested in Silver are so
> interested in two-factor....
>
> I haven't looked at the Silver profile in a long time. But, my memory is
> that strong passwords, stored sufficiently securely, and not replicated into
> uncontrolled environments (e.g. Google), would pass muster with Silver. I'm
> assuming, of course, that the other Silver criteria (e.g. around identity
> proofing, account claiming, etc.) would also be met.
>
> I can imagine that there may be issues with those passwords passing through
> a variety of systems (e.g. systems that are then authenticating users against
> a central LDAP, for instance). But, that's just a guess -- I would be
> interested in hearing about specific concerns that are driving sites toward
> two-factor.
>
> Thanks for any light you can shine on this!


