assurance - RE: [Assurance] silver and two-factor ...
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] silver and two-factor ...
- Date: Tue, 13 Mar 2012 12:48:06 -0500
By adopting the Silver assurance level, my assumption is that password-based
authentication, despite any flaws, is deemed good enough for the
applications/services leveraging it.
Perhaps the interest in two-factor is actually an indication of the need for
Gold assurance?
-----Original Message-----
From: On Behalf Of Caskey, Paul
Sent: Tuesday, March 13, 2012 11:55 AM
To:
Subject: RE: [Assurance] silver and two-factor ...
IMHO, and as someone said on a list a week or two ago, there is no such thing
as a strong password when all an attacker has to do is ask a user for their
password and, all too often, get it. So, for us, that's why we are looking
at 2 factor.
That said, I'm sure someone is already working on a new crafty spam mail
"Please mail me your 2nd factor token and PIN and I will then wire you $10
million from this Nigerian prince...". :)
> -----Original Message-----
> From: On Behalf Of Steven Carmody
> Sent: Tuesday, March 13, 2012 11:48 AM
> To:
>
> Subject: [Assurance] silver and two-factor ...
>
> I'm wondering why so many sites that are interested in Silver are so
> interested in two-factor....
>
> I haven't looked at the Silver profile in a long time. But, my memory is
> that strong passwords, stored sufficiently securely, and not replicated into
> uncontrolled environments (e.g. Google), would pass muster with Silver. I'm
> assuming, of course, that the other Silver criteria (e.g. around identity
> proofing, account claiming, etc.) would also be met.
>
> I can imagine that there may be issues with those passwords passing through
> a variety of systems (e.g. systems that are then authenticating users against
> a central LDAP, for instance). But, that's just a guess -- I would be
> interested in hearing about specific concerns that are driving sites toward
> two-factor.
>
> Thanks for any light you can shine on this!