Assurance

["Frazier, William S [ITSYS]" <>]

Perhaps the two-factor and silver interests are not always related except
by coincidence.  Silver assurance is needed because an affiliation
requires it.  At the same time, multi-factor is needed because auditors
are pushing for it.

Bill
------------------------------------------------------------------
Bill Frazier                                 

Unix OS, Apps, Evolving Technologies Lead   voice: (515) 294-8620
Iowa State University                        fax:   (515) 294-1717
Information Technology Services, 251 Durham, Ames, Iowa 50011-2251






On 3/13/12 12:48 PM, "Jones, Mark B" 
<>
 wrote:

>By adopting the Silver assurance level my assumption is that password
>based authentication, despite any flaws, is deemed good enough for the
>applications/services leveraging it.
>
>Perhaps the interest in two-factor is actually an indication of the need
>for Gold assurance?
>
>-----Original Message-----
>From: 
>
>[mailto:]
> On Behalf Of Caskey, Paul
>Sent: Tuesday, March 13, 2012 11:55 AM
>To: 
>
>Subject: RE: [Assurance] silver and two-factor ...
>
>IMHO, and as someone said on a list a week or two ago, there is no such
>thing as a strong password when all an attacker has to do is ask a user
>for their password and, all too often, get it.   So, for us, that's why
>we are looking at 2 factor.
>
>That said, I'm sure someone is already working on a new crafty spam mail
>"Please mail me your 2nd factor token and PIN and I will then wire you
>$10 million from this Nigerian prince...".   :)
>
>
>
>
>> -----Original Message-----
>> From: 
>> 
>>  [
>> ]
>>  On Behalf Of Steven Carmody
>> Sent: Tuesday, March 13, 2012 11:48 AM
>> To: 
>> 
>> Subject: [Assurance] silver and two-factor ...
>> 
>> I'm wondering why so many sites that are interested in Silver are so
>> interested in two-factor....
>> 
>> I haven't looked at the Silver profile in a long time. But, my memory
>>is that
>> strong passwords, stored sufficiently securely, and not replicated into
>> uncontrolled environments (eg google), would pass muster with Silver.
>>I'm
>> assuming, of course, that the other Silver criteria (eg around identity
>> proofing, account claiming, etc) would also be met.
>> 
>> I can imagine that there may be issues with those passwords passing
>>through
>> a variety of systems (eg systems that are then authenticating users
>>against a
>> central ldap, for instance). But, that's just a guess -- I would be
>>interested in
>> hearing about specific concerns that are driving sites toward
>>two-factor.
>> 
>> Thanks for any light you can shine on this!