Skip to Content.
Sympa Menu

assurance - RE: [Assurance] silver and two-factor ...

Subject: Assurance

List archive

RE: [Assurance] silver and two-factor ...


Chronological Thread 
  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Tue, 13 Mar 2012 13:11:42 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

I'm not sure what you mean by an 'affiliation' requiring Silver assurance?

If auditors are pushing for multi-factor then to me that translates to
auditors pushing for an assurance level higher than Silver.

Silver is a defined assurance level. If that level of assurance is not
sufficient then you should be pushing for Gold assurance, IMHO.

-----Original Message-----
From:


[mailto:]
On Behalf Of Frazier, William S [ITSYS]
Sent: Tuesday, March 13, 2012 1:03 PM
To:

Subject: Re: [Assurance] silver and two-factor ...

Perhaps the two-factor and silver interests are not always related except
by coincidence. Silver assurance is needed because an affiliation
requires it. At the same time, multi-factor is needed because auditors
are pushing for it.

Bill
------------------------------------------------------------------
Bill Frazier

Unix OS, Apps, Evolving Technologies Lead voice: (515) 294-8620
Iowa State University fax: (515) 294-1717
Information Technology Services, 251 Durham, Ames, Iowa 50011-2251






On 3/13/12 12:48 PM, "Jones, Mark B"
<>
wrote:

>By adopting the Silver assurance level my assumption is that password
>based authentication, despite any flaws, is deemed good enough for the
>applications/services leveraging it.
>
>Perhaps the interest in two-factor is actually an indication of the need
>for Gold assurance?
>
>-----Original Message-----
>From:
>
>[mailto:]
> On Behalf Of Caskey, Paul
>Sent: Tuesday, March 13, 2012 11:55 AM
>To:
>
>Subject: RE: [Assurance] silver and two-factor ...
>
>IMHO, and as someone said on a list a week or two ago, there is no such
>thing as a strong password when all an attacker has to do is ask a user
>for their password and, all too often, get it. So, for us, that's why
>we are looking at 2 factor.
>
>That said, I'm sure someone is already working on a new crafty spam mail
>"Please mail me your 2nd factor token and PIN and I will then wire you
>$10 million from this Nigerian prince...". :)
>
>
>
>
>> -----Original Message-----
>> From:
>>
>> [
>> ]
>> On Behalf Of Steven Carmody
>> Sent: Tuesday, March 13, 2012 11:48 AM
>> To:
>>
>> Subject: [Assurance] silver and two-factor ...
>>
>> I'm wondering why so many sites that are interested in Silver are so
>> interested in two-factor....
>>
>> I haven't looked at the Silver profile in a long time. But, my memory
>>is that
>> strong passwords, stored sufficiently securely, and not replicated into
>> uncontrolled environments (eg google), would pass muster with Silver.
>>I'm
>> assuming, of course, that the other Silver criteria (eg around identity
>> proofing, account claiming, etc) would also be met.
>>
>> I can imagine that there may be issues with those passwords passing
>>through
>> a variety of systems (eg systems that are then authenticating users
>>against a
>> central ldap, for instance). But, that's just a guess -- I would be
>>interested in
>> hearing about specific concerns that are driving sites toward
>>two-factor.
>>
>> Thanks for any light you can shine on this!




Archive powered by MHonArc 2.6.16.

Top of Page