assurance - RE: [Assurance] silver and two-factor ...

  • From: "Dunker, Mary" <>
  • To: "''" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Tue, 13 Mar 2012 14:18:04 -0400
  • Accept-language: en-US

One of Virginia Tech's drivers for submitting 2-factor for Silver
certification is that our hardware token-issuing process already includes
rigorous face-to-face identity proofing and verification procedures. In
contrast, our IDs and passwords are issued via self-service, with
identity-proofing that would be more difficult to audit.

Mary
-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327


--------------------------------------------------------------------


-----Original Message-----
From:


[mailto:]
On Behalf Of Frazier, William S [ITSYS]
Sent: Tuesday, March 13, 2012 2:03 PM
To:

Subject: Re: [Assurance] silver and two-factor ...

Perhaps the two-factor and silver interests are not always related except by
coincidence. Silver assurance is needed because an affiliation requires it.
At the same time, multi-factor is needed because auditors are pushing for it.

Bill
------------------------------------------------------------------
Bill Frazier

Unix OS, Apps, Evolving Technologies Lead voice: (515) 294-8620
Iowa State University fax: (515) 294-1717
Information Technology Services, 251 Durham, Ames, Iowa 50011-2251






On 3/13/12 12:48 PM, "Jones, Mark B"
<>
wrote:

>By adopting the Silver assurance level my assumption is that password
>based authentication, despite any flaws, is deemed good enough for the
>applications/services leveraging it.
>
>Perhaps the interest in two-factor is actually an indication of the
>need for Gold assurance?
>
>-----Original Message-----
>From:
>
>[mailto:]
> On Behalf Of Caskey, Paul
>Sent: Tuesday, March 13, 2012 11:55 AM
>To:
>
>Subject: RE: [Assurance] silver and two-factor ...
>
>IMHO, and as someone said on a list a week or two ago, there is no such
>thing as a strong password when all an attacker has to do is ask a user
>for their password and, all too often, get it. So, for us, that's why
>we are looking at 2 factor.
>
>That said, I'm sure someone is already working on a new crafty spam
>mail "Please mail me your 2nd factor token and PIN and I will then wire you
>$10 million from this Nigerian prince...". :)
>
>
>
>
>> -----Original Message-----
>> From:
>>
>> [
>> ]
>> On Behalf Of Steven Carmody
>> Sent: Tuesday, March 13, 2012 11:48 AM
>> To:
>>
>> Subject: [Assurance] silver and two-factor ...
>>
>> I'm wondering why so many sites that are interested in Silver are so
>> interested in two-factor....
>>
>> I haven't looked at the Silver profile in a long time. But, my memory
>> is that strong passwords, stored sufficiently securely, and not
>> replicated into uncontrolled environments (e.g. Google), would pass
>> muster with Silver. I'm assuming, of course, that the other Silver
>> criteria (e.g. around identity proofing, account claiming, etc.) would
>> also be met.
>>
>> I can imagine that there may be issues with those passwords passing
>> through a variety of systems (e.g. systems that are then authenticating
>> users against a central LDAP, for instance). But, that's just a guess
>> -- I would be interested in hearing about specific concerns that are
>> driving sites toward two-factor.
>>
>> Thanks for any light you can shine on this!



