assurance - RE: [Assurance] silver and two-factor ...
Subject: Assurance
List archive
- From: Russell J Yount <>
- To: "" <>
- Subject: RE: [Assurance] silver and two-factor ...
- Date: Wed, 14 Mar 2012 12:27:19 +0000
- Accept-language: en-US
One issue with password credentials is the possibility of brute force
password attacks from the Internet. The password policies in InCommon
Silver/Bronze mitigate the security risk but leave institutions open to
possibility of denial of service from the Internet due to lockout or
temporary suspension rules if the institution has a large number of services
exposed to the internet. We have seen very high rates of attacks on common
usernames such as "david".
Brute force attacks may be less likely or at least a different issue with
two-factor.
-Russ
Russell J. Yount
Identity Services
Carnegie Mellon University
> -----Original Message-----
> From:
>
> [
> ]
> On Behalf Of Steven Carmody
> Sent: Tuesday, March 13, 2012 11:48 AM
> To:
>
> Subject: [Assurance] silver and two-factor ...
>
> I'm wondering why so many sites that are interested in Silver are so
> interested in two-factor....
>
> I haven't looked at the Silver profile in a long time. But, my memory
> is that strong passwords, stored sufficiently securely, and not
> replicated into uncontrolled environments (eg google), would pass
> muster with Silver. I'm assuming, of course, that the other Silver
> criteria (eg around identity proofing, account claiming, etc) would also be
> met.
>
> I can imagine that there may be issues with those passwords passing
> through a variety of systems (eg systems that are then authenticating
> users against a central ldap, for instance). But, that's just a guess
> -- I would be interested in hearing about specific concerns that are
> driving sites toward two-factor.
>
> Thanks for any light you can shine on this!
- Re: [Assurance] silver and two-factor ..., (continued)
- Re: [Assurance] silver and two-factor ..., Tom Scavo, 03/16/2012
- RE: [Assurance] silver and two-factor ..., Jones, Mark B, 03/16/2012
- RE: [Assurance] silver and two-factor ..., Dunker, Mary, 03/16/2012
- Re: [Assurance] silver and two-factor ..., Tom Scavo, 03/16/2012
- RE: [Assurance] silver and two-factor ..., Jones, Mark B, 03/16/2012
- RE: [Assurance] silver and two-factor ..., Jones, Mark B, 03/13/2012
- RE: [Assurance] silver and two-factor ..., Russell J Yount, 03/14/2012
Archive powered by MHonArc 2.6.16.