Assurance

[Russell J Yount <>]

One issue with password credentials is the possibility of brute force 
password attacks from the Internet. The password policies in InCommon 
Silver/Bronze mitigate the security risk but leave institutions open to 
possibility of denial of service from the Internet due to lockout or 
temporary suspension rules if the institution has a large number of services 
exposed to the internet. We have seen very high rates of attacks on common 
usernames such as "david". 

Brute force attacks may be less likely or at least a different issue with 
two-factor.

-Russ

Russell J. Yount
Identity Services
Carnegie Mellon University


> -----Original Message-----
> From: 
> 
>  [ 
> ]
>  On Behalf Of Steven Carmody
> Sent: Tuesday, March 13, 2012 11:48 AM
> To: 
> 
> Subject: [Assurance] silver and two-factor ...
> 
> I'm wondering why so many sites that are interested in Silver are so 
> interested in two-factor....
> 
> I haven't looked at the Silver profile in a long time. But, my memory 
> is that strong passwords, stored sufficiently securely, and not 
> replicated into uncontrolled environments (eg google), would pass 
> muster with Silver. I'm assuming, of course, that the other Silver 
> criteria (eg around identity proofing, account claiming, etc) would also be 
> met.
> 
> I can imagine that there may be issues with those passwords passing 
> through a variety of systems (eg systems that are then authenticating 
> users against a central ldap, for instance). But, that's just a guess 
> -- I would be interested in hearing about specific concerns that are 
> driving sites toward two-factor.
> 
> Thanks for any light you can shine on this!