From: Jeffory Atkinson (jatkinson@zelvin.com)
Date: Tue Jul 03 2007 - 14:35:48 EDT
Good day all,
I was wondering if anyone has come up for a solution for mitigating =
account harvesting via multifactor authentication. It seems to combat
phishing, = more and more sites are moving to multifactor authentication
but, there is an inherent security flaw in the logic that in my mind out
weighs potential phishing risk. In most instances that I have seen,
multifactor authentication requires a user to supply their user ID on one
page and = if the user is valid it will return a password page with an image
= accompanied with a user set phrase or request additional security
questions. This = logic allows anyone to attempt to harvest valid accounts.
Due to the fact if = it is not a valid account the application will not
return an image with a = phrase or the additional security questions. Any
thoughts or possible solutions welcomed.
Thanks for your time.
JA
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer
http://www.cenzic.com/wf-spi
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT