[WEB SECURITY] Single Sign-On with Images

Bill Pennington bill at whitehatsec.com
Fri May 27 12:07:07 EDT 2005


Not to be a downer or anything, but our good friend cross site  
scripting pretty much makes all these solutions useless. Useless  
might be a bit strong but it makes it trivial to circumvent.



On May 27, 2005, at 8:48 AM, Chris.Hammond-Thrasher at consulting.fujitsu.com wrote:

>
> Not only do we need new and better ways to handle user  
> authentication, but it is great that there are multiple options for  
> vendors.
>
> -CHT
>
> ................................................................................
> Chris Hammond-Thrasher  MLIS, CISSP
> FUJITSU CONSULTING
> Principal Management Consultant
> Library Technology / Security, Privacy and Technical Risk
> email: chris.hammond-thrasher at consulting.fujitsu.com
> Web: http://www.fujitsu.com/ca/
>
>
> Bill Pennington <bill at whitehatsec.com>
> 05/26/2005 05:18 PM
>
>
>         To:        websecurity at webappsec.org
>         cc:        (bcc: Chris Hammond-Thrasher/EDM/DMR/CA)
>         Subject:        Re: [WEB SECURITY] Single Sign-On with Images
>
>
>
> BofA today rolled out passmark
>
> http://baltimore.bizjournals.com/baltimore/stories/2005/05/23/daily23.html
>
> On May 26, 2005, at 11:50 AM, Gavin, Michael wrote:
>
> > Interesting.
> >
> > There is also a company called Real User that has a few products:
> > "Passface Toolkit," "Passfaces for Windows," and "Passfaces for IIS"
> > that also uses recognition of photographic images as the authentication
> > credential. With Passface you don't need a password and an image; rather
> > you select "your" image (assigned to you from their large database of
> > human faces when you register in their system) from the 9 or 16 that are
> > presented when authentication is required.
> >
> > -----Original Message-----
> > From: Bob Auger [mailto:bauger at spidynamics.com]
> > Sent: Thursday, May 26, 2005 2:16 PM
> > To: websecurity at webappsec.org
> > Subject: [WEB SECURITY] Single Sign-On with Images
> >
> > "Berkeley researchers propose a Mozilla extension to stop phishing
> > <http://www.sims.berkeley.edu/%7Erachna/papers/securityskins.pdf>. They
> > claim that users only need to remember one password and one image for
> > their lifetime to securely log in to any number of sites. They also use
> > uniquely generated visual hashes to "skin" trusted windows and webpages,
> > which is harder to spoof than the SSL lock icon. To verify that the skin
> > is legit, the user has to compare two images, which is easier for
> > novices than verifying a certificate" - http://slashdot.org/
> >
> >
> > Robert Auger
> > SPI Labs
> > rauger at spidynamics.com
> > Start Secure. Stay Secure.
> > Security Assurance Throughout the Application Lifecycle
> >
> >
> > ---------------------------------------------------------------------
> > The Web Security Mailing List
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives
> > http://www.webappsec.org/lists/websecurity/archive/
>
>
> ---
> Bill Pennington, CISSP, CCNA
> VP Services
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>


---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com

