[WEB SECURITY] Single Sign-On with Images
Lyal Collins
lyal.collins at key2it.com.au
Fri May 27 20:21:33 EDT 2005
I agree - this 'site image' authentication approach merely means a change
of tactics by phishers, 'pharmers' and attacks on bank accounts. In the
same way two-factor authentication is flawed against new tactics, this will
only provide a short term benefit, and maybe a small confidence boost to
consumers.
Lyal
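A toy model of the tactic change Lyal and Bill describe, added here as an illustration and not code from the thread or from any of the products named in it. The point it shows: a site image that the server hands out to whoever submits the username stops a look-alike page that has no contact with the real site (the image will not match), but a look-alike page that relays the username to the real site gets the same image to display and then captures the password the reassured user types. Bank, NaivePhish, PhishRelay, Victim, the account and the image ids are constructed for this example.

```python
# Added example (not from the list thread): a toy model of why a
# username-keyed "site image" is only a short-term obstacle to phishing.
# Bank, NaivePhish, PhishRelay, Victim and the image ids are hypothetical.
import hmac
import secrets


class Bank:
    """Real site: shows the enrolled image to whoever submits the username,
    then asks for the password."""

    def __init__(self):
        self._accounts = {}   # username -> (image_id, password)
        self._sessions = {}   # session id -> username

    def enroll(self, user, password, image_id):
        self._accounts[user] = (image_id, password)

    def begin_login(self, user):
        # The image is keyed only by the username, so any party that can
        # submit the username (the victim, or a relay) gets the same image.
        if user not in self._accounts:
            return None, None
        sid = secrets.token_hex(8)
        self._sessions[sid] = user
        return sid, self._accounts[user][0]

    def finish_login(self, sid, password):
        user = self._sessions.pop(sid, None)
        if user is None:
            return False
        return hmac.compare_digest(self._accounts[user][1], password)


class NaivePhish:
    """Look-alike page with no access to the bank: it can only guess an
    image. This is the attack the site image actually stops."""

    def __init__(self):
        self.captured = []

    def begin_login(self, user):
        return "fake-sid", "img-random-guess"

    def finish_login(self, sid, password):
        self.captured.append(password)
        return True


class PhishRelay:
    """Look-alike page that forwards the username to the real bank, shows
    the victim the real image, and captures the password the reassured
    victim types: the changed tactic the thread anticipates."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []
        self._pending = {}  # fake sid -> (user, real sid)

    def begin_login(self, user):
        real_sid, image = self.bank.begin_login(user)
        fake_sid = secrets.token_hex(8)
        self._pending[fake_sid] = (user, real_sid)
        return fake_sid, image  # the victim sees the image they expect

    def finish_login(self, fake_sid, password):
        user, real_sid = self._pending.pop(fake_sid)
        self.captured.append((user, password))
        # Complete the real login so the victim notices nothing unusual.
        return self.bank.finish_login(real_sid, password)


class Victim:
    """User who follows the advice: type the password only if the site
    image matches the one enrolled."""

    def __init__(self, user, password, expected_image):
        self.user = user
        self.password = password
        self.expected_image = expected_image

    def login(self, site):
        sid, image = site.begin_login(self.user)
        if image != self.expected_image:
            return "abort: unexpected site image"
        return "ok" if site.finish_login(sid, self.password) else "rejected"


def run_demo():
    bank = Bank()
    bank.enroll("alice", "correct horse", "img-017-sailboat")  # constructed data
    victim = Victim("alice", "correct horse", "img-017-sailboat")
    naive = NaivePhish()
    relay = PhishRelay(bank)
    return {
        "direct": victim.login(bank),
        "naive_phish": victim.login(naive),
        "naive_captured": naive.captured,
        "relay_phish": victim.login(relay),
        "relay_captured": relay.captured,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The check a reviewer of such a scheme would apply is the one the model makes explicit: whatever the server is willing to show before the password is entered is available to anyone who can present the same identifier, so it cannot authenticate the server to the user. Bill's cross-site scripting point is a different path to the same result, since script running in the real site's origin sees the image and the password field without any relay; the example does not model that case.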
-----Original Message-----
From: Bill Pennington [mailto:bill at whitehatsec.com]
Sent: Saturday, 28 May 2005 2:07 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Single Sign-On with Images
Not to be a downer or anything, but our good friend cross site
scripting pretty much makes all these solutions useless. Useless
might be a bit strong but it makes it trivial to circumvent.
On May 27, 2005, at 8:48 AM, Chris.Hammond-Thrasher at consulting.fujitsu.com wrote:
>
> Not only do we need new and better ways to handle user
> authentication, but it is great that there are multiple options for
> vendors.
>
> -CHT
>
> ................................................................................
> Chris Hammond-Thrasher MLIS, CISSP
> FUJITSU CONSULTING
> Principal Management Consultant
> Library Technology / Security, Privacy and Technical Risk
> email: chris.hammond-thrasher at consulting.fujitsu.com
> Web: http://www.fujitsu.com/ca/
>
>
> Bill Pennington <bill at whitehatsec.com>
> 05/26/2005 05:18 PM
>
>
> To: websecurity at webappsec.org
> cc: (bcc: Chris Hammond-Thrasher/EDM/DMR/CA)
> Subject: Re: [WEB SECURITY] Single Sign-On with Images
>
>
>
> BofA today rolled out passmark
>
> http://baltimore.bizjournals.com/baltimore/stories/2005/05/23/daily23.html
>
> On May 26, 2005, at 11:50 AM, Gavin, Michael wrote:
>
> > Interesting.
> >
> > There is also a company called Real User that has a few products:
> > "Passface Toolkit," "Passfaces for Windows," and "Passfaces for IIS"
> > that also use recognition of photographic images as the
> > authentication credential. With Passface you don't need a password
> > and an image; rather you select "your" image (assigned to you from
> > their large database of human faces when you register in their
> > system) from the 9 or 16 that are presented when authentication is
> > required.
> >
> > -----Original Message-----
> > From: Bob Auger [mailto:bauger at spidynamics.com]
> > Sent: Thursday, May 26, 2005 2:16 PM
> > To: websecurity at webappsec.org
> > Subject: [WEB SECURITY] Single Sign-On with Images
> >
> > "Berkeley researchers propose a Mozilla extension to stop phishing
> > <http://www.sims.berkeley.edu/%7Erachna/papers/securityskins.pdf>.
> > They claim that users only need to remember one password and one
> > image for their lifetime to securely log in to any number of sites.
> > They also use uniquely generated visual hashes to "skin" trusted
> > windows and webpages, which is harder to spoof than the SSL lock
> > icon. To verify that the skin is legit, the user has to compare two
> > images, which is easier for novices than verifying a certificate."
> > - http://slashdot.org/
> >
> >
> > Robert Auger
> > SPI Labs
> > rauger at spidynamics.com
> > Start Secure. Stay Secure.
> > Security Assurance Throughout the Application Lifecycle
> >
> >
> >
> > ---------------------------------------------------------------------
> > The Web Security Mailing List
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives
> > http://www.webappsec.org/lists/websecurity/archive/
>
>
> ---
> Bill Pennington, CISSP, CCNA
> VP Services
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>
---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com