[WEB SECURITY] Password Reset

Nick Owen nowen at wikidsystems.com
Thu May 27 10:30:18 EDT 2010


Paul:

First, WiKID vs certs:  Unlike certs, WiKID is a flat public key
architecture.  The token encrypts a PIN and send it to the server for
validation. Thus, unlike certs, WiKID is not vulnerable to an
offline-brute force attack of the key store.  The server returns an OTP,
so you can use WiKID wherever you might use a password.  This means that
unlike certs, you can use WiKID for both a website and SSH, e.g. And of
course, there are no white/black lists to maintain, etc.

Re Openid: There's nothing to stop you from adding openid to WiKID. We
actually had a demo site that offered free openid with WiKID for
two-factor auth, but when we had to move servers, we decided to drop it
due to lack of interest. If there is interest, we can release the code
as open source or set it up again.  WiKID includes the Google SAML/SSO
code already, so SAML is an option too.

HTH,

Nick

On 05/27/2010 05:46 AM, Paul Johnston wrote:
> Hi,
> 
> Does this provide any benefits over an OpenID provider that uses SSL
> client certificates to authenticate users?
> 
> Paul
> 
> 
> On 26/05/2010 18:38, Nick Owen wrote:
>> Instead of developing an in-house OTP solution, you could utilize and
>> contribute to our open-source two-factor auth solution:
>>
>> http://www.wikidsystems.com/community-version
> 
> 

-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
http://twitter.com/wikidsystems
#wikid on irc.freenode.net

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list