Grand Claims Require Solid Evidence
Getting online identity systems right is difficult. Getting them secure is harder still, and it is a problem that has not yet been reliably solved (secure in a lab does not count here). A new service that seeks to provide something analogous to a single sign-on system (like Microsoft's Passport before it) appears to draw on technology similar to that used by Bank of America in its SiteKey authentication system.
While comparable technology already exists, the company behind the service are making claims that have caught the attention of security researchers.
The service claims to protect users against four of the most prevalent means of compromising authentication (phishing, keystroke logging, man-in-the-middle (MITM) attacks and brute force), yet it has already been shown to fail in at least one of those areas. An independent researcher has demonstrated an effective MITM attack against the service (the attack does rely on the user not noticing the absence of an https address, but that is easily overcome).
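The weakness the researcher exploited is that the scheme leaves it to the user to notice a missing https address. The following is an added example, not code from the original post or from the service it discusses: a small audit function that flags a login page whose transport security depends on user vigilance (plain HTTP, no Strict-Transport-Security header, a form posting credentials over HTTP, or a session cookie without the Secure attribute). The sample pages, hostnames and headers are constructed for the example; nothing here models the actual service.

```python
"""Audit a login page for transport weaknesses that a user would otherwise
have to spot by eye (missing https://). Constructed example; the hostnames,
headers and HTML below are made up and do not describe any real service."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(url, headers, html):
    """Return a list of findings; an empty list means no issue was found.

    url     -- the URL the login page was fetched from
    headers -- response headers as a dict (any key casing)
    html    -- the response body
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # 1. The page itself must be served over TLS.
    if urlparse(url).scheme != "https":
        findings.append("login page served over plain HTTP")

    # 2. Without HSTS the browser will happily follow an http:// downgrade,
    #    so the only defence is the user noticing the address bar.
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header")

    # 3. Every form must post to an https:// target (relative actions are
    #    resolved against the page URL, so an http page taints them too).
    collector = _FormActionCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urljoin(url, action)
        if urlparse(target).scheme != "https":
            findings.append(f"form posts to {target} over plain HTTP")

    # 4. A session cookie without Secure leaks on any later http:// request.
    cookie = hdrs.get("set-cookie")
    if cookie is not None and "secure" not in cookie.lower():
        findings.append("session cookie set without the Secure attribute")

    return findings


# Constructed sample responses (hypothetical hostnames).
WEAK_URL = "http://login.example.test/"
WEAK_HEADERS = {"Set-Cookie": "session=abc123; HttpOnly"}
WEAK_HTML = '<form action="/login" method="post"><input name="user"></form>'

STRONG_URL = "https://login.example.test/"
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
}
STRONG_HTML = '<form action="https://login.example.test/login" method="post"></form>'


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_URL, WEAK_HEADERS, WEAK_HTML)),
                        ("strong", (STRONG_URL, STRONG_HEADERS, STRONG_HTML))):
        print(label, audit_login_page(*args) or ["no findings"])
```

Run against the weak sample the audit reports four findings; against the hardened sample it reports none. The point is that each check removes a decision the scheme would otherwise leave to the user: with HSTS and an https-only form, the browser refuses the downgrade instead of relying on someone to spot the missing https.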
Unfortunately for end users, and for those who have invested funds into this concept, false claims of security are more harmful in the long run than no security mechanisms at all.
11 May 2007