Hi, I do not see any checklist being used so far on this 2FA
evaluation. However, I would rather work out my own checklist from the
2FA exploration/areas as given below:
1) Understand and Evaluate Authentication Factors, specifically wrt 2FA:
>> the ownership factors: Something the user has (e.g., wrist band, ID card,
>> security token, software token, phone, or cell phone)
>> the knowledge factors: Something the user knows (e.g., a password, pass
>> phrase, or personal identification number (PIN), challenge response (the
>> user must answer a question))
Here, we also would need to understand the market segments where these
mechanisms will be implemented, such as Enterprise (secure remote
access, enterprise authentication, B2B transactions), Consumer (online
banking, electronic commerce, ISPs), Government (common
authentication, biometrics). This will help you to put yourself in the
position of such a user and think of possibilities of breaking the
algorithm or the application/software using this 2FA algorithm.
2) Gather and Evaluate using various exploiting techniques of identity
theft / online fraud wrt your application/product
Generally speaking, 2FA approaches are vulnerable to a) trojan-controlled
websites, b) man-in-the-middle attacks and c) global spying
using spyware, shoulder sniffing, social engineering, etc.
3) Appropriate Compliance wrt Local/Global Regulatory requirements
4) Proliferation Evaluation: {below text copied from internet}
Many 2FA products require users to deploy client software to make 2FA
systems work. Some vendors have created separate installation packages
for network login, Web access credentials and VPN connection
credentials. For such products, there may be four or five different
software packages to push down to the client PC in order to make use
of the token or smart card. This translates to four or five packages
on which version control has to be performed, and four or five
packages to check for conflicts with business applications. If access
can be operated using web pages, it is possible to limit the overheads
outlined above to a single application. With other 2FA solutions, such
as virtual tokens and some hardware token products, no software must
be installed by end users.
5) User password management
6) Interoperability of authentication mechanisms
7) Software Security and Password Policies evaluation (this differs
from the 2nd step)
8) ______________ {You can add more steps here, the relevant areas to
be evaluated}
Hope this will give you some idea, if not expert advice. Thanks
A few references on Two Factor Authentication for beginners who wish to
understand 2FA and its evaluation:
http://www.informit.com/guides/content.aspx?g=security&seqNum=349
http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html
http://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)
--
You received this message because you are subscribed to the Google Groups
"nforceit" group.