Kim Cameron’s Identity Weblog » Weaknesses of Strong Authentication?
I think there are a few elements of this that are worth exploring. Most specifically, in security design the idea of layers counts for a great deal, and the analogy of the castle is a particularly good one: strength in depth, but with each layer designed so that when (not if) a breach occurs there’s always another layer of protection. One other facet of security where the castle analogy is used is in discussion of “single sign-on” (SSO, or more correctly “reduced sign-on”). We use the term “keys to the castle” to refer to a breach of the initial authentication; once that takes place an attacker has free rein throughout the bailey of the user’s environment, and the effect of that single breach can be much more devastating because the isolation between components is removed.
As a result, it’s generally advisable, when implementing SSO, that a stronger authentication mechanism be used: the increased threat from the lack of isolation can be partially offset by reducing the risk that the initial authentication is compromised. In this sense the strong authentication isn’t the weak element; the reason we need authentication at all is that when we build the castle the walls need to have holes in them (often a drawbridge). Someone needs to be in a position to open the door, often following the challenge “friend or foe”, and that is where the authentication is required. Where CardSpace will provide benefit is in providing a stronger authentication mechanism than the traditional username / password combination, both for individual resources and for a whole domain fronting a protocol such as OpenID or SAML.