Tuesday, June 19, 2007

More Action from TriCipher

TriCipher's been in the news a lot lately, and that's good for them and for the whole multifactor movement. We like to see pickup on this technology, no matter whose it is.

http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/7666-tricipher-takes-identity-theft-prevention-mobile.htm

This article discussed the fact that they've released a USB-based solution, something near and dear to our hearts, because we also use a USB-driven system at Enterprise-in-a-Flash (http://www.enterpriseinaflash.com).

I'm concerned about the fact that they're allowing for customer self-provisioning. I'm not sure a bank would let you self-provision your ATM card onto any blank card you could get your hands on, and I'm not sure it makes sense to trust a user-provisioned authentication factor that they've put onto any unknown USB drive. But I'll have to see more about this before making a final judgment.

1 comment:

Anonymous said...

Hello, this is Tim Renshaw, VP Field Applications at TriCipher. I just wanted to clarify a bit on the self-provisioning angle of the ID Tool To Go offering.

It is important to separate the provisioning of the device as a second factor from the provisioning of the credential, of which the second factor is only a part. In referring to self-provisioning, think of a use case where a user would be able to merely acquire a readily, commercially available USB device or even use one they already have. For ID Tool To Go today, any ol' U3 device will work. The user is then in a position to merely load standard interface software onto the device (again, U3 for now) and use that device to activate their credential via whatever credential activation (or provisioning, in the more traditional parlance) policy or preference mechanism they wish. These processes could take the form of anything ranging from 1) simply authenticating to the web site with their existing single-factor password, indicating they are "upgrading" their credential, and walking through a self-serve activation process; to 2) a phone call procedure to authenticate themselves and activate their new 2-factor credential; to 3) something as robust as visiting their local branch... or anything in between.

Of course, credential issuers such as banks, brokerages or even retail may well wish to issue branded devices with the associated software already installed. What we believe is important is that the devices do not need to be managed and assigned. The devices are made the "what you have" 2nd factor in the credential. Consequently, the devices can be kept sitting loose on a shelf and any device can be given to any user to activate and use. This shelf can be in an "issuing location" or in the aisle of any Best Buy, Circuit City, Wal-Mart, etc.

Additionally, the loss or theft of the 2nd factor does not provide the possessor any attack vector to work backwards to the user's password, the first factor. Since loss of the 2nd factor doesn't equate to a compromise of the credential, the user can again self-provision the device and recover their credential simply, securely and, compared to alternate 2nd factor options, cheaply.

Whoops, I'm beginning to slip into sales speak beyond clarifying on the question at hand, so I'll leave it at that. Feel free to contact me directly at tim@tricipher.com or on my own blog at EYEdentityOnline.com.