Comments on Secure the world: Phonefactor: how secure?
Feed last updated: 2021-09-01T12:26:56.058-07:00

Comment posted 2009-03-24T14:41:00.000-07:00 (Anonymous):

Hi,

Thanks for the mention! I always love seeing other security analysts comment on the system.

I do want to point one thing out, though: PhoneFactor doesn't depend on using one-time bypass; if you don't want to use it, don't. In that case, not having your phone means you can't log in, just like if you forget your token or smart card.

It's up to each security department to do the risk/reward analysis on the trade-off between usability and security. PhoneFactor provides all of the options, but it's up to the customer to decide what fits with their particular security policy.

I'd also point out that, even with the help desk call and the potential human error that can be made, having PhoneFactor is still dramatically better than not having it: it completely prevents large-scale attacks like mass phishing, mass credential harvesting via worms or botnet clients, etc., because the attacker would have to make a help desk call for each user he wants to attack. That doesn't scale, of course, and the help desk will catch on pretty quickly if it does get 100 calls for bypasses in a row.

But your point is right: the bad guys will always go for the weakest link in the system, so each security department must carefully weigh the risks against the benefits when deciding how to deploy any kind of strong authentication.

Thanks again for the commentary.

 -Steve Dispensa
Chief Technology Officer
PhoneFactor