US researchers find flaws in single sign-on - UK expert says this highlights the need for 2FA

Berkshire (UK), (PresseBox) - Commenting on weekend reports that US security researchers have discovered several flaws in single sign-on (SSO) services operated by major portals, including Google and PayPal, SecurEnvoy says this highlights the clear need for two-factor authentication (2FA) wherever financial or personal logins are concerned.

According to Steve Watts, co-founder of SecurEnvoy, the tokenless two-factor authentication specialist, the fact that the flaws also involve social networking sites and services such as Facebook and Twitter, both of which have repeatedly been shown to have security shortcomings, is enough to set the alarm bells ringing.

"The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and - in particular - wireless Internet connections, there is clearly a need for 2FA technology," he said.

"The problem for most users is that existing 2FA technologies require they truck an authentication device - typically a hardware token - around with them, making access when away from their regular desktop computer a cumbersome process. But since most Internet users have a mobile phone in their purse or pocket, they can turn to tokenless 2FA methodology to simplify matters," he added.

The SecurEnvoy co-founder explained that the flaws identified by the Indiana University/Microsoft researchers, which stem from web site developers' poor integration of the SSO application programming interfaces (APIs) and from a lack of end-to-end security checks, mean that many web portals are affected by one or more of the eight "serious" problems revealed.

It will, he says, be interesting to see how the researchers' paper is received later this year when they present their findings at the IEEE Symposium on Security and Privacy, held May 20-23 in San Francisco.

At that stage, he adds, the shortcomings in security methodology that the Indiana University and Microsoft researchers discovered during their lengthy project will be exposed to the world's security experts, giving the researchers' peers a chance to review and comment on the issues revealed.

Watts went on to say that using a smartphone as a tokenless authentication channel makes a lot of sense, as it allows the phone's owner to authenticate himself or herself at almost any time, including during an online session in which private credentials or financial transactions are involved.

"Putting it simply, this means that users can log into an online banking service - for example, authenticating themselves using tokenless 2FA on their mobile phone - and then when they want to pay a bill, they can authenticate themselves once again," he said.

"If you look at PayPal, for example, whenever you do anything unusual - such as making a withdrawal to an unverified bank account - the PayPal computers will call the account holder on one of their nominated phone numbers, which could be a mobile, to authenticate the user. Extending the security envelope to include tokenless 2FA in these situations - as well as in the initial login process - makes a lot of sense," he added.
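The step-up flow Watts describes above (a code sent to the user's phone at login, then a fresh code before a payment is allowed) as an added Python example; this is not code from the press release or from SecurEnvoy's product. It goes one step beyond the text in one respect: the payment code is bound on the server to the amount and destination quoted in the text message, so a man-in-the-browser that swaps the destination after the user has read the message cannot reuse the code the user typed. The class and method names, the six-digit format, the 120-second validity window, the `send_sms` callback and the phone number are all assumptions; the SMS transport is a test double that just records messages in a list.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window for a texted code
OTP_DIGITS = 6          # assumed code length


class StepUpAuthenticator:
    """Server side of a tokenless (phone-based) 2FA flow. Hypothetical design.

    Two kinds of challenge are texted to the user's registered phone:
      * a login challenge, bound only to the literal context b"login";
      * a payment challenge, bound to the amount and destination shown in
        the text message, so the code the user approves is useless for a
        payment whose details were altered in the browser afterwards.
    """

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone_number, message); real gateway in production
        self.clock = clock         # injectable so expiry can be exercised offline
        self.phones = {}           # user -> registered phone number
        self.pending = {}          # user -> (code, expiry, bound_context)
        self.sessions = {}         # user -> {"authenticated_at": epoch seconds}

    def register_phone(self, user, phone):
        self.phones[user] = phone

    def _challenge(self, user, context, message):
        # Random code; the binding comes from storing the context with it.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = (code, self.clock() + OTP_TTL_SECONDS, context)
        self.send_sms(self.phones[user], f"{message} Code: {code}")

    def _verify(self, user, code, context):
        entry = self.pending.pop(user, None)     # single use: consumed by any attempt
        if entry is None or not isinstance(code, str) or not code.isascii():
            return False
        expected, expiry, bound_context = entry
        if self.clock() > expiry or bound_context != context:
            return False
        return hmac.compare_digest(expected, code)

    def start_login(self, user, password_ok):
        """First factor already checked by the caller; issue the second."""
        if not password_ok or user not in self.phones:
            return False
        self._challenge(user, b"login", "Login request.")
        return True

    def finish_login(self, user, code):
        if self._verify(user, code, b"login"):
            self.sessions[user] = {"authenticated_at": self.clock()}
            return True
        return False

    def request_payment(self, user, amount_pence, dest_account):
        """Step-up: the session alone is not enough to move money."""
        if user not in self.sessions:
            return False
        context = f"pay:{amount_pence}:{dest_account}".encode()
        self._challenge(user, context, f"Pay {amount_pence / 100:.2f} to {dest_account}.")
        return True

    def confirm_payment(self, user, code, amount_pence, dest_account):
        # The details submitted now must equal the details the code was issued for.
        context = f"pay:{amount_pence}:{dest_account}".encode()
        return self._verify(user, code, context)


def demo():
    """Constructed scenario: login, replay of the login code, a payment whose
    destination is swapped after the text arrived, an expired code, and a
    genuine payment. Returns the outcome of each step."""
    outbox = []
    now = [1_700_000_000.0]
    auth = StepUpAuthenticator(send_sms=lambda phone, msg: outbox.append((phone, msg)),
                               clock=lambda: now[0])
    auth.register_phone("alice", "+44 7700 900123")   # constructed, fictional number

    def last_code():
        return outbox[-1][1].rsplit("Code: ", 1)[1]

    results = {}
    auth.start_login("alice", password_ok=True)
    code = last_code()
    results["login"] = auth.finish_login("alice", code)
    results["login_replay"] = auth.finish_login("alice", code)

    auth.request_payment("alice", 12500, "GB00-ORIG")
    results["swapped_destination"] = auth.confirm_payment("alice", last_code(), 12500, "GB00-MULE")

    auth.request_payment("alice", 12500, "GB00-ORIG")
    code = last_code()
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = auth.confirm_payment("alice", code, 12500, "GB00-ORIG")

    auth.request_payment("alice", 12500, "GB00-ORIG")
    results["genuine"] = auth.confirm_payment("alice", last_code(), 12500, "GB00-ORIG")
    results["sms_texts"] = [msg for _, msg in outbox]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

The important design choice is that the text message states what is being approved and the server only accepts the code for exactly those details; a code that merely proves "the phone is present" would be relayed by a man-in-the-browser just as happily as a password.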


SecurEnvoy Ltd

SecurEnvoy is the trusted global leader in Tokenless® two-factor authentication and a pioneer of mobile phone based Tokenless® authentication.

Its innovative approach to the Tokenless® market now sees thousands of users benefitting from its solutions all over the world. With users deployed across five continents, customers benefit from significantly reduced deployment time; a zero-footprint approach means there is no remote software deployment, and administrators enjoy management tools that allow them to deploy up to 20,000 users per hour.

With its channel-centric approach, SecurEnvoy continues to expand its revenue and profitability year on year, with customers in banking, finance, insurance, government, manufacturing, marketing, retail, telecommunications, charity, legal and construction. Its partners include Juniper, Citrix, Fortinet, Sonic Aventail, Cisco, Checkpoint, Microsoft, F5 and others.
