Like running to a bank/post office and getting a certificate?
Certs are just a password verification tool, where user password verification occurs locally instead of at the server. This is NOT two-factor by any definition, just a password verification displacement tool.
At a very quick look at the documentation, Australian banks have had similar guidelines for some months.
The key requirement seems to be "do a risk assessment, and act based on the outcome". Everything else is optional, based on the risk assessment, however that is performed, and whatever that internal document recommends.
On this model, it's easy to justify not doing anything, since the fraud dollar losses don't seem to be even a few percent of the costs to implement and support two factor hardware devices, based on the anecdotal evidence and reviews I've seen.
Lyal
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Casey DeBerry
Sent: Thursday, 13 October 2005 7:30 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] NEW USA FFIES Guidance

For those that fall under US FFIEC governance, what are you doing to satisfy these requirements? I'd like to think I have more options than running to the store to pick up my RSA keyfobs... What about PKI? Are there other options for web based apps?

C. DeBerry
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/