[Owasp-mobile-security-project] device identity as authentication factor

gagan bhatia gdsbhatia1981 at gmail.com
Mon Aug 15 06:08:53 EDT 2011


Hi,
IMHO secure hardware is not something widely available as of today and
has its own problems of distribution and branding (please correct me if my
understanding is incorrect).
How about the use of crypto (or maybe PKI) techniques along with the
available device IDs? It shall act as strong authentication, though
it will also have problems like management across different
platforms and certificate lifecycle management. But it shall be useful
for banking/payment applications.

regards
gagan

On 8/13/11, Dirk Sigurdson <dirk at mobilisafe.com> wrote:
> In order to have high confidence in the ID that a device is reporting you
> pretty much require there to be secure hardware.  Without a hardware root of
> trust on the device there will always be a way to spoof the reported
> identity.  Typically the secure hardware would contain a key that can be
> used to sign the message that is sent as part of your authentication scheme.
> In addition you'd need to ensure that the device is in a known
> good/authorized state.  Without those two things, it's very unlikely that
> you'll be able to prevent spoofing.
>
> Dirk
>
>
> On Aug 12, 2011, at 5:35 AM, gagan bhatia wrote:
>
>> Hi all
>> In the world of spoofing, it is really a challenge to uniquely
>> identify the device for secure communication. Considering end
>> user comfort, shall one consider making the device identity one
>> form of authentication? What are your opinions?
>>
>> regards
>> gagan
>
>
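
The signed-message scheme discussed in this thread, sketched as an added example (not code from either poster): the server enrolls a per-device public key and accepts a claimed device ID only with a signature over that ID and a fresh single-use nonce. Ed25519, the type and function names, and the device ID are assumptions, and the key is generated in software where the thread calls for secure hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server maps each enrolled device ID to its public key and one pending nonce.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.enrolled[id] = pub }

// Challenge issues a fresh random nonce that the device must sign.
func (s *Server) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[id] = nonce
	return nonce
}

// Respond is the device side: sign the claimed ID bound to the server's nonce.
func Respond(priv ed25519.PrivateKey, id string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(id+"\x00"), nonce...))
}

// Verify consumes the pending nonce (single use) and checks the signature.
func (s *Server) Verify(id string, sig []byte) bool {
	pub, known := s.enrolled[id]
	nonce, issued := s.pending[id]
	delete(s.pending, id)
	return known && issued && ed25519.Verify(pub, append([]byte(id+"\x00"), nonce...), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // software key (assumption)
	if err != nil {
		panic(err)
	}
	s, id := NewServer(), "device-123" // constructed device ID
	s.Enroll(id, pub)
	sig := Respond(priv, id, s.Challenge(id))
	fmt.Println("genuine:", s.Verify(id, sig), "replayed:", s.Verify(id, sig))
}
```

This proves possession of the enrolled key only; it says nothing about whether the device is in a known good state, which the reply above lists as a separate requirement.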

