Another option might be to do transaction authentication. But whatever the option, you are right that just doing strong session authentication will not be enough. However, it will be a requirement – part of the foundation.

Another option might be to do transaction authentication. But whatever the option, you are right that just doing strong session authentication will not be enough. However, it will be a requirement – part of the foundation.

Hmmm, that’s awfully close to advertising your product there, but you make a relevant point so I’ll let it go this time around

Mutual authentication is great, I agree, though I think it’s a bit of an overstatement to say that you need cryptographic principals to “have a chance.” In particular, it seems that your solution requires an additional token, or an additional software install, and in some cases that’s a deal breaker for ubiquitous web access. I’m not saying that’s bad, but it’s a different category of system that’s not purely web-based.

Hmmm, that’s awfully close to advertising your product there, but you make a relevant point so I’ll let it go this time around

Mutual authentication is great, I agree, though I think it’s a bit of an overstatement to say that you need cryptographic principals to “have a chance.” In particular, it seems that your solution requires an additional token, or an additional software install, and in some cases that’s a deal breaker for ubiquitous web access. I’m not saying that’s bad, but it’s a different category of system that’s not purely web-based.

Hi Mr. Nair,

Thanks for responding to my blog posting.

I appreciate the offer for more information about your security product. I believe the best way to review the security of a system is in a public setting. If you have a publication, or a draft of a publication, or a technical white paper, I would be happy to take a closer look assuming that it is publicly available and that I can comment on it freely in public.

I don’t know your technology, so I cannot say definitively whether or not it provides a significant improvement in web authentication security. However, I agree with David Wagner that your response did not address my concerns regarding whether some of these authentication factors are easily phishable. In particular, bringing up obfuscated JavaScript indicates that you may not be considering the correct Web thread model.

I hope you’ll consider providing more in-depth technical information about your system, as the best security systems tend to be those that are openly vetted.

-Ben

Hi Mr. Nair,

Thanks for responding to my blog posting.

I appreciate the offer for more information about your security product. I believe the best way to review the security of a system is in a public setting. If you have a publication, or a draft of a publication, or a technical white paper, I would be happy to take a closer look assuming that it is publicly available and that I can comment on it freely in public.

I don’t know your technology, so I cannot say definitively whether or not it provides a significant improvement in web authentication security. However, I agree with David Wagner that your response did not address my concerns regarding whether some of these authentication factors are easily phishable. In particular, bringing up obfuscated JavaScript indicates that you may not be considering the correct Web thread model.

I hope you’ll consider providing more in-depth technical information about your system, as the best security systems tend to be those that are openly vetted.

-Ben

I found your 4 arguments completely unconvincing:

1. “Scrambling” the Javascript isn’t going to defeat any kind of serious attack. It’s a speedbump, not a serious defense.

2. Irrelevant. If a man-in-the-middle can capture and replay the inputs to your “segmentation algorithm”, the details of your algorithm are irrelevant.

3. Gibberish.

4. Content-free.

Given the inability to post a coherent technical defense of the Delfigo system, it sounds to me like it would be prudent to assume that Ben’s criticisms are valid and that the Delfigo system is flawed.

I found your 4 arguments completely unconvincing:

1. “Scrambling” the Javascript isn’t going to defeat any kind of serious attack. It’s a speedbump, not a serious defense.

2. Irrelevant. If a man-in-the-middle can capture and replay the inputs to your “segmentation algorithm”, the details of your algorithm are irrelevant.

3. Gibberish.

4. Content-free.

Given the inability to post a coherent technical defense of the Delfigo system, it sounds to me like it would be prudent to assume that Ben’s criticisms are valid and that the Delfigo system is flawed.