how can you verify that the site you get is not a fake?

Scot L. Harris webid at cfl.rr.com
Mon Jun 6 15:59:31 UTC 2005


On Mon, 2005-06-06 at 11:50, bruce wrote:
> so...
> 
> the obvious solution (at least to me...) is to get rid of the need for a
> user to use the keyboard for entering the password....
> 
> so if i have a solution that allows the user to more or less know that the
> site that he/she is on is the correct site, as well as a process that allows
> the user to access/authenticate that he/she is indeed the actual user, then
> we might have something...
> 
> if you're dealing with a browser/internet system, i'm of the opinion that
> it's time we start thinking about getting rid of text based passwords...
> they're too cumbersome to be secure, and once you start dealing with more
> than a few sites.. who really goes through the trouble to generate and
> remember really secure passwords...
> 
> -bruce

You want multi-factor authentication if possible for really secure
things.  In most cases a simple password is sufficient, assuming a
"good" password has been selected and proper care is taken to prevent or
limit the possible disclosure of that password.

As stated before it all depends on the risk level you are willing to
accept vs. usability for the users.  In most cases a password is more
than sufficient, in other cases biometrics may be the minimum acceptable
security required to secure the particular systems being accessed.  

Standard consultant response, it depends.  :)


-- 
Scot L. Harris
webid at cfl.rr.com

Of course you have a purpose -- to find a purpose. 



