This is a site designed to make it easier to take the core of large published reports and allow anyone to comment on them.


protect Authentication IL3 material and are recommended. Where this is not possible and an overwhelming business benefit can be demonstrated, use of commercial best practice equivalent to Authentication IL2 may be accepted in conjunction with limited lifespan authentication tokens and thorough Confidentiality/Integrity IL3 Accounting and Audit measures. This measure is deprecated, owing to the significant degradation of the security provided, and is only acceptable where no reasonable alternative procedure is available.

100 For example, ensuring that client information is not transmitted en bloc in clear. This might involve asking the client to provide only a subset of a shared secret such as a password or using dynamic information relating to a recent transaction. Other threats to be protected against should include, as a minimum, Trojans, disk scavenging, keystroke loggers and network sniffing.

101 For example, a credential such as a digital certificate might be protected by a PIN, password or other access control mechanism, and measures should be in place to encourage protection of client machines and networks against malware.

102 For example, a credential might be stored on a token and not exposed to the client machine. Alternatively, on presentation of a credential to a central authentication server, an out-of-band method such as text messaging may be used to transmit a unique one-time password to the client which can then be used to initiate the session. A variation on this theme would be to issue the client with a password generator; this approach is currently favoured by banks and other financial institutions.

103 Requirements for assurance of product, service and system assurance, configuration testing (commercial best practice, penetration testing, etc.) and the compliance process are set out at Table 2
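
The server side of the out-of-band one-time password exchange described in footnote 102, with the limited lifespan the main text asks for, as an added example that is not part of the original report. The class name, the 120-second lifetime, the 8-digit length and the three-attempt limit are assumptions, and delivery over the out-of-band channel (for example text messaging) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 120   # assumed lifespan; the report gives no figure
MAX_ATTEMPTS = 3             # assumed guess limit per issued password


class OneTimePasswordIssuer:
    """Hypothetical server side of an out-of-band one-time password exchange."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # client_id -> [sha256 digest, expiry, attempts left]

    def issue(self, client_id):
        """Create the password to send to the client over the out-of-band channel."""
        otp = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(otp.encode()).digest()
        expiry = self._clock() + OTP_LIFETIME_SECONDS
        # Issuing again replaces any earlier password for this client.
        self._pending[client_id] = [digest, expiry, MAX_ATTEMPTS]
        return otp

    def redeem(self, client_id, presented):
        """Return True only once, for the right password, inside its lifetime."""
        entry = self._pending.get(client_id)
        if entry is None:
            return False
        digest, expiry, attempts_left = entry
        if self._clock() >= expiry or attempts_left <= 0:
            del self._pending[client_id]      # expired or guess limit reached
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(presented.encode()).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[client_id]      # single use: a replay fails
            return True
        return False


if __name__ == "__main__":
    issuer = OneTimePasswordIssuer()
    code = issuer.issue("client-001")          # constructed client identifier
    print("first use:", issuer.redeem("client-001", code))
    print("replay:   ", issuer.redeem("client-001", code))
```

Only a digest of the password is held server-side, so a dump of the pending table does not reveal a usable value.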
