Symantec Access Management

  • 1.  CA Advance Auth ID

    Posted Jan 04, 2018 03:42 PM

    We tried CA Advance Auth a.k.a. Arcot 2-3 years back.  

    During that time we noticed that the ARCOTID contains the user LOGIN ID.  Is that still the case with the latest version of this software?  Or is this security issue now addressed?

     

    Does the product support multiple USER stores?  

     

    Thanks,

    Chandrashekhar Rane



  • 2.  Re: CA Advance Auth ID
    Best Answer

    Posted Jan 05, 2018 02:22 AM

    Hi,

    Even today the AuthID contains the userid. In my opinion, this is not a security issue. The reason being that with any web application out there (banking, investment and others) that just accepts the userid on one screen and the password on the next screen, it is easy to guess the user name. The username is not meant to be secure. Can you help me to understand why that was deemed a security concern?

    Multiple user stores are supported, with the caveat that the user store is LDAP.

     

    Thanks,

    Lakshmi.



  • 3.  Re: CA Advance Auth ID

    Posted Jan 05, 2018 10:04 AM

    Hi Lakshmi,

     

    Thanks for confirming the current state.

     

    There is a difference between somebody guessing the USER ID vs. making it available on a device for misuse.

     

    Thanks again for responding to my query.

     

    Thanks,

    Chandrashekhar Rane



  • 4.  Re: CA Advance Auth ID

    Posted Jan 12, 2018 10:24 AM

    Hi Lakshmi,

     

    Organizations generally follow a pattern when handing out userIDs; for example, in CA we have <First_3_LettersOfTheLastName><First_2_LettersOfTheFirstName><numbers like 01, 02 etc.>, and the same userID is mostly used as the login ID. So if someone is able to crack even a few such userIDs, they can identify the pattern and profile the organization's user store pattern, which can then be enumerated by several means for illicit purposes. This is probably why many customers (especially banking and finance) have reported this as a security vulnerability.

     

    Thanks

    Abhishek   



  • 5.  Re: CA Advance Auth ID

    Posted Jan 12, 2018 11:04 AM

    Hi Abhishek,

    This discussion thread is specifically about storing the userid in the AuthID not being secure. The point I was trying to make is that there are other ways to get to the userid without even touching the user's machine. One of them is what you just outlined. This can be done remotely, with no need to be on the user's device, but to get to the userid in the AuthID, someone needs to gain access to the user's machine.

     

    Thanks..



  • 6.  Re: CA Advance Auth ID

    Posted Jan 05, 2018 04:42 PM

    In the other scenario, guessing the userid can be done remotely, whereas to get to the AuthID, someone needs to be on the user's device. If someone gains access to the user's device there is more to worry about than just the AuthID. They can simply install malware or a bot and capture all the information from that point in time.

    Now, the reason we have the userid in the AuthID is this: when a user enters the userid, the application needs to check whether there is a corresponding AuthID for that userid. There are multiple ways to achieve that instead of storing the userid in the AuthID. A few options are:

    1. Encrypt the userid in the AuthID, but the fact is that anything you do on the client can easily be undone by a program.
    2. The other option is to have a reference id in the AuthID and map that reference id to the userid in the backend. This requires a network call.

    Having said that, we can raise the difficulty bar for getting the userid, but we cannot completely prevent it. Again, what we are trying to achieve is to secure non-sensitive information.

     

    Thanks,

    Lakshmi.
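
The second option in the reply above (an opaque reference id in the client-side artifact, resolved to the userid by a backend call) can be sketched in a few lines. The following is an added illustration, not code from CA Advanced Authentication or from any poster in this thread; the `ReferenceIdRegistry`, the JSON artifact layout, the key-material placeholder and the sample id `smijo01` are all assumptions made for the example. It contrasts an artifact that carries the login id in clear with one that carries only a random reference id, and shows the login-time check that the reference-based design needs the backend for.

```python
import hmac
import json
import secrets
from typing import Dict, Optional


class ReferenceIdRegistry:
    """Backend-side mapping from an opaque reference id to the user id it was issued for.

    Assumed design for illustration only: the reference id is random, shares no
    structure with the user id, and is meaningless without this table.
    """

    def __init__(self) -> None:
        self._user_by_ref: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        # 32 random bytes, URL-safe encoded: unguessable and unrelated to the user id,
        # so it reveals nothing about an organisation's id naming pattern.
        ref_id = secrets.token_urlsafe(32)
        self._user_by_ref[ref_id] = user_id
        return ref_id

    def resolve(self, ref_id: str) -> Optional[str]:
        # This is the network call the reply mentions: the client presents the
        # reference id and only the backend can say which user it belongs to.
        return self._user_by_ref.get(ref_id)

    def revoke(self, ref_id: str) -> None:
        # Dropping the mapping makes an artifact copied off a device useless.
        self._user_by_ref.pop(ref_id, None)


def build_artifact_with_userid(user_id: str, key_material: str) -> str:
    """Client-side artifact that embeds the login id in clear (the situation the thread asks about)."""
    return json.dumps({"userid": user_id, "key": key_material})


def build_artifact_with_reference(ref_id: str, key_material: str) -> str:
    """Client-side artifact that carries only the opaque reference id (option 2 in the reply)."""
    return json.dumps({"ref": ref_id, "key": key_material})


def artifact_exposes_userid(artifact: str, user_id: str) -> bool:
    """True if the login id can be read straight out of the stored artifact."""
    return user_id in artifact


def artifact_matches_entered_userid(registry: ReferenceIdRegistry,
                                    artifact: str, entered_user_id: str) -> bool:
    """Login-time check: does the artifact on this device belong to the id the user typed?

    With a reference id the answer requires the backend. The comparison is
    constant-time so a mismatch does not leak how much of the id matched.
    """
    ref_id = json.loads(artifact).get("ref")
    if ref_id is None:
        return False  # artifact without a reference id is not accepted
    owner = registry.resolve(ref_id)
    if owner is None:
        return False  # unknown or revoked reference id
    return hmac.compare_digest(owner.encode(), entered_user_id.encode())


if __name__ == "__main__":
    registry = ReferenceIdRegistry()
    user = "smijo01"  # constructed sample id in the <lastname3><firstname2><nn> style from the thread
    key_material = "<device key material placeholder>"  # placeholder, not real key material

    plain = build_artifact_with_userid(user, key_material)
    ref = registry.issue(user)
    opaque = build_artifact_with_reference(ref, key_material)

    print("plain artifact exposes id: ", artifact_exposes_userid(plain, user))   # True
    print("opaque artifact exposes id:", artifact_exposes_userid(opaque, user))  # False
    print("check for right user:", artifact_matches_entered_userid(registry, opaque, user))       # True
    print("check for wrong user:", artifact_matches_entered_userid(registry, opaque, "smijo02"))  # False
```

The design choice worth noting is that the reference id is random rather than derived from the userid: a deterministic transform done on the client (option 1 in the reply) can be reversed or recomputed by anyone holding the client, while a random id only becomes meaningful through the backend lookup, which is also where access can be logged and a leaked artifact revoked.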



  • 7.  Re: CA Advance Auth ID

    Posted Jan 31, 2018 01:05 PM

    CA SSO allows multiple User Stores; however, how would the integration of CA SSO + CA AA work, considering that the AuthID is readable only by Strong Auth?