Mez, et al,

An alternative to traditional browser cookies is setting a "Flash object" on a computer. This is actually what PassMark/RSA (a.k.a., SiteKey) uses to "tag" a computer as having previously been used by a user who logged in responding to authentication questions. If the Flash object is found, then the computer is "authenticated," and the user's secret image is displayed prior to authenticating the user via their password.

What would be an interesting question is to explore how many other "cookie-like" mechanisms are currently in use, and which of these could be used to support authentication mechanisms.

   Chuck Wade, Principal
   Interisle Consulting Group
   +1  508 435-3050  Office
   +1  508 277-6439  Mobile

Mary Ellen Zurko wrote:

Really nice.

What is "flash" as an object on a computer that can authenticate?

Some of these I didn't realize were deployed methods of (primary) authentication (tagging, risk analysis).


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Chuck Wade wrote on 03/27/2007 09:38 PM:


ACTION-149: FSTC's list of authentication techniques (BMA taxonomy)


I just wanted to confirm to everyone on this list that I did post the
file from FSTC that provides a pretty comprehensive listing of
authentication techniques that are in use today--the "BMA Taxonomy." In
doing so, I also set up a "Document Repository" page on the WSC Wiki
that others may find useful as a place to share documents (when public
links are not available).

Under this Document Repository is a section for FSTC Contributed
Documents at this link:


You'll find a sub-page with a brief description of the BMA Taxonomy, and
an Excel workbook attached. The first section of the Taxonomy sheet in
this workbook is a hierarchical listing of authentication techniques.

  Chuck Wade, Principal
  Interisle Consulting Group
  +1  508 435-3050  Office
  +1  508 277-6439  Mobile