Scorpion Software Blog: Introducing RWWGuard 2011:

I’m a user/owner/buyer of RWWGuard.  It allows me to not only track remote access to the server but to ensure that I have two factor authentication for those that I offer up remote access to.  I used to get pushback from when there was hardware tokens, with softtokens installed on the cell phones I get none.

What I do get is extra peace of mind.  Extra accountability.   Worth every penny.


9 Responses to Scorpion Software Blog: Introducing RWWGuard 2011:

  1. Dean says:

    I don’t understand how the program running on a phone can be as secure as the program running on dedicated hardware that you can’t tamper with. I mean I know the average user isn’t going to pull out a dissasembler and look into the program but it still leaves me wondering. What if a new program loaded on the phone with hidden malware could somehow intercept it or something.

  2. bradley says:

    It’s making sure that passwords can’t be intercepted in transmission – say at a Starbucks wireless. I can be more less paranoid about the means that people use to connect remotely to the server.

  3. Dana Epp says:


    Feel free to use AuthAnvil SoftTokens on a Yubikey if you are concerned with the SoftToken on the phone. Or use our tamper resistant hardware keyfobs. The point is, if you want to provide identity assurance protection when a user accesses Remote Web Access, we have you covered with several different token types. You can check out for more information.

    Remember that with a browser and a password, an adversary can gain complete access to the files through the new file manager, or the direct computers through RD Gateway, impersonating the intended user without recourse. A combination of AuthAnvil and RWWGuard makes that considerably more difficult. The goal is to reduce risk to an acceptable level, and the inexpensive nature of this makes it well worth the investment.

    BTW, if you are using a smartphone that is NOT sandboxed to prevent the attack vector you mentioned with malware accessing private secured storage between applications, I don’t blame you for being concerned. However, we have full coverage for support for Windows Mobile, Blackberry, Android, iPhone and Windows Phone 7. If that doesn’t work, the SoftToken can run on a USB based Yubikey, giving you full coverage however you see it.


  4. Dean says:


    I wasn’t saying you shouldn’t use two factor authentication. I was just wondering if using a PHONE to make it work was safe.

    I don’t think two factor authentication has anything to do with someone not being able to steal your regular password over an Internet connection. It has to do with what it says. Authenticating that who is on the computer is who they are supposed to be.

    Anyone who says that a “sandbox” ( whatever the real meaning of that really is ) is safe and secure is full of crap as anyone who has kept up with security news in the last year will know.

  5. bradley says:

    If someone takes my phone and logs in, how does two factor confirm that the person on the computer logging in is me?
    Two factor on the phone is a changing password. Every 15 minutes it changes. My human brain can’t change a password every 15 minutes.

    But as log as that softtoken and keep track of it and let me know what it is at that precise time, my remote access is a constant moving target.

    If someone grabs my static password from a browsing session somewhere, I don’t have to worry because they can’t get my moving target. The probability that an attacker can a. get my more static password b. steal my phone c. tie both to me and d. determine a long time ago that it’s way easier to go hack some cloud based something where two factor is not enforced… you get the idea.

    The idea here is to always be a little harder than the guy down the street who’s being a bit stupid.

  6. Dean says:

    “how does two factor confirm that the person on the computer logging in is me”

    Because it’s assigned to YOU and it’s supposed to be in YOUR physical possession. That was the whole point of having physical tokens with serial numbers. That’s why they called it factor AUTHENTICATION. Yes, someone else could take it from you but as you just said yourself how often is that going to happen.

    If you want to get technical about your posting then yes, one password can be intercepted over the Internet and the other one can not.

  7. bradley says:

    I still see it as best protecting the remote access interception issue the best.

  8. Dean says:

    “I still see it as best protecting the remote access interception issue the best. ”

    Of course.

    But you have to understand what you are using and why otherwise if something happens that you didn’t expect you won’t have any idea why it happened.

    How a security or authentication method is implemented is all important and I’m not convinced (yet) that doing two factor with a phone is a good idea. At the very least it takes the whole authenticating idea away. Unless the program still has a serial number.

  9. bradley says:

    The authanvil console tracks the specific token being used. I do understand what’s happening exactly behind the scenes. I’m saying that I am using it more for a reason that you aren’t giving the same weight to.