[WEB SECURITY] New two-stage login procedure

Martin O'Neal martin.oneal at corsaire.com
Wed Dec 13 13:09:49 EST 2006


> 1)User hits login
> 2)Types in Acct number
> 3)user hits generate OTP (mobile number is linked to account details)
> 4)User gets SMS with OTP
> 5)User enters PIN + OTP
> 6) User logs in.
 
> Anyone want to tear apart that? :P

2/3) wascaly wabbit enters sequential acct numbers in bulk
4) valid users are spammed with 1*N unrequested OTPs...

Using predictable authentication values isn't big, and it isn't clever.
:p


<potentially_contentious_opinion==on>

IMHO OTP and web applications is a bit of red-herring anyway.  The
client-side threats that they are pitched as a protection against imply
a level of control over the HTTP client that by definition makes them
useless at protecting the web application session.  For example, to
install a key logger you have more than enough control over the client
to be able to also get at the web session.  If you can get at the
session, then you don't need the authentication.

Additionally, IME the applications that require authentication to be
re-entered prior to executing a critical function (sending money,
changing password etc) often only require the static piece of the 2FA to
be entered, like the password.  

Ultimately, the problem isn't one of authentication; it is one of trust
in the HTTP client.

Martin...
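The first objection above (walk sequential account numbers, every real customer gets unrequested SMS codes) is a throttling and enumeration problem on the "generate OTP" step. The following is an added example, not code from the list post or from any product it discusses, showing the controls a defender would put on that step: a per-account cooldown, a per-source request budget, a neutral response that does not reveal whether the account exists, and a single-use, time-limited code compared in constant time. The account layout, thresholds, IP addresses and in-memory "SMS outbox" are constructed for the demo. It does not address the second point in the post about trust in the HTTP client; no server-side OTP handling can.

```python
"""Added example: throttled OTP issuance for a two-stage login.

Assumptions (constructed for this demo, not from the original post):
account numbers are sequential integers, SMS delivery is simulated by an
in-memory outbox, and the thresholds below are illustrative values.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

OTP_COOLDOWN_S = 60          # at most one OTP per account per minute
PER_SOURCE_WINDOW_S = 300    # per-source requests are counted over 5 minutes
PER_SOURCE_LIMIT = 5         # ... and capped at this many in that window
OTP_TTL_S = 300              # code is valid for 5 minutes
NEUTRAL_REPLY = "If the account exists, a code has been sent."


class OtpService:
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts               # acct -> {"pin": str, "phone": str}
        self.now = now                         # injectable clock for testing
        self.last_sent = {}                    # acct -> timestamp of last OTP
        self.source_hits = defaultdict(deque)  # source ip -> request timestamps
        self.pending = {}                      # acct -> (otp, expiry)
        self.outbox = []                       # simulated SMS gateway log

    def _source_allowed(self, ip):
        """Sliding-window budget per requesting address."""
        q = self.source_hits[ip]
        t = self.now()
        while q and t - q[0] > PER_SOURCE_WINDOW_S:
            q.popleft()
        if len(q) >= PER_SOURCE_LIMIT:
            return False
        q.append(t)
        return True

    def request_otp(self, acct, ip):
        """Step 3 of the procedure. Always returns the same neutral text, so
        the caller learns neither whether acct exists nor whether an SMS went out."""
        if not self._source_allowed(ip):
            return NEUTRAL_REPLY
        info = self.accounts.get(acct)
        t = self.now()
        if info is None or t - self.last_sent.get(acct, -1e9) < OTP_COOLDOWN_S:
            return NEUTRAL_REPLY
        otp = f"{secrets.randbelow(10**6):06d}"   # unpredictable 6-digit code
        self.pending[acct] = (otp, t + OTP_TTL_S)
        self.last_sent[acct] = t
        self.outbox.append((info["phone"], otp))   # stand-in for the SMS send
        return NEUTRAL_REPLY

    def login(self, acct, pin, otp):
        """Step 5: PIN + OTP. The OTP is consumed on first use, valid or not."""
        info = self.accounts.get(acct)
        entry = self.pending.pop(acct, None)
        if info is None or entry is None:
            return False
        expected, expiry = entry
        if self.now() > expiry:
            return False
        ok_pin = hmac.compare_digest(pin, info["pin"])
        ok_otp = hmac.compare_digest(otp, expected)
        return ok_pin and ok_otp


def demo():
    """Bulk walk of sequential account numbers from one address, then a
    legitimate login. Returns (spam SMS actually sent, login ok, replay ok)."""
    clock = [1000.0]
    accounts = {str(n): {"pin": "1234", "phone": f"+1555000{n:04d}"}
                for n in range(1, 101)}
    svc = OtpService(accounts, now=lambda: clock[0])
    for n in range(1, 101):                      # 100 requests, one source
        svc.request_otp(str(n), ip="203.0.113.9")
    spam_sent = len(svc.outbox)                  # capped by PER_SOURCE_LIMIT
    clock[0] += 61
    svc.request_otp("7", ip="198.51.100.4")      # real customer, own address
    _phone, otp = svc.outbox[-1]
    ok = svc.login("7", "1234", otp)
    replay = svc.login("7", "1234", otp)         # same code again: refused
    return spam_sent, ok, replay


if __name__ == "__main__":
    print(demo())
```

With these limits the bulk walk delivers five codes instead of a hundred, and the per-account cooldown bounds what a distributed requester can inflict on any one customer. The neutral reply matters as much as the counters: a "no such account" message would turn the OTP endpoint into an account-number oracle.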
----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]