[WEB SECURITY] New two-stage login procedure

Gervase Markham gerv at gerv.net
Wed Dec 13 14:11:00 EST 2006

Wade Millican wrote:
> Shoulder surfing is still at the same level of risk.  The PIN protection 
> from randomising the order and only using 3/4, 

Actually, 3/6.

> I'd like to comment on the previous logon date/time.  I've seen this 
> used a few times before, where it was actually effective.  This should 
> NOT be presented until AFTER a validated login.

Why not? The user has already "half-logged-in" by providing account 
number and matching last name. They can check this information before 
giving up the last bit of login info.

> I'd like to see more banks using one time passwords sent to the mobile 
> number of the user on their DB (below)
> 1) User hits login
> 2) Types in Acct number

...and last name, to prevent the DOS attack Martin mentions...

> 3) User hits generate OTP (mobile number is linked to account details)
> 4) User gets SMS with OTP
> 5) User enters PIN + OTP
> 6) User logs in.

The problem with this is the delay and mobile reception, as you say. And 
if the user does it more than once (out of impatience), do you accept 
all the ones you've sent in the last five minutes, or just the last one?

Remember, also, SMS messages can be sniffed by anyone in the same cell.
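The "which of the codes do you accept" question above is a server-side policy decision, and it is worth seeing one defensible answer written out. The following is an added example, not code from the post or from any bank's system: an in-memory OTP store in which every new request supersedes the previous code for that account (so only the last one sent is valid), each code has a five-minute window, is consumed on first successful use, is voided after a few wrong guesses, and re-requests are throttled so an impatient user cannot trigger an SMS flood. The names `OtpStore`, `issue`, `verify` and the timing constants are hypothetical; the clock is injectable so the behaviour can be checked without waiting.

```python
"""Server-side handling of SMS one-time passwords (hypothetical example).

Policy demonstrated:
  * a fresh request supersedes any earlier outstanding code for the account,
    so only the most recently sent code is accepted;
  * a code is valid for a short window and is consumed on first success;
  * a code is voided after max_failures wrong guesses;
  * re-requests inside min_reissue_interval are refused (SMS-flood throttle).
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class PendingOtp:
    code: str          # the digits that were sent by SMS
    issued_at: float   # seconds since epoch when the code was generated
    failures: int = 0  # wrong guesses recorded against this code


@dataclass
class OtpStore:
    validity_seconds: float = 300.0     # the "five minutes" from the thread
    min_reissue_interval: float = 30.0  # refuse a new code sooner than this
    max_failures: int = 3               # wrong guesses before the code is void
    clock: Callable[[], float] = time.time  # injectable for testing
    _pending: Dict[str, PendingOtp] = field(default_factory=dict)

    def issue(self, account: str) -> Optional[str]:
        """Generate a fresh 6-digit code for `account`.

        Returns the code the SMS gateway should send, or None when a code was
        issued too recently (throttled). Any earlier outstanding code for the
        account is replaced, so only the newest one will ever verify.
        """
        now = self.clock()
        previous = self._pending.get(account)
        if previous is not None and now - previous.issued_at < self.min_reissue_interval:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
        self._pending[account] = PendingOtp(code=code, issued_at=now)
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Check `submitted` against the single outstanding code for `account`.

        Accepts a code once, only inside its validity window, and discards it
        after max_failures wrong guesses so it cannot be brute forced during
        the window. Expired codes are removed on the way out.
        """
        entry = self._pending.get(account)
        if entry is None:
            return False
        now = self.clock()
        if now - entry.issued_at > self.validity_seconds:
            del self._pending[account]
            return False
        # Constant-time comparison: do not leak matching prefixes via timing.
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[account]  # single use
            return True
        entry.failures += 1
        if entry.failures >= self.max_failures:
            del self._pending[account]
        return False


if __name__ == "__main__":
    # Constructed walk-through with a fake clock instead of real time.
    fake_now = [1_000.0]
    store = OtpStore(clock=lambda: fake_now[0])
    first = store.issue("acct-42")
    print("first code sent:", first)
    print("immediate re-request refused:", store.issue("acct-42") is None)
    fake_now[0] += 60
    second = store.issue("acct-42")
    print("second code sent:", second)
    print("second code accepted:", store.verify("acct-42", second))
    print("replay of second refused:", store.verify("acct-42", second))
```

Accepting only the last code keeps the decision simple for the user ("use the most recent text") and means a code that went astray on the first attempt is dead as soon as the user retries; the throttle then bounds how many messages a single account can cause in a window.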

