[WEB SECURITY] New two-stage login procedure

nowen at wikidsystems.com nowen at wikidsystems.com
Thu Dec 14 07:49:27 EST 2006

The MITM is between the user and the valid website. There is no authentication of the host to the user.   

Nick Owen
WiKID Systems, Inc. 
Commercial/Open Source Two-Factor Authentication    

-----Original Message-----
From: "Esteban Ribičić" <kisero at gmail.com>
Date: Wed, 13 Dec 2006 22:20:52 
To:"Nick Owen" <nowen at wikidsystems.com>
Cc:"Brian Eaton" <eaton.lists at gmail.com>, "Web Security" <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] New two-stage login procedure

Sorry, I don't get it. (yeahhh, I'm newwwww!!)
"In cryptography <http://en.wikipedia.org/wiki/Cryptography>, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised"
Could you explain further? I can't see the relationship.
The user has a password for the site, and a code (like a 4-digit ATM code).
He calls, inputs that 4-digit code, and gets a token.
He logs on to the site with user + password.
What's wrong?
On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:

And it would still be susceptible to a MITM attack, like all 2FA schemes
focused solely on session auth.

Here is my question:  Is it possible to do strong mutual authentication
without using cryptography?  Are the FIs fooling themselves to think


Brian Eaton wrote:
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
>> A smarter way would be:
>> 1) user calls from a defined number (mobile) to a PBX
>> 2) PBX checks any and asks for a code
>> 3) PBX replies with a token
>> user logs in with his normal credentials (bank account and password) +
>> token +
>> "common pool of questions".
>> It's not expensive... Asterisk can do it.
> Caller ID spoofing seems like a problem with this system:
> http://www.securityfocus.com/news/9822
> Regards,
> Brian 

Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

https://www.linkedin.com/in/nickowen
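The following Python simulation is an added example and is not code from any of the posters or from WiKID Systems. It models the scheme Esteban describes (call the PBX from a registered number, enter the 4-digit code, get a token, then log in with user + password + token) and makes Nick's objection concrete: the site's check in `site_login` never depends on which host collected the three values from the user, so an intermediary that relays them unchanged passes exactly as the user would. The `pbx_issue_bound_token` / `site_transfer` variant goes beyond the thread and is an assumption of this example, not something proposed in it: the token becomes an HMAC over the specific transfer the user is authorizing (plus a nonce), so it can be forwarded but not reused for a different action. All users, phone numbers, PINs, account identifiers and secrets are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample enrollment: the site password, the 4-digit phone code,
# the phone number the PBX expects the call to come from, and (for the
# hardened variant only) a high-entropy per-user key shared by PBX and site.
USERS = {
    "alice": {
        "password": "correct horse",
        "pin": "4821",
        "phone": "+15550100",
        "secret": "constructed-per-user-key-do-not-reuse",
    },
}

SESSION_TOKENS = {}           # stage-1 tokens not yet consumed: token -> user
CONSUMED_BOUND_TOKENS = set()  # replay protection for the hardened variant


def _lookup_caller(caller_id, pin):
    """Return the user enrolled with this calling number and PIN, or None."""
    for user, rec in USERS.items():
        if rec["phone"] == caller_id and hmac.compare_digest(rec["pin"], pin):
            return user
    return None


def pbx_issue_token(caller_id, pin):
    """Stage 1 as described in the thread: the user calls the PBX from the
    registered number, keys in the 4-digit code, and receives a token."""
    user = _lookup_caller(caller_id, pin)
    if user is None:
        return None
    token = secrets.token_hex(4)
    SESSION_TOKENS[token] = user
    return token


def site_login(user, password, token):
    """Stage 2: the site checks user + password + token. Note what is absent:
    nothing here identifies the host that collected the values, and the token
    says nothing about what the user intends to do once logged in."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    return SESSION_TOKENS.pop(token, None) == user


def relay_scenario():
    """An intermediary between the user and the site collects the three values
    and forwards them unchanged. The site cannot tell this apart from the user
    typing them into the real site, so the check passes."""
    token = pbx_issue_token("+15550100", "4821")
    collected = ["alice", "correct horse", token]
    return site_login(*collected)


def _bound_mac(user, destination, amount, nonce):
    key = USERS[user]["secret"].encode()
    msg = f"{user}|{destination}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def pbx_issue_bound_token(caller_id, pin, destination, amount):
    """Hardened variant (assumption of this example, not from the thread): over
    the phone the user also keys in the destination and amount being
    authorized, and the token is an HMAC over exactly those details plus a
    fresh nonce. It proves the user approved THIS transfer and nothing else."""
    user = _lookup_caller(caller_id, pin)
    if user is None:
        return None
    nonce = secrets.token_hex(4)
    return f"{nonce}-{_bound_mac(user, destination, amount, nonce)}"


def site_transfer(user, password, destination, amount, token):
    """The site recomputes the MAC over the transfer it is actually asked to
    perform; any field changed in transit makes the MAC fail, and a token is
    accepted only once."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    if token in CONSUMED_BOUND_TOKENS or "-" not in token:
        return False
    nonce, mac = token.split("-", 1)
    if not hmac.compare_digest(_bound_mac(user, destination, amount, nonce), mac):
        return False
    CONSUMED_BOUND_TOKENS.add(token)
    return True


def bound_relay_scenario(tamper):
    """The same intermediary against the hardened variant: forwarded unchanged,
    the user's intended transfer goes through; altered, it is rejected."""
    token = pbx_issue_bound_token("+15550100", "4821", "ACCT-1234", "100.00")
    destination = "ACCT-9999" if tamper else "ACCT-1234"
    return site_transfer("alice", "correct horse", destination, "100.00", token)
```

`relay_scenario()` returns True, which is the whole problem: the stage-1 token authenticates the caller to the bank but binds to neither the host the user is talking to nor the action being taken. `bound_relay_scenario(False)` also returns True, since an unmodified relay still performs what the user asked for, while `bound_relay_scenario(True)` returns False because the intermediary cannot produce a MAC over details the user never approved.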

