[WEB SECURITY] New two-stage login procedure

Henry Troup HenryT at watchfire.com
Thu Dec 14 15:25:04 EST 2006


 -----Original Message-----
From: Nick Owen [mailto:nowen at wikidsystems.com] 
Sent: Wednesday, December 13, 2006 1:05 PM
...

   Here is my question:  Is it possible to do strong mutual authentication
   without using cryptography?  Are the FIs fooling themselves to think
   otherwise?

   nick

I think so.  Yesterday I bought a copy of my credit report online.  After the usual identifying stuff the site asked me five multiple choice questions, like "you have a credit card with last four digits 2468, which of the following institutions granted it...", and "which of these did you most recently open an account with".  Now, this is only possible when the FI holds a huge amount of info - as the credit bureaux do.  And, where I remember certain details accurately.

Not generally applicable, but pretty strong, pretty slow.

A modest database of information provided off-line by the customer provides a reasonably large set of different verifications.  Say, use three from a dozen items?  1320 combinations. Another under-used technique is binary exponential backoff - after one failed logon attempt, introduce a delay of n seconds before displaying either success or failure.  After the next, 2n, after the next, double it again.  And so on.  There's a point at which this overlaps with timed lockout - but it does allow the user a fair number of genuine logon errors before denying service.

And

> The MITM is between the user and the valid website. There is no authentication of the host to the user.   

That's the hard part; because what we're actually after is verifying that the host is the first host in the chain, not relaying.  I most thoroughly checked out the domain registration before I started.  I typed the URL, and I did inspect the SSL certificate.  Is that enough to have absolute confidence?  Well, it was an ad hoc inquiry to a site with which I had no prior contact; but it's a high-value target for someone to poison DNS and so forth.  "I'm paranoid - but am I paranoid enough?"

Henry Troup
Watchfire Corporation
henryt at watchfire.com



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]