[WEB SECURITY] New two-stage login procedure

Brian Eaton eaton.lists at gmail.com
Thu Dec 14 23:06:38 EST 2006

On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:
> Here is my question:  Is it possible to do strong mutual authentication
> without using cryptography?

What about this:

Each user has a password they use to authenticate to a web site, a
phone number, and a "phone-only authentication code" that is printed
on the back of their ATM card.

The user authenticates to their bank with user-id and password.

After the user performs a transaction (or a set of transactions), they
are told they need to confirm the transfers.  They need to call the
number on the back of their ATM card.

They call the number, and a voice-response system asks them to confirm
the details of the transaction.  If the details are correct, they
enter their phone-only authentication code.  Then the transaction is

This system seems fairly resistant to compromised PCs.  A bogus
transaction inserted by a trojan horse would still need to be
confirmed via another route, the phone call.

Phishing could still be a problem, but I suspect it would become less
of a problem once someone had used the system a few times.  People
would learn their role in the protocol without too much trouble, and
they would balk if a phishing site told them to diverge from the

If the phone-only authentication code is compromised, the user gets a
new ATM card and throws away the old one.  If you want to rekey the
system, the phone-only authentication code could be refreshed every
six months or so by sending the user a sticker with their new auth
code.  They attach the sticker to their ATM card, and go on their way.

The heavy use of the voice-response system might increase costs, but
is probably less expensive than issuing everybody hardware tokens.

And because the customer calls the bank, instead of the bank calling
the customer's home number, the system copes well with customers who
are traveling.  No unexpectedly locked accounts just because the bank
couldn't reach the customer at home.  Instead, the customer uses the
same system in the same way, no matter where they are.


The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list