[WEB SECURITY] New two-stage login procedure

Nick Owen nowen at wikidsystems.com
Fri Dec 15 13:51:11 EST 2006

Henry Troup wrote:
> -----Original Message----- From: Nick Owen
> [mailto:nowen at wikidsystems.com] Sent: Wednesday, December 13, 2006
> 1:05 PM ...
> Here is my question:  Is it possible to do strong mutual
> authentication without using cryptography?  Are the FIs fooling
> themselves to think otherwise?
> nick
> I think so.  Yesterday I bought a copy of my credit report online.
> After the usual identifying stuff the site asked me five multiple
> choice questions, like "you have a credit card with last four digits
> 2468, which of the following institutions granted it...", and "which
> of these did you most recently open an account with".  Now, this is
> only possible when the FI holds a huge amount of info - as the credit
> bureaux do.  And, where I remember certain details accurately.
> Not generally applicable, but pretty strong, pretty slow.
> A modest database of information provided off-line by the customer
> provides a reasonably large set of different verifications.  Say, use
> three from a dozen items?  1320 combinations.

Not sure I follow. How does this validate a host to the user?  Could
there not still be a MITM?

> Another under-used
> technique is binary exponential backoff - after one failed logon
> attempt, introduce a delay of n seconds before displaying either
> success or failure.  After the next, 2n, after the next, double it
> again.  And so on.  There's a point at which this overlaps with timed
> lockout - but it does allow the user a fair number of genuine logon
> errors before denying service.
> And
>> The MITM is between the user and the valid website. There is no
>> authentication of the host to the user.
> That's the hard part; because what we're actually after is verifying
> that the host is the first host in the chain, not relaying.  I most
> thoroughly checked out the domain registration before I started.  I
> typed the URL, and I did inspect the SSL certificate.  Is that enough
> to have absolute confidence?  Well, it was an ad hoc inquiry to a
> site with which I had no prior contact; but it's a high-value target
> for someone to poison DNS and so forth.  "I'm paranoid - but am I
> paranoid enough?"

No prior contact makes it hard.  Clearly asking people to validate a
cert doesn't work.  Doing it with software on the client (and a
pre-established relationship) is easy.  E.g., our software token will
validate the cert for the user before presenting the OTP.


Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
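The binary exponential backoff Henry describes above, as an added example that is not part of the original thread or of any product mentioned in it: a per-account throttle that answers the next logon attempt only after n, 2n, 4n ... seconds whether it succeeds or fails, and turns into a lockout once the counter reaches a threshold. The `lockout_after` policy, the `simulate` helper and the demo credential store are my assumptions.

```python
import time
from typing import Callable, Dict, List, Tuple


class LoginThrottle:
    """Per-account binary exponential backoff for a logon endpoint.

    After the k-th consecutive failure the next attempt is answered only
    after base_delay * 2**(k-1) seconds, whether it succeeds or fails, so
    the response time itself reveals nothing about the outcome.
    """

    def __init__(self, base_delay: float = 2.0, lockout_after: int = 8,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.base_delay = base_delay          # the "n seconds" of the post
        self.lockout_after = lockout_after    # assumed lockout threshold
        self._sleep = sleep                   # injectable so tests need not wait
        self._failures: Dict[str, int] = {}   # consecutive failures per account

    def pending_delay(self, account: str) -> float:
        """Delay owed on the next attempt: 0, n, 2n, 4n, ... seconds."""
        k = self._failures.get(account, 0)
        return 0.0 if k == 0 else self.base_delay * 2 ** (k - 1)

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.lockout_after

    def attempt(self, account: str, password: str,
                verify: Callable[[str, str], bool]) -> bool:
        """Run one logon attempt; returns True only on a genuine success."""
        if self.is_locked(account):
            return False                      # backoff has become a lockout
        delay = self.pending_delay(account)
        ok = verify(account, password)        # the real credential check
        if delay:
            self._sleep(delay)                # applied to success and failure alike
        if ok:
            self._failures.pop(account, None)  # genuine user: counter resets
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return ok


_DEMO_USERS = {"alice": "correct horse"}     # constructed demo store, not real creds


def _demo_verify(account: str, password: str) -> bool:
    return _DEMO_USERS.get(account) == password


def simulate(passwords: List[str], base_delay: float = 2.0,
             lockout_after: int = 8) -> Tuple[List[bool], List[float]]:
    """Feed a sequence of guesses for 'alice'; return (results, delays slept)."""
    delays: List[float] = []
    throttle = LoginThrottle(base_delay, lockout_after, sleep=delays.append)
    results = [throttle.attempt("alice", p, _demo_verify) for p in passwords]
    return results, delays
```

With three wrong guesses followed by the right password, `simulate` reports the user getting in after delays of 2, 4 and 8 seconds; with `lockout_after=3` the correct password is refused once the counter has reached the threshold.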
