[WEB SECURITY] New two-stage login procedure
nowen at wikidsystems.com
Fri Dec 15 13:51:11 EST 2006
Henry Troup wrote:
> -----Original Message----- From: Nick Owen
> [mailto:nowen at wikidsystems.com] Sent: Wednesday, December 13, 2006
> 1:05 PM ...
> Here is my question: Is it possible to do strong mutual
> authentication without using cryptography? Are the FIs fooling
> themselves to think otherwise?
> I think so. Yesterday I bought a copy of my credit report online.
> After the usual identifying stuff the site asked me five multiple
> choice questions, like "you have a credit card with last four digits
> 2468, which of the following institutions granted it...", and "which
> of these did you most recently open an account with". Now, this is
> only possible when the FI holds a huge amount of info - as the credit
> bureaux do. And, where I remember certain details accurately.
> Not generally applicable, but pretty strong, pretty slow.
> A modest database of information provided off-line by the customer
> provides a reasonably large set of different verifications. Say, use
> three from a dozen items? 1320 combinations.
Not sure I follow. How does this validate a host to the user? Could
there not still be a MITM?
> technique is binary exponential backoff - after one failed logon
> attempt, introduce a delay of n seconds before displaying either
> success or failure. After the next, 2n, after the next, double it
> again. And so on. There's a point at which this overlaps with timed
> lockout - but it does allow the user a fair number of genuine logon
> errors before denying service.
>> The MITM is between the user and the valid website. There is no
>> authentication of the host to the user.
> That's the hard part; because what we're actually after is verifying
> that the host is the first host in the chain, not relaying. I most
> thoroughly checked out the domain registration before I started. I
> typed the URL, and I did inspect the SSL certificate. Is that enough
> to have absolute confidence? Well, it was an ad hoc inquiry to a
> site with which I had no prior contact; but it's a high-value target
> for someone to poison DNS and so forth. "I'm paranoid - but am I
> paranoid enough?"
No prior contact makes it hard. Clearly asking people to validate a
cert doesn't work. Doing it with software on the client (and a
pre-established relationship) is easy. E.g., our software token will
validate the cert for the user before presenting the OTP.
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
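The binary exponential backoff Henry describes above (delay n seconds after the first failed logon, 2n after the next, doubling until it overlaps with a timed lockout, and only then reporting success or failure) can be written as a small login gate. The code below is an added illustration, not code from the thread or from WiKID; the account names, passwords, the `BackoffGate` and `FakeClock` classes and the `lockout_after` threshold are all constructed for the example.

```python
"""Added example: exponential backoff login gate (not from the thread).

Key points the quoted text makes and this code enforces:
  * the delay is applied before *either* success or failure is revealed,
    so an attacker cannot tell a wrong guess from a right one any faster;
  * after enough failures the doubling delay is replaced by a timed lockout.
"""
import hashlib
import hmac
import os
import time


def _hash_password(password, salt, iterations=10_000):
    # PBKDF2 keeps the per-attempt cost the same for every account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Dummy record used for unknown usernames so the hashing cost (and thus the
# response time) does not reveal whether an account exists.
_DUMMY_SALT = b"dummy-salt-for-unknown-users"
_DUMMY_DIGEST = _hash_password("not-a-real-password", _DUMMY_SALT)


def _check_password(record, password):
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    matched = hmac.compare_digest(_hash_password(password, salt), digest)
    return matched and record is not None


class FakeClock:
    """Simulated clock so the example runs without real sleeping."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds
    def advance(self, seconds):
        self.t += seconds


class BackoffGate:
    """Per-account binary exponential backoff with a timed lockout.

    `clock` and `sleep` are injectable for testing. Assumption: a real
    deployment would keep `_state` in shared storage across app servers.
    """
    def __init__(self, credentials, base_delay=1.0, lockout_after=6,
                 lockout_seconds=900, clock=time.monotonic, sleep=time.sleep):
        self._creds = credentials
        self.base_delay = base_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._sleep = sleep
        self._state = {}  # username -> {"failures": int, "locked_until": float}

    def delay_for(self, failures):
        """0 before any failure, then n, 2n, 4n, ... seconds."""
        if failures == 0:
            return 0.0
        return self.base_delay * (2 ** (failures - 1))

    def attempt(self, username, password):
        st = self._state.setdefault(username, {"failures": 0, "locked_until": 0.0})
        if self._clock() < st["locked_until"]:
            return "locked"  # timed lockout: no password check, no delay
        # Decide the outcome first, but reveal nothing until the delay has elapsed.
        ok = _check_password(self._creds.get(username), password)
        self._sleep(self.delay_for(st["failures"]))
        if ok:
            st["failures"] = 0
            return "success"
        st["failures"] += 1
        if st["failures"] >= self.lockout_after:
            st["locked_until"] = self._clock() + self.lockout_seconds
            return "locked"
        return "failure"


# Constructed sample accounts (not real credentials).
SAMPLE_CREDENTIALS = {
    "alice": make_record("correct horse"),
    "bob": make_record("battery staple"),
}

if __name__ == "__main__":
    clock = FakeClock()
    gate = BackoffGate(SAMPLE_CREDENTIALS, base_delay=1.0, lockout_after=4,
                       lockout_seconds=60, clock=clock.now, sleep=clock.sleep)
    for pw in ["nope", "nope", "nope", "nope", "correct horse"]:
        print(f"t={clock.now():5.1f}s  alice/{pw!r:16} -> {gate.attempt('alice', pw)}")
```

Note that the delay is also paid on a correct password that follows failed attempts, and that the dummy-record comparison keeps the timing of a non-existent username indistinguishable from a wrong password; both close the side channels that a plain "delay on failure only" implementation would leave open.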