[WEB SECURITY] New two-stage login procedure

Nick Owen nowen at wikidsystems.com
Fri Dec 15 13:51:21 EST 2006

Brian Eaton wrote:
> On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:
>> Here is my question:  Is it possible to do strong mutual authentication
>> without using cryptography?
> What about this:
> Each user has a password they use to authenticate to a web site, a
> phone number, and a "phone-only authentication code" that is printed
> on the back of their ATM card.
> The user authenticates to their bank with user-id and password.
> After the user performs a transaction (or a set of transactions), they
> are told they need to confirm the transfers.  They need to call the
> number on the back of their ATM card.
> They call the number, and a voice-response system asks them to confirm
> the details of the transaction.  If the details are correct, they
> enter their phone-only authentication code.  Then the transaction is
> completed.

I would describe this as 'transaction authentication' (somewhere south
of a digital signature?).  I am of the opinion that certain transactions
will require this type of security eventually.  Though, you could do
this with a hardware token or a cryptographically distinct software
token.  Any out-of-bounds solution would help prevent malware attacks.
I think this would be very useful for online brokerage accounts, where
it is hard to do transaction analysis and speed is often critical.
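The flow Brian describes above (a transfer parked by the web session, then read back and confirmed over the phone with the card code), modelled as an added example; this is illustrative code written for this post, not anything from either author or from a real bank system, and the class and method names, the hashed storage of the card code, the 10-minute expiry and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def hash_code(user_id: str, code: str) -> str:
    # The phone-only code is a fixed secret, so store it slow-hashed (assumption:
    # PBKDF2 with the user id as salt) and never in the clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), user_id.encode(), 100_000).hex()


@dataclass
class Bank:
    users: dict                                   # user_id -> hashed card code
    pending: dict = field(default_factory=dict)   # txn_id -> transfer awaiting phone confirmation
    completed: list = field(default_factory=list)
    ttl: int = 600                                # seconds a pending transfer stays confirmable

    # Web channel: after password login a transfer is only parked, never executed.
    def submit_transfer(self, user_id: str, payee: str, amount: str) -> str:
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = {"user": user_id, "payee": payee, "amount": amount,
                                "created": time.time(), "tries": 0}
        return txn_id

    # Phone channel: the voice-response system reads the stored details back,
    # so a transfer altered by malware in the browser is what the caller hears.
    def read_back(self, txn_id: str):
        p = self.pending.get(txn_id)
        return None if p is None else f"Transfer {p['amount']} to {p['payee']}?"

    # Phone channel: caller accepts or rejects the details and keys the card code.
    def confirm(self, txn_id: str, user_id: str, details_ok: bool, code: str) -> str:
        p = self.pending.get(txn_id)
        if p is None or p["user"] != user_id:
            return "unknown"
        if time.time() - p["created"] > self.ttl:
            del self.pending[txn_id]
            return "expired"
        if not details_ok:
            del self.pending[txn_id]          # rejected transfers are dropped, not retried
            return "rejected"
        p["tries"] += 1
        if not hmac.compare_digest(hash_code(user_id, code), self.users[user_id]):
            if p["tries"] >= 3:               # limit guessing of the short code
                del self.pending[txn_id]
            return "bad_code"
        self.completed.append(self.pending.pop(txn_id))   # one-time: id is consumed
        return "completed"
```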
