[WEB SECURITY] New two-stage login procedure
Nick Owen
nowen at wikidsystems.com
Fri Dec 15 13:51:21 EST 2006
Brian Eaton wrote:
> On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:
>> Here is my question: Is it possible to do strong mutual authentication
>> without using cryptography?
>
> What about this:
>
> Each user has a password they use to authenticate to a web site, a
> phone number, and a "phone-only authentication code" that is printed
> on the back of their ATM card.
>
> The user authenticates to their bank with user-id and password.
>
> After the user performs a transaction (or a set of transactions), they
> are told they need to confirm the transfers. They need to call the
> number on the back of their ATM card.
>
> They call the number, and a voice-response system asks them to confirm
> the details of the transaction. If the details are correct, they
> enter their phone-only authentication code. Then the transaction is
> completed.
I would describe this as 'transaction authentication' (somewhere south
of a digital signature?). I am of the opinion that certain transactions
will require this type of security eventually. Though, you could do
this with a hardware token or a cryptographically distinct software
token. Any out-of-bounds solution would help prevent malware attacks.
I think this would be very useful for online brokerage accounts, where
it is hard to do transaction analysis and speed is often critical.
nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
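A working sketch of the two-stage flow Brian describes above (web login, then a phone-only code confirming one specific transfer), written as an added example for this archive; it is not code from the thread or from WiKID Systems. Everything beyond the post is an assumption and marked as such in the code: the bank stores salted hashes of both the password and the phone-only code, a pending transfer expires after a fixed time, repeated wrong codes cancel the transfer, and a confirmation is bound to exactly one pending transfer so it cannot be replayed against another.

```python
"""Two-stage transaction confirmation with an out-of-band phone channel.

Constructed example illustrating the flow described in the thread; not code
from the post or from WiKID Systems. Assumptions not in the original: salted
hashes for both secrets, a pending-transfer lifetime, an attempt limit, and a
confirmation bound to one transfer (the amount and destination the IVR reads
back) so an approval cannot be replayed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# In-memory stores standing in for the bank's database (constructed).
ACCOUNTS: dict[str, dict] = {}
SESSIONS: dict[str, str] = {}      # web session token -> user_id
TRANSFERS: dict[str, dict] = {}    # transfer_id -> transfer record

PENDING_TTL_SECONDS = 300          # assumption: phone confirmation must arrive within 5 minutes
MAX_CODE_ATTEMPTS = 3              # assumption: repeated bad codes cancel the transfer


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the password nor the phone-only code is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def enroll(user_id: str, password: str, phone_code: str) -> None:
    """Register the web password and the phone-only code printed on the card."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[user_id] = {
        "salt": salt,
        "password_hash": _kdf(password, salt),
        "phone_code_hash": _kdf(phone_code, salt),
    }


def web_login(user_id: str, password: str) -> str | None:
    """Stage 1: user-id and password on the web channel. Returns a session token or None."""
    acct = ACCOUNTS.get(user_id)
    if acct is None:
        return None
    if not hmac.compare_digest(_kdf(password, acct["salt"]), acct["password_hash"]):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def submit_transfer(session: str, destination: str, amount: int,
                    now: float | None = None) -> str | None:
    """The web channel only records the transfer as pending; it cannot complete it."""
    user_id = SESSIONS.get(session)
    if user_id is None:
        return None
    transfer_id = secrets.token_hex(8)
    TRANSFERS[transfer_id] = {
        "user_id": user_id,
        "destination": destination,
        "amount": amount,
        "created_at": now if now is not None else time.time(),
        "state": "pending",
        "attempts": 0,
    }
    return transfer_id


def ivr_prompt(user_id: str, transfer_id: str) -> str | None:
    """What the voice-response system reads back before asking for the code."""
    t = TRANSFERS.get(transfer_id)
    if t is None or t["user_id"] != user_id or t["state"] != "pending":
        return None
    return f"Transfer {t['amount']} to {t['destination']}. Confirm, then enter your code."


def phone_confirm(user_id: str, transfer_id: str, phone_code: str,
                  now: float | None = None) -> bool:
    """Stage 2: the phone-only code completes exactly this pending transfer, once."""
    now = now if now is not None else time.time()
    acct = ACCOUNTS.get(user_id)
    t = TRANSFERS.get(transfer_id)
    if acct is None or t is None or t["user_id"] != user_id:
        return False
    if t["state"] != "pending":
        return False                      # already completed or cancelled: no replay
    if now - t["created_at"] > PENDING_TTL_SECONDS:
        t["state"] = "expired"
        return False
    t["attempts"] += 1
    if not hmac.compare_digest(_kdf(phone_code, acct["salt"]), acct["phone_code_hash"]):
        if t["attempts"] >= MAX_CODE_ATTEMPTS:
            t["state"] = "cancelled"      # guessing the code cancels rather than completes
        return False
    t["state"] = "completed"
    return True


def transfer_state(transfer_id: str) -> str | None:
    t = TRANSFERS.get(transfer_id)
    return None if t is None else t["state"]


if __name__ == "__main__":
    enroll("alice", "correct horse", "4711")       # constructed credentials
    s = web_login("alice", "correct horse")
    tid = submit_transfer(s, "ACME Brokerage", 2500)
    print(ivr_prompt("alice", tid))
    print(phone_confirm("alice", tid, "4711"), transfer_state(tid))
```

The point the sketch makes is the separation of channels: the web session can create a pending transfer but has no path to complete it, and the phone-only code is only ever checked against one specific transfer whose details the IVR has just read back, which is what gives malware on the browser side nothing to replay.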
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
More information about the websecurity
mailing list