websecurity@lists.webappsec.org

The Web Security Mailing List


Multi factor authentication

Subin T.K
Thu, Jan 22, 2015 3:34 AM

Does the order of verifying credentials matter in multi-factor
authentication, especially in web sites that take user ID and password on
the same page?

For example:

Verify username + password first and, if successful, then verify the challenge
(device identification / security questions / SMS code etc.)

Or

Verify the challenge first (device identification / security questions /
SMS code etc.) and then verify the username + password.

What would be a better option ?

Thanks
Subin

Paul Johnston
Thu, Jan 22, 2015 9:56 AM

Hi Subin,

For SMS verification, there's usually a cost with sending each SMS, so
you verify the password first, then send the SMS code.

For one-time password verification, usual practice is to ask for all
three at once: user name, password, code. And you only respond with
either a successful login or an access denied message - don't say "bad
password" or "bad code".

Paul

On 22/01/2015 03:34, Subin T.K wrote:

> Does the order of verifying credentials matter in multi-factor
> authentication, especially in web sites that take user ID and password
> on the same page?
>
> For example:
>
> Verify username + password first and, if successful, then verify the
> challenge (device identification / security questions / SMS code etc.)
>
> Or
>
> Verify the challenge first (device identification / security
> questions / SMS code etc.) and then verify the username + password.
>
> What would be a better option?
>
> Thanks
> Subin
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
Pentest - The Application Security Specialists
Shortlisted for Best Security Company, SC Magazine Europe 2014

Pentest Limited
Paul Johnston - IT Security Consultant / CREST Web App Tester
Office : +44 (0) 161 233 0100
Mobile : +44 (0) 7817 219 072
Email policy : http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: : 4217114 England & Wales
Registered Office: : 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
Certifications : ISO 9001 (50155) / ISO 27001 (IS 558982)

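Both of Paul's recommendations, as an added Python example that is not part of the thread and not anyone's production code: the OTP variant, where username, password and code are submitted together, both checks always run and the caller sees only pass/fail (shown next to the leaky per-factor version it replaces), and the SMS variant, where the password is verified before the paid SMS goes out. It goes one step beyond the reply by running the same hashing and TOTP work for unknown usernames (a stand-in record) so the response time does not reveal whether the account exists. The user store, salt, phone number and the `send_sms` callback are constructed for the example; the TOTP seed is the RFC 6238 test seed so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example user store (not from the post): a salted PBKDF2
# password hash, a TOTP seed and a phone number per user.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app defaults)."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side; no early return."""
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret, at + drift * 30).encode(), code.encode())
    return ok


_SALT = bytes(range(16))                   # constructed; use os.urandom(16) per user
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test seed
        "phone": "+15555550100",               # constructed
    },
}
# Stand-in record for unknown usernames, so the same hashing and TOTP work
# is done whether or not the account exists (no timing / enumeration oracle).
_DUMMY = {"salt": _SALT, "pw_hash": hash_password("unused", _SALT),
          "totp_secret": secrets.token_bytes(20), "phone": ""}


def password_ok(record: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])


def login_leaky(username: str, password: str, code: str, at: int) -> str:
    """What NOT to do: checks the factors in sequence and reports which one
    failed, so a password can be confirmed without owning the second factor."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not password_ok(user, password):
        return "bad password"
    if not verify_totp(user["totp_secret"], code, at):
        return "bad code"
    return "ok"


def login(username: str, password: str, code: str, at: int) -> bool:
    """OTP variant from the reply: all three submitted together, both checks
    always run, and the caller learns only success or failure."""
    user = USERS.get(username, _DUMMY)
    pw_ok = password_ok(user, password)
    code_ok = verify_totp(user["totp_secret"], code, at)
    return (username in USERS) & pw_ok & code_ok   # '&', not 'and': no short-circuit


PENDING_SMS: dict = {}


def sms_login_step1(username: str, password: str, send_sms) -> bool:
    """SMS variant from the reply: verify the password first and pay for an SMS
    only when it is right. Returns whether a code was dispatched."""
    user = USERS.get(username, _DUMMY)
    if not (password_ok(user, password) & (username in USERS)):
        return False
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING_SMS[username] = otp          # step 2 compares with hmac.compare_digest
    send_sms(user["phone"], otp)         # assumed gateway callback (phone, text)
    return True


if __name__ == "__main__":
    now = 1234567890                     # RFC 6238 vector: 6-digit SHA1 code is 005924
    code = totp(USERS["alice"]["totp_secret"], now)
    print(login("alice", "correct horse battery staple", code, now))
```

The point of `&` over `and` in `login` is that the TOTP check runs even when the password is wrong, so a wrong password and a wrong code take the same time and produce the same single result; `login_leaky` is the shape to avoid. For the SMS step, a real deployment would also rate-limit `sms_login_step1` per account and per source address, since a correct password now costs the operator money each time it is replayed.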