
Public Websites & Six Digit Authentication

  • 01-05-2008 10:24am
    #1
    Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭


    Hi all.

    Please bear with me while I try to explain what I would like to achieve. I don't know the correct terms for what exactly I'm looking for, but hopefully I can explain myself.

    We are building a public-facing website; to access the website you put in your username and password and your six-digit code.

    It's this six-digit code that I'm having trouble with. If anyone has used the w.ros.ie (Revenue Online) or Reach Services site, I'm looking to build something that does the exact same thing.

    Every user is given a six-digit code, posted out to them. When they access the site, they are asked for a username and password and three random digits from their six-digit code.

    I.e. (my code is 345678)
    So when I access the site it asks me for 3 of the digits.

    1st 2nd 3rd 4th 5th 6th
    x ? x ? ? x

    So in this case my code would be x.4.x.6.7.x

    Does anyone know what this type of authentication is called or, even better, a product that does this?

    I've spent a long time googling this but because I don't know exactly what it is I'm looking for, it's difficult to find answers.

    A lot of banks are going down this route for their Internet Banking so I can't see why it couldn't be used on a very small scale.

    Any help or advice would be much appreciated!


Comments

  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Why not use the Yubikey instead? A zillion times more secure.

    If there is a keyboard logger on the client computer, your 3 out of 6 code entry system could be cracked by monitoring a handful of logins.

    The technology is called multi-factor authentication (MFA).

    See: http://www.boards.ie/vbulletin/showthread.php?t=2055285334

    Listen to the netcast:
    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-143.mp3


    .probe


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    I know the authentication you are talking about - used on websites like BoI's as well. I don't know a name that would describe this sort of technique, and whether it has one.


    1) I haven't really thought about it, but I'm not convinced how useful this technique is.
    I guess it's designed to stop an attacker stealing the entire 6 digit token in any one attack, but it does nothing against MITM attacks, or a keylogger that can grab repeated sessions.
    There would also seem to be only 6C3 (i.e. 20, unless my maths is wrong) different combinations of positions it asks for, which doesn't lead to a terribly large number of times to have to reload a page to be asked for the 3 digits you did capture, if you are an attacker.
    It's difficult to see, at first glance, quite how useful this actually is as a security mechanism.
    Maybe I'm missing some important benefit here, as it is widely deployed as you say... Anyone? You might indeed be better off spending the time on adding another authentication factor (as probe suggested in the advertisement-like post above).
    Static M.e. wrote: »
    Does anyone know what this type of authentication is called or even better a product that does this?
    I've spent a long time googling this but because I don't know exactly what it is I'm looking for, it's difficult to find answers.

    2) This sort of mechanism doesn't seem terribly hard to build from a programming point of view.
    I'm not sure what sort of answers or details you are looking for - it almost sounds from your post that you are after some sort of tutorial, or cookbook solution to implementing this sort of thing.
    If you find implementing this security mechanism difficult, you should be very careful about taking on the task of building a secure website, as there's a lot of subtle mistakes you can make that could lead to your security being easily compromised.

    That said, I may be reading your query wrong, perhaps you could provide more details on what information you are after?
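    The weakness fergalr and probe describe (an observer who watches a handful of logins learns the whole code, and only 6C3 = 20 position subsets exist) is easy to quantify. The following is an added example, not code from the thread or from any of the sites named in it. It models the OP's scheme with the code 345678 from the first post, assumes the server picks the three positions uniformly at random, and works out both by simulation and exactly how many observed logins a passive attacker needs before every digit is known.

```python
"""Model of the "3 random digits of a 6-digit code" login step and of a
passive observer who records logins.  Added example; the uniform choice of
positions and the code 345678 are assumptions taken from the thread."""
import itertools
import random
import secrets
from math import comb

CODE_LEN = 6   # digits in the code posted to the user
ASKED = 3      # digits requested at each login


def all_challenges(code_len=CODE_LEN, asked=ASKED):
    """Every distinct set of positions the site can ask for: C(6, 3) = 20."""
    return [frozenset(c) for c in itertools.combinations(range(code_len), asked)]


def issue_challenge(rng=None, code_len=CODE_LEN, asked=ASKED):
    """Server side: pick the positions to ask for, uniformly at random (assumed)."""
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(code_len), asked))


def verify_response(stored_code, positions, response):
    """Server side: check the digits typed for the requested positions.
    Any of the 20 subsets may be asked, so the server needs the individual
    digits; it cannot keep only a salted hash of the whole code."""
    expected = "".join(stored_code[p] for p in positions)
    return secrets.compare_digest(expected, response)


class Observer:
    """Passive attacker (keylogger, shoulder-surfer, MITM) who records what is
    asked and what is typed at each login."""

    def __init__(self, code_len=CODE_LEN):
        self.code_len = code_len
        self.known = {}  # position -> digit seen for it

    def record(self, positions, response):
        for pos, digit in zip(positions, response):
            self.known[pos] = digit

    def answerable(self):
        """Challenges the attacker could already pass with the digits seen so far."""
        return [c for c in all_challenges(self.code_len) if c.issubset(self.known)]

    def recovered_code(self):
        """The full code once every position has been observed, else None."""
        if len(self.known) < self.code_len:
            return None
        return "".join(self.known[p] for p in range(self.code_len))


def logins_until_recovered(code, rng):
    """Replay honest logins until the observer holds every digit."""
    obs = Observer(len(code))
    logins = 0
    while obs.recovered_code() is None:
        positions = issue_challenge(rng, len(code))
        response = "".join(code[p] for p in positions)  # what the real user types
        if verify_response(code, positions, response):
            obs.record(positions, response)
            logins += 1
    return logins


def average_logins(trials=3000, seed=1, code="345678"):
    """Monte Carlo estimate of the logins an observer needs (seeded, repeatable)."""
    rng = random.Random(seed)
    return sum(logins_until_recovered(code, rng) for _ in range(trials)) / trials


def expected_logins(code_len=CODE_LEN, asked=ASKED):
    """Exact expectation, by inclusion-exclusion over sets of still-unseen
    positions: E[T] = 1 + sum_j (-1)^(j+1) C(n, j) p_j / (1 - p_j), where
    p_j = C(n-j, a) / C(n, a) is the chance one login skips j given positions."""
    total = comb(code_len, asked)
    e = 1.0  # P(T > 0) = 1: at least one login is always needed
    for j in range(1, code_len + 1):
        p = comb(code_len - j, asked) / total
        if p:
            e += (-1) ** (j + 1) * comb(code_len, j) * p / (1 - p)
    return e


if __name__ == "__main__":
    code = "345678"            # the OP's example code
    positions = [1, 3, 4]      # the OP's example: 2nd, 4th and 5th digits
    typed = "".join(code[p] for p in positions)
    print("challenge", [p + 1 for p in positions], "user types", typed,
          "accepted:", verify_response(code, positions, typed))
    obs = Observer()
    obs.record(positions, typed)
    print("after 1 observed login the attacker can pass",
          len(obs.answerable()), "of", len(all_challenges()), "challenges")
    print("exact expected logins to learn the whole code: %.2f" % expected_logins())
    print("Monte Carlo estimate over 3000 runs: %.2f" % average_logins())
```

    Running it shows that after one observed login the attacker can already pass 1 of the 20 possible challenges (so, as fergalr notes, reloading until that challenge comes up is cheap), and that the exact expected number of honest logins an observer must see before holding the entire code is about 4.3, which the seeded Monte Carlo run reproduces. The design consequence in `verify_response` is worth noting too: because any of the 20 subsets may be asked, the server must hold the individual digits, so the code cannot be protected with a single salted hash the way an ordinary password can.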


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    fergalr wrote: »
    (as probe suggested in the advertisement-like post above).
    Probe is not for sale…

    OpenID (www.openid.net) with multi-factor authentication is the only way to go. It is up to the user if they want to use yubikey or any other alternative.

    It allows you to have one super-secure login for your email, bank account, payment card, corporate vpn, government services …. it might even end up as your car key…

    .probe


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey




  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Thanks for the responses, I started reading yesterday and ended up following tangents all over the web on OpenID, Security and MFA! good reading though.

    I would prefer to go down the road of having something like the Yubikey instead, but they tried the RSA keys here before and it left a bad taste, mostly because it wasn't managed properly.
    fergalr wrote: »
    2) This sort of mechanism doesn't seem terribly hard to build from a programming point of view.
    I'm not sure what sort of answers or details you are looking for - it almost sounds from your post that you are after some sort of tutorial, or cookbook solution to implementing this sort of thing.
    If you find implementing this security mechanism difficult, you should be very careful about taking on the task of building a secure website, as there's a lot of subtle mistakes you can make that could lead to your security being easily compromised.

    I'm not a security admin or a programmer by any stretch of the imagination; this was just a task I was asked to look into by management. It's not something I personally am for, I would be perfectly happy using a key card.

    I suppose I was really looking to find out what the name of this type of technology was, so I could google it more and see what people think about it. You can see a lot of the banks and such using it, so I presumed it was quite common out in the security world. I also thought that once I got the actual name I could go off and find out what it would take to implement it and the cost involved; I wouldn't be building the actual site myself either.

    One of the reasons they want it here is because it sounds so cheap to build and implement and we could just email keys out to people. The company involved is a charity organization so they use a lot of volunteers and elderly people; if they had to give out Yubikeys (or something similar) to everyone, I don't know first if they would use them and second whether they would just lose them or keep them sitting around the office.

    It's a very hard situation to be in (I feel) because you want to do more and more to make information more accessible but they want less and less security and/or hassle. We have only JUST moved into a situation where they have a username and password for email; computers are still more or less wide open.

    The central idea behind all this is to take back data to one location, so we can back it up centrally and create structures where they can access data remotely and make things easier to manage for them and us.

    Thanks again for your responses, feel free to add, while I continue reading.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Static M.e. wrote: »
    One of the reasons they want it here is because it sounds so cheap to build and implement and we could just email keys out to people. The company involved is a charity organization so they use a lot of volunteers and elderly people; if they had to give out Yubikeys (or something similar) to everyone, I don't know first if they would use them and second whether they would just lose them or keep them sitting around the office.

    It's a very hard situation to be in (I feel) because you want to do more and more to make information more accessible but they want less and less security and/or hassle. We have only JUST moved into a situation where they have a username and password for email; computers are still more or less wide open.

    I understand where you're coming from - that is a tough position to be in.

    It's not a new problem, but you're right, it can be very hard to get resources for security - possibly because people are bad at evaluating the cost/benefit of security until a costly breach happens.

    I would point out that while the system you outline does indeed sound cheap to build, e-mailing people out their passwords (assuming standard cleartext e-mail) is a very insecure way of building website authentication.

    It seems wrong to try to move your password entry to a system that makes it harder for a listening attacker to steal the whole password at once (I assume password entry is over https?) - but then sending the very same full password in the clear over the public internet (e-mail) to the user.

    If you are storing sensitive data, or taking donations through the website or other things like that (I have no idea what the website actually does, or how valuable these logins are, obviously), this could be very dangerous.
    (Boards.ie e-mails passwords, and while it's not safe, there's little to steal - but your bank certainly wouldn't use such a scheme.)


    In terms of talking to management, you might try to educate them to evaluate the potential cost of these problems (e.g. in future reluctance to use your website because of a publicised security issue) when considering the cost of e-mailing passwords. Sitting down and estimating how much, roughly, in monetary terms such a breach would cost the organisation, and estimating how likely such a breach is to happen given current security, might be worthwhile, as it helps make these things tangible for management.
    Static M.e. wrote: »
    The central idea behind all this is to take back data to one location, so we can back it up centrally and create structures where they can access data remotely and make things easier to manage for them and us.
    Knowing very little about the system, I would just say if this data is in any way personal, or critical, or subject to data protection laws, be very careful, as if the security isn't up to standard it also means you are centralising a lot of data which is now easy to lose all at once.
    Static M.e. wrote: »
    I'm not a security admin or a programmer by any stretch of the imagination; this was just a task I was asked to look into by management. It's not something I personally am for, I would be perfectly happy using a key card.
    Tread carefully with such a project, especially if you'll be the one tasked with implementing it - make sure to give your management a realistic appraisal of the situation, and your abilities, so they can make an informed decision.


  • Closed Accounts Posts: 2,055 ✭✭✭probe



    I have read this article. It is not relevant here because it only considers OpenID without MFA.

    MFA products were created to make stolen passwords useless.

    It seems to me that using MFA and a “bankable” OpenID provider, the exploits outlined would not work. I.e. you would press the little green button on the Yubikey every time when performing an OpenID login, causing a unique one-time authentication to be sent to the OpenID provider. This, combined with your user ID and password, would give them the go-ahead to confirm your authenticity.

    By “bankable” OpenID provider I don’t mean Yahoo!, Google or similar. Perhaps not the ECB – but it might be an insurance-company-backed operation where there were deep pockets to back up the credibility of the operation and compensation for any losses incurred as a result of their negligence.

    This could be the client equivalent of the EV (Extended Validation) SSL certificates which provide a green bar in your browser when you have a secure connection to a website with the ***** EV SSL certificate.

    .probe

