Slashdot Mirror
Secure Ways to Determine 'Something You Have'?
Steve Cerruti asks: "My credit union is implementing multi-factor authentication for online banking. They are following guidelines provided by the Federal Financial Institutions Examination Council as outlined in Authentication in an Internet Banking Environment (PDF). As you are already required to enter a password, 'something you know' is covered. 'Something you are' has significant technical hurdles while 'something you have' is familiar to credit unions in the form of ATM cards.
My credit union chose to implement 'something you have' as a two dimensional lookup table that they email to an address you supply when you initially log in to the online banking service, further access is blocked until you enter a code from the table. New Measures to Make Online Access Safer describes the plan and a short video (FLV) provides further details." For the security conscious among us, do you think this is a decent way to implement the 'something you have' portion of a well secured system, or are there better ways to do it?
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?
Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?
Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"
RSA SecurID is an excellent "what you have". It displays a number that changes every minute, so there's no need for a special interface. Your server has the seeds, so it can figure out what number's being displayed on a given SecurID at any given moment in time.
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"