This is similar to the technology developed by Passmark (acquired by RSA, I suspect because of the banking customers who in a panic deployed it) called SiteKey. I blogged about its weaknesses in 2009: https://www.wikidsystems.com/WiKIDBlog/sitekey-study-released. Google 'sitekey' for more info. It was designed to authenticate the server to the user but utterly fails. While choosing one of many pictures is focused on the user, the analysis is the same.
It doesn't raise the bar at all. Once the attacker is in the middle they can pass anything they want back to the user. Think of it this way: the server is sending the user an image. How hard is that? It is like sending the user text. It is what webservers do and is no stronger than what your webserver already does.

As an example of how to do this with crypto, we added mutual authentication to our 2FA solution. We could do this for two reasons: we use asymmetric encryption instead of shared secrets like most OTP solutions, and our tokens actually talk to the server. In brief, a hash of the targeted site's cert is stored on the WiKID server and delivered with the OTP. Before the user sees the OTP, the token fetches the targeted site's cert, hashes it and compares it to the hash from the server. If they match, the OTP is presented and the default browser launched to the URL. If they do not match, an error is displayed. https://www.wikidsystems.com/learn-more/technology/mutual_authentication. This only works for our PC tokens, but it does work in both the Enterprise and open-source versions.

I don't know if Bank of America still uses it or not. I do know that Yodlee Labs uses it still. To know what RSA thinks of it, search 'sitekey site:rsasecurity.com'.

Hope this provides some info that helps dissuade your Security Office.

Nick

On Fri, Oct 17, 2014 at 3:43 AM, Alberto Cabello Sánchez <[email protected]> wrote:
> On Thu, 16 Oct 2014 11:22:59 -0700 (PDT)
> Andrew Morgan <[email protected]> wrote:
>
>> The pictures would be displayed after the user has entered their username
>> and password (if I understand this correctly).
>
> I don't think so: quoting Bryan, "will be presented with multiple pictures and
> must select the correct one before being prompted for their password".
>
> I think it tries to stop automated abuse with phished credentials rather than
> prevent MITM attacks.
>
> --
> Alberto Cabello Sánchez
> <[email protected]>
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
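A model of the certificate-fingerprint check that Nick's message describes (server stores a hash of the target site's cert, the token hashes the live cert and only reveals the OTP on a match), added here as an illustration and not WiKID's own code. The "certificates" are constructed byte strings standing in for DER-encoded X.509, and the server/token interfaces are assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample "certificates". In a real token these would be the
# DER bytes of the X.509 certificate fetched from the site over TLS.
GENUINE_CERT = b"-----CONSTRUCTED SAMPLE CERT: CN=bank.example-----"
MITM_CERT = b"-----CONSTRUCTED SAMPLE CERT: CN=bank.example (interposed)-----"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class OtpResponse:
    """Assumed wire format: the OTP travels together with the fingerprint
    the token must observe when it fetches the target site's certificate."""
    otp: str
    site_url: str
    expected_fingerprint: str


class AuthServer:
    """Holds the enrolled certificate fingerprint for each protected site."""

    def __init__(self) -> None:
        self._sites: Dict[str, str] = {}

    def enroll_site(self, url: str, cert_der: bytes) -> None:
        self._sites[url] = cert_fingerprint(cert_der)

    def issue_otp(self, url: str, otp: str) -> OtpResponse:
        return OtpResponse(otp, url, self._sites[url])


def token_check(resp: OtpResponse, fetch_cert: Callable[[str], bytes]) -> Optional[str]:
    """Client side: hash the live certificate and compare it to the server's
    fingerprint. Returns the OTP only on a match; None means do not show the
    OTP and do not open the browser (the error path in the message)."""
    live = cert_fingerprint(fetch_cert(resp.site_url))
    if hmac.compare_digest(live, resp.expected_fingerprint):
        return resp.otp
    return None


def demo():
    """Honest connection reveals the OTP; an interposed cert suppresses it."""
    server = AuthServer()
    server.enroll_site("https://bank.example/login", GENUINE_CERT)
    resp = server.issue_otp("https://bank.example/login", "483920")
    honest = token_check(resp, lambda url: GENUINE_CERT)
    intercepted = token_check(resp, lambda url: MITM_CERT)
    return honest, intercepted
```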
