Thanks Nick, That is a good read.
-Bryan

On 10/17/14, 9:54 AM, "Nick Owen" <[email protected]> wrote:

> This is similar to the technology developed by Passmark (acquired by
> RSA, I suspect b/c of the banking customers who in a panic deployed
> it) called Sitekey. I blogged about its weaknesses in 2009:
> https://www.wikidsystems.com/WiKIDBlog/sitekey-study-released. Google
> 'sitekey' for more info. It was designed to authenticate the server
> to the user but utterly fails. While choosing one of many pictures is
> focused on the user, the analysis is the same.
>
> It doesn't raise the bar at all. Once the attacker is in the middle
> they can pass anything they want back to the user. Think of it this way:
> the server is sending the user an image. How hard is that? It is like
> sending the user text. It is what webservers do and is no stronger
> than what your webserver already does.
>
> As an example of how to do this with crypto, we added mutual
> authentication to our 2FA solution. We could do this for two reasons:
> we use asymmetric encryption instead of shared secrets like most OTP
> solutions and our tokens actually talk to the server. In brief, a hash
> of the targeted site's cert is stored on the WiKID server and
> delivered with the OTP. Before the user sees the OTP, the token
> fetches the targeted site's cert, hashes it and compares it to the
> hash from the server. If they match, the OTP is presented and the
> default browser launched to the URL. If they do not match, an error is
> displayed.
> https://www.wikidsystems.com/learn-more/technology/mutual_authentication.
> This only works for our PC tokens, but it does work in both the
> Enterprise and open-source versions.
>
> I don't know if Bank of America still uses it or not. I do know that
> Yodlee Labs uses it still. To know what RSA thinks of it search
> 'sitekey site:rsasecurity.com'.
>
> Hope this provides some info that helps dissuade your Security Office.
>
> Nick
>
> On Fri, Oct 17, 2014 at 3:43 AM, Alberto Cabello Sánchez
> <[email protected]> wrote:
>> On Thu, 16 Oct 2014 11:22:59 -0700 (PDT)
>> Andrew Morgan <[email protected]> wrote:
>>
>>> The pictures would be displayed after the user has entered their
>>> username and password (if I understand this correctly).
>>
>> I don't think so: quoting Bryan, "will be presented with multiple
>> pictures and must select the correct one before being prompted for
>> their password".
>>
>> I think it tries to stop automated abuse with phished credentials
>> rather than prevent MITM attacks.
>>
>> --
>> Alberto Cabello Sánchez
>> <[email protected]>
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
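The certificate-hash check Nick describes above (server stores a hash of the target site's certificate, delivers it with the OTP, token hashes the certificate it actually sees and releases the OTP only on a match) can be sketched in a few lines. The following is an added illustration written for this thread, not WiKID's own code or API; the function names, the `OtpDelivery` record and the two "certificate" byte strings are constructed stand-ins for DER-encoded X.509 data, and the optional network fetch uses only the standard `ssl` module.

```python
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# LEGIT_CERT_DER is what the genuine site serves; MITM_CERT_DER is what a
# user would see if something else terminated TLS between them and the site.
LEGIT_CERT_DER = b"-- constructed DER bytes for login.example.com --"
MITM_CERT_DER = b"-- constructed DER bytes for an interposed certificate --"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class OtpDelivery:
    """What the authentication server hands to the token: the one-time
    passcode plus the fingerprint of the site the user is meant to reach."""
    url: str
    otp: str
    expected_fingerprint: str


def server_issue_otp(url: str, otp: str, registered_cert_der: bytes) -> OtpDelivery:
    """Server side (hypothetical): the hash of the legitimate site's
    certificate was stored at registration time; it is sent with the OTP."""
    return OtpDelivery(url, otp, cert_fingerprint(registered_cert_der))


def token_verify_and_present(delivery: OtpDelivery, fetched_cert_der: bytes) -> Optional[str]:
    """Token side (hypothetical): hash the certificate actually served at the
    URL and compare it with the server-supplied hash. The OTP is returned
    only if they match; None means 'display an error, do not show the OTP'."""
    observed = cert_fingerprint(fetched_cert_der)
    if hmac.compare_digest(observed, delivery.expected_fingerprint):
        return delivery.otp
    return None


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """How a token would obtain the live certificate (network access needed;
    not exercised offline). Standard-library calls only."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    delivery = server_issue_otp("https://login.example.com/", "482913", LEGIT_CERT_DER)
    # Genuine site: OTP is released.
    print("direct connection :", token_verify_and_present(delivery, LEGIT_CERT_DER))
    # Interposed certificate: OTP withheld, user sees an error instead.
    print("interposed cert   :", token_verify_and_present(delivery, MITM_CERT_DER))
```

The point of the comparison is the one Nick makes: an image chosen by the server proves nothing, because whoever sits in the middle simply relays it, whereas a hash of the certificate the client's own TLS connection actually received cannot be relayed without also presenting that certificate's private key. In a real deployment the stored hash has to be rotated whenever the site's certificate is renewed, which is the operational cost of pinning a leaf certificate rather than a key or CA.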
