
When passwords are not sufficient to contain the risk - physical 'tokens'

Multi-factor authentication - what you (1) know, (2) have, (3) are or (4) can do

Validating the identity of a person is the goal that passwords (factor 1 in the list above) seek to achieve, but as well as being 'hackable' and at the mercy of users who do not (and should not need to) understand them, they can be stolen by a wide variety of means. As a result, some businesses, typically banks, are adding a second factor to the way they make sure that it really is you.

I am going to ignore factors 3 and 4 in the list above - the 'who you are' and the 'what you can do' aspects of authenticating a person - as they are relatively new and unproven: biometrics and Turing-style (normally visual) techniques. What you physically have can be a powerful addition to a password but would obviously never replace it, as a thief of the device would then have everything needed.

Web site owners can issue either:

  • Keyfob-sized token generators
  • Palm-sized smart card readers

to individuals, each device being uniquely synchronised with the web site's authentication system.

In the case of key fobs, pressing a button and keying in the one-off, 6 to 8 digit code displayed on the device gives a very, very high probability that the user either:

  1. physically has the device with them - but note that this does not guarantee to the site that it really is you, hence the continued need for good passwords, OR
  2. is an attacker who has compromised the key fob by finding out its serial number and initialisation string - not trivial, but perfectly possible with older devices (e.g. Verisign SecurID) in a targeted attack unless precautions have been taken.
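The 'uniquely synchronised' one-off codes described above are, in current devices, normally produced by the HOTP/TOTP algorithms (RFC 4226 / RFC 6238): fob and server share a per-device secret and each computes an HMAC over a counter or a 30-second time step, so the 6 to 8 digits shown on the fob can be recomputed by the site. What follows is an added example, not code from the original page and not a description of any particular vendor's token: it generates codes the way a fob would and verifies them on the server side with a small clock-drift window and a record of the highest time step already accepted, which is what makes a code genuinely one-off (a captured code cannot be replayed). The shared secret is the RFC 4226 test-vector key, used only so the output can be checked; `TokenVerifier` and the function names are my own.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.
    This is what the key fob computes when its button is pressed."""
    return hotp(secret, int(at_time // step), digits)


class TokenVerifier:
    """Server-side state for one enrolled token (hypothetical class name).

    `window` is how many time steps of clock drift either way are tolerated.
    `last_counter` is the highest time step already accepted: any code from
    that step or an earlier one is refused, so a code can be used only once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than a code already used: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the shared secret is the RFC 4226 test-vector key.
    SECRET = b"12345678901234567890"
    verifier = TokenVerifier(SECRET)
    shown = totp(SECRET, 59)                                    # fob display at t=59
    print("fob shows  ", shown)                                 # 287082
    print("first use  ", verifier.verify(shown, 59))            # True
    print("replayed   ", verifier.verify(shown, 59))            # False: one-off
    print("next step  ", verifier.verify(totp(SECRET, 90), 90)) # True
```

Two details matter for the 'compromised fob' case in point 2: the whole security of the scheme rests on the per-device secret staying in the fob and in the server's store (the serial number alone is useless without it), and the server must refuse a code whose time step is at or below `last_counter`, otherwise a code seen over someone's shoulder remains valid for the rest of the window.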

Smart card reader/writers are now economically viable to give to (some?) online clients - technically they can authenticate you as well as a bank's 'hole in the wall' (ATM) can. What they offer (to the bank!) is a much, much greater capability to manage the interactions that you make, because they can also interact through you at the keyboard so that significant actions are authorised individually, not just the login. For instance, adding a new payee can be validated in addition to the login. I am guessing that the bank would then be able to regard such an action as non-repudiable - i.e. that you cannot deny that it was you at the keyboard and that you instigated the action!

Essentially banks have used this approach for decades - it is the card that you use at the 'hole in the wall'. The advantage that the banks have at the ATM is that the machine can 'swallow' a card if the PIN is entered wrongly several times. The web is of course much, much more anonymous! and 'remote'! but web sites can still block repeated attempts that fail authentication. However, this 'block' cannot be permanent in the way that 'swallowing' a card is, because the 'real user' could then be subjected to a Denial of Service (DoS) attack by unidentifiable criminals - itself a potential opportunity for blackmail (of the bank).
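The 'block, but not permanently' rule in the paragraph above can be written down as a temporary, per-account lockout with a capped back-off: after a number of failures the account is locked for a bounded period that grows with each successive lockout, so repeated guessing is slowed to a crawl while a legitimate user who is being targeted regains access after a known delay instead of being shut out for good. This is an added example, not the page's code; the thresholds and timings are illustrative assumptions, `LoginGuard` and `attempt_login` are my own names, and the clock is passed in rather than read from the system so the behaviour can be checked without waiting.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # lockouts so far; drives the back-off
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    """Temporary lockout policy (hypothetical; the numbers are assumptions)."""
    max_failures: int = 5              # failures allowed before a lockout
    base_lock_seconds: int = 900       # first lockout lasts 15 minutes
    max_lock_seconds: int = 4 * 3600   # never longer than 4 hours: no permanent block
    _state: Dict[str, AccountState] = field(default_factory=dict)

    def seconds_locked(self, account: str, now: float) -> float:
        """Remaining lock time for the account, 0.0 if it is not locked."""
        st = self._state.get(account)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - now)

    def record_failure(self, account: str, now: float) -> float:
        """Count a failure; return the lock duration applied (0.0 if none)."""
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures < self.max_failures:
            return 0.0
        st.lockouts += 1
        # Doubling back-off, capped so the real user is never locked out for good.
        duration = min(self.base_lock_seconds * 2 ** (st.lockouts - 1), self.max_lock_seconds)
        st.locked_until = now + duration
        st.failures = 0
        return duration

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)  # a good login resets everything


def attempt_login(guard: LoginGuard, account: str, credentials_ok: bool, now: float) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the
    credentials, so a correct password is not even evaluated while it holds."""
    if guard.seconds_locked(account, now) > 0:
        return "locked"
    if credentials_ok:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    # Constructed demo: five wrong attempts at t=0, then the real user at t=100 and t=901.
    guard = LoginGuard()
    for _ in range(5):
        print(attempt_login(guard, "alice", False, 0.0))   # denied x5, lock applied on the 5th
    print(attempt_login(guard, "alice", True, 100.0))       # locked (lock still holds)
    print(attempt_login(guard, "alice", True, 901.0))       # ok (lock has expired)
```

The cap on `max_lock_seconds` is the point of the example: it is the web equivalent of not 'swallowing the card'. The attacker's rate of guesses at one account drops to a handful per hour, while the worst a malicious third party can do to the real user is a bounded delay.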

When such a device is available, the need for very high-strength passwords is reduced for that site, but certainly not to a level where a trivial (or 'shared'!) password would be adequate. The lack of a punctuation character or even upper-case letters in a password would probably be acceptable - scores of 50,000 or more in the How strong is YOUR password test, perhaps.

This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 7th August 2007. Please use the Contact us page to suggest any additions or revisions.



News and Information

Your access to this site:


We will attempt to give you perfect access to this site but this may be impaired by the fact that, as far as we can tell, you are either:
  • Accessing the Internet from behind a firewall (personal or company) which is disabling cookies, OR
  • Have made a technical change to your browser in that you have disabled cookies - perhaps only for this site.

If this was unintentional and you can enable temporary (session) cookies, there is a brief description at the bottom of the page. If you don't understand a word of this gobbledygook, or you don't want to!: leave everything as-is and report any problems via the Technical feedback facility.

For the technical user

We attempt to set 2 temporary cookies at each interaction you have with this site. The names and typical values are:

NaviSessID=12345 and NaviLastID=erTh1J68SnkK0

The fact that they are temporary means that when you close down your browser they will simply disappear. For the paranoid - they are not even written to the cookie folder.

The purpose of these two cookies is to allow you to navigate our site across what is a "connectionless" Internet with security and privacy appropriate to the content and usage of the site.

This notice will disappear from the end of the site Web pages when you have interacted with the site 3-4 times - more than once just in case you miss it at the end of the Home Page.

The only downside that we cannot avoid is caused by us putting the same information in the "Location" or "Address" area towards the top of your browser. You will notice that even though you visit pages more than once that your browser will not recognise them as "visited" because this address changes with each interaction.

Changing browser settings
  • Netscape: Edit->Preferences & select the Advanced tab (not one of the sub-options). You only need to accept cookies that are sent back to their own site, but we would recommend that you do not select the 'prompt' option as this will cause an irritating pop-up at each interaction.

  • Microsoft IE: click on Tools->Internet Options & select the Security tab.

    You could select Local Internet, then Advanced, and then add our site address. This assumes that you have got cookies enabled for that zone.

    Another option would be to change the "Custom level" for the zone that we are currently in - the setting to be changed is called "Allow per-session cookies (not stored)" - select Enable, then OK.
