
I need some help understanding some specific points about non-repudiation; nonetheless, I implemented some authentication methods:

  1. Digital Signature Authentication;
  2. CHAP (Challenge Authentication Protocol);
  3. Zero-knowledge password proof.

Let's imagine a situation where a user is authenticated, either by TFA or SFA, to his bank system using some device with a virtual MAC address or other ways I don't know of to hide the device's identity. The user makes some transactions, then goes to the bank complaining about an attack on his/her account and claiming money recovery.

How could we prevent this situation without Digital Signature Authentication? Can we do this with just TFA, or are there other ways to do this? I don't think the user can be unmasked by finding his IP address, provided by some DHCP. Is there a way to at least find the user's real MAC address?

Maf
  • Huh, you can authenticate with something you know, right? TAN codes, digipasses and whatnot. Of course, you'd like some kind of signature authentication to be used (e.g. the authenticator device of my bank does use a smart card chip), but that's not absolutely required. Using the MAC or IP address doesn't give you any authentication by itself whatsoever. – Maarten Bodewes Apr 02 '20 at 00:10
  • @MaartenBodewes thanks for your response. TANs or smart card chips are good ideas. But we know they aren't often required. – Maf Apr 02 '20 at 12:19
  • Depends where you live, I guess; in the Netherlands they are commonly required. I even have a device that uses a smart card to sign a transaction that is displayed on screen using a color QR code. – Maarten Bodewes Apr 02 '20 at 12:20
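To make the non-repudiation point of the question and comments concrete, here is an added example (not code from the question or the commenters): a shared-secret factor, which is what a password, an SMS/TOTP code or a CHAP response amounts to, is placed beside a digital signature over the displayed transaction, the way a smart-card signing device works. The transaction format, the shared secret and the key pair are all constructed for the demo; Ed25519 and HMAC-SHA256 are assumptions, not what any particular bank uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// transactionBytes builds the canonical byte string that is shown to the
// user and then tagged or signed. Constructed format for this example only.
func transactionBytes(from, to string, cents int64, nonce string) []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;amount=%d;nonce=%s", from, to, cents, nonce))
}

// --- Shared-secret factor (password, SMS/TOTP code, CHAP response) ---
// Both the user and the bank hold the same key, so the bank can compute the
// very same tag. A valid tag proves "someone with the key did this", and the
// bank is one of those someones: it cannot settle a dispute with it.

func sharedSecretTag(key, tx []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(tx)
	return mac.Sum(nil)
}

// verifierCanReproduceTag returns true when the bank, using only what it
// already stores, produces a tag identical to the one the "user" submitted.
func verifierCanReproduceTag(key, tx, submittedTag []byte) bool {
	return hmac.Equal(sharedSecretTag(key, tx), submittedTag)
}

// --- Digital-signature factor (smart card / signing token) ---
// The private key stays on the user's device; the bank stores only the
// public key, so it can verify but never produce a signature itself.

func newUserKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do in a demo
	}
	return pub, priv
}

func signTransaction(priv ed25519.PrivateKey, tx []byte) []byte {
	return ed25519.Sign(priv, tx)
}

func verifyTransaction(pub ed25519.PublicKey, tx, sig []byte) bool {
	return ed25519.Verify(pub, tx, sig)
}

func main() {
	tx := transactionBytes("alice", "bob", 12345, "c0ffee") // constructed sample
	key := []byte("constructed-shared-secret")
	tag := sharedSecretTag(key, tx)
	fmt.Println("bank can reproduce shared-secret tag:", verifierCanReproduceTag(key, tx, tag))

	pub, priv := newUserKey()
	sig := signTransaction(priv, tx)
	fmt.Println("signature verifies:", verifyTransaction(pub, tx, sig))
	tampered := transactionBytes("alice", "bob", 99999, "c0ffee")
	fmt.Println("signature verifies on altered amount:", verifyTransaction(pub, tampered, sig))
}
```

The first line of output is the whole argument: because the verifier can reproduce the tag, a shared-secret factor tells the bank the session was authenticated but gives it nothing a user cannot later disown. The signature binds the exact displayed amount and recipient to a key only the user holds, which is why the device-identity questions (IP, MAC address) do not need to be answered for non-repudiation.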

1 Answer

I think you can apply the Something You Know, Have, or Are authentication principle; right now many fintech businesses use many different "2 of 3" combinations of these, like password + phone authenticator, registered phone number + fingerprint, etc., but as @maarten-bodewes stated, the optimal solution to this question lies in the social context where it would be implemented.

gl4ssiest
  • Actually, Something You Are is the suitable option, but I need an approach which would be feasible and which all users would be able to use even with very little knowledge about information security. – Maf Apr 05 '20 at 14:35
  • "Something you are" "non-repudiable" authentication options: eye retinal scan, fingerprint reader, voice print, keystroke timing, signature. But as the use of biometrics grows, so too do the ways hackers break it. As an example, copies of fingerprints that could unlock almost a third of existing smartphone models, hacking facial recognition systems with 3D-printed heads, etc. So I would recommend biometric authentication (which could violate privacy if not handled the right way) along with at least one other authentication method (2FA or 3FA). – gl4ssiest Apr 06 '20 at 03:05
  • TFA seems to be the approach which best combines low cost and security, but I don't know why people are not obliged to use it nowadays. Eye retinal scan would be the best option if it wasn't so expensive. Talking about TFA, do you think the message sent to your phone can also be caught by the same attacker who is using your first factor (e.g., password)? – Maf Apr 06 '20 at 19:55
  • A common TFA approach includes phone registration, for it to be verified through an SMS or via a native app installed; of course, a banking trojan could read SMS sent to the phone and get the password via keylogging, and by the way that is one of the most common payload goals. In that case in-app TFA verification could be an option, as tokens can use any ciphered protocol to do it, but what if the phone gets stolen then? Technologies around the "Something you are" auth process are still immature. An interesting approach could be (User-defined Challenge Question) + (RSA time-generated token pin). – gl4ssiest Apr 07 '20 at 18:17