33

Background: I want to implement something like this in our websites, and I'm looking for advice and possibly APIs that allow this out of the box rather than re-inventing the wheel, but I can't even figure out the right search terms.

As seen on my bank account:

  • When I registered, I was asked to pick a phrase that I would remember
  • Now, when I log onto my website, the process is as follows:
    • I enter my Username and click "next".
    • The bank site shows me this phrase. This helps me to be assured that I am actually on my bank's site, and not some fake site set up to steal my login credentials.
    • If the pass-phrase matches, I enter my password to complete the authentication process.
    • If the pass-phrase doesn't match, I know that either I entered my username wrong or I'm on a phishing site, and I go back to my bank's home page and start over.

In my mind, this sounds like "multi-step authentication". However, when I search for that, I keep getting results for multi-factor authentication - authentication using a token, or two-step authentication as implemented by Google and other sites. While I'm a HUGE proponent of multi-factor authentication using tokens or codes sent to your mobile device, I also want to figure out how to do what my bank is doing.

Is there a name or term for this authentication pattern?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
David Stratton
  • 2,646
  • 2
  • 20
  • 36

2 Answers2

28

SiteKey is the feature name that many banks call it and should be able to be searched for under that name. It adds minimal if any security. Anything that your server can present to the user, a man in the middle can act as if they were the client and get the same information. SiteKey (which is likely what your bank calls it) is not secure and doesn't add meaningful security.

It can actually be harmful as it may give users a false sense of security and make them ignore otherwise good indicators such as SSL indicators because the "secure" image or phrase is there. My general recommendation is do not use such flawed mechanisms as they can do more harm than good.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • Thank you for that advice. I'm running across similar advice elsewhere now that I know what search term to look for. Your advice is helpful.. I'd vote this up but it doesn't really answer the question, and might make a better comment on the question. – David Stratton Jan 02 '13 at 16:29
  • 1
    But that is a VERY good point. It *is* a false sense of security, and it ***would be*** child's play to get that image from the live site. – David Stratton Jan 02 '13 at 16:35
  • I think I'll ask a question that you can put this answer on - it'll be good for future visitors. – David Stratton Jan 02 '13 at 16:43
  • @DavidStratton - good point about not actually answering the question. I have altered my answer to include the name I normally search for information about it under as well as using the technical name for it as an introduction in to why I advise against it. – AJ Henderson Jan 02 '13 at 17:08
  • +1 now that the answer has been edited to give a Googleable term. – KeithS Jan 02 '13 at 17:08
  • Thank you. I did post another question, partly so you could address it, but also partly so that future visitors could find it more easily via search. – David Stratton Jan 02 '13 at 17:12
  • @DavidStratton - yes, I saw that and just replied to it with a more complete answer that looks at what it can potentially offer, what it can potentially hinder and what possible alternatives are to it. – AJ Henderson Jan 02 '13 at 17:20
  • I changed the accepted answer simply because googling "SiteKey" gave me the results I was looking for and "Knowedge Based Authentication" came up with a lot of other stuff with a few of the results I was looking for mixed in. – David Stratton Jan 02 '13 at 22:54
  • 2
    It's a bit scary that some of the [worst security practices I've seen online](http://programmers.stackexchange.com/a/87513/13815) come from banks... – BlueRaja - Danny Pflughoeft Jan 02 '13 at 23:45
  • 1
    Actually, knowledge-based authentication is something a bit different. Knowledge-based authentication is a broad category and refers to the kinds of questions that a bank asks *you*, to try to verify *your* identity. BOA's SiteKey is a specific mechanism to try to let you verify that you are talking to BOA. – D.W. Jan 03 '13 at 04:43
  • @D.W. - Thanks for pointing that out, while I think it might broadly fit under the name, since in principal, it is a piece of information which is "only known" by the party being authenticated, I also have to agree that it isn't really a standard practice either as it is generally considered a rather poor and ineffective measure, even in comparison to "security" questions. I updated my answer to remove the reference to avoid confusion since SiteKey will give the best Google results if someone want's to look for more detailed information. – AJ Henderson Jan 03 '13 at 14:00
  • 1
    For the record, SiteKey is the commercial name of a single product in this category. And as useless as it is, there are many competitors. Calling them all "sitekey" is like using Frigidair, Wonderbread, and Google (verb) as a generic term. Hmm, okay, fair enough.... But I think the more generic term is "Image-based identification" or something like that. – AviD Feb 25 '14 at 07:42
23

It's called knowledge-based authentication, and it's used to authenticate the remote server. Common authentication tokens are words and pictures.

One point I would make is that it's a bad idea to give out the authentication token only after being given a non-secret piece of information such as a username. An attacker could target a single user by simply putting their username into the page, or even via an iframe or similar remote fetching mechanism. Instead, it's best to ask the user to provide a weak authentication token (e.g. 4-digit pin), then provide the secret, then ask for the strong authentication token (e.g. password). This makes the mechanism much safer.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • 3
    The entire approach is useless pseudo-security even if you require a weak token first. It is meant to allow users to detect phishing sites, and it cannot do that. The phishing site can always just relay the information it got, and relay back to the user the correct "knowledge". Sure, it requires a bit more effort from the phisher, but if you use indexed TANs or similar, they need to do this anyways. – Jan Schejbal Jan 02 '13 at 16:28
  • True, but if anti-framing and proper ajax policies are used it makes it difficult. The phishing server would have to fetch it and pass it back to the client, which would quickly give away the IP of the phishing server to the bank. – Polynomial Jan 02 '13 at 16:43
  • I do see your point though - it's a minimal security measure, and might be more detrimental in the long run if users end up trusting a phishing site because it had the correct word / image. – Polynomial Jan 02 '13 at 16:44
  • 1
    @Polynomial - that assumes that the phishing site goes directly. It wouldn't be that hard to setup a relay on a botnet to get the page from a variety of different IPs so as to appear like a client while masking the IP of the phishing site. It is an additional step, but it still amounts to security through obscurity. – AJ Henderson Jan 02 '13 at 17:10
  • 2
    According to Wikipedia page the term "Knowledge based authentication" seems to be used for "secret question" schemes, not the one OP asked. – Sedat Kapanoglu Jan 02 '13 at 18:15
  • @ssg The Wikipedia page focuses on authentication of the client, not the server, but the same concept works both ways. – Polynomial Jan 02 '13 at 20:35
  • Sorry, I changed the accepted answer simply because googling "SiteKey" gave me the results I was looking for and "Knowedge Based Authentication" came up with a lot of other stuff with a few of the results I was looking for mixed in. – David Stratton Jan 02 '13 at 22:53
  • 2
    Actually, knowledge-based authentication is something a bit different. Knowledge-based authentication is a broad category and refers to the kinds of questions that a bank asks you, to try to verify your identity. BOA's SiteKey is a specific mechanism to try to let you verify that you are talking to BOA. – D.W. Jan 03 '13 at 04:43
  • @D.W. SiteKey is still a type of KBA, since you're authenticating the server based on its knowledge of a secret token. – Polynomial Jan 03 '13 at 06:48
  • 1
    @Polynomial if that were relevant, than any password authentication would be considered KBA. This is not that. – AviD Feb 25 '14 at 07:44