
Working with a developer to update a login system through a web-UI:

Currently, we use:

  1. Enter login ID
  2. Goes through Challenge/Step-up
  3. Based on the results of the Challenge/Step-up, the user is presented the password page to log in

They want to change the flow to:

  1. Enter login ID
  2. User is immediately presented the password page
  3. Goes through Challenge/Step-up

The second scenario appears backward and vulnerable to attacks.

I need to look for something that corroborates this from a compliance/regulatory standpoint.

Leptonator
  • I'm not sure what "Challenge/Step-Up" is in this context. Can you clarify? – David Jun 25 '14 at 20:47
  • It is for a banking platform. We use challenge/step-up as part of the FFIEC Regulatory Guidance. – Leptonator Jun 25 '14 at 22:02
  • I don't believe the FFIEC or other US regulatory body provides specific guidance on the workflow of authentication. The first scenario seems less likely to allow online password guessing (assuming the challenge occurs out-of-band), but other security controls you have in place might already limit the usefulness of that type of attack. Also, with the first scenario you also gain some advantage if users learn that they shouldn't ever enter their password (e.g. at a phishing site) unless they've been challenged first. Otherwise I don't see a huge difference in the security of either approach. – PwdRsch Jun 25 '14 at 22:16
  • https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf – Leptonator Jun 25 '14 at 22:23
  • 1
    Yes, I'm aware the FFIEC has a standard about online authentication, but it doesn't lay out a specific authentication workflow that must be adhered to (other than before the transaction). I've never seen anything from them, the OCC, the Fed Reserve, or state regulators that would get that specific about an authentication design. And I've seen banking apps built like your scenario 2 that pass their review. – PwdRsch Jun 26 '14 at 03:38
  • 2
    I see the User-Pass-Challenge flow as more intuitive. After all, if they know your challenges, they probably know your password, too, but the inverse isn't as true (because challenges require more information knowledge than a password about the target). Besides, exposing the challenges without first asking for a password might result in leaking information about the target, especially if they are allowed to enter their own questions. Most major services I use follow that design pattern, too. – phyrfox Jun 29 '14 at 16:36

0 Answers
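The two orderings from the question, modeled as an added example (this is not code from the original post, the asker's platform, or any vendor product). A toy server enforces one step sequence per flow; the password check is only reachable when the flow says it is. A constructed attacker who knows the login ID and has a wordlist but does not hold the step-up code is then run against both flows, counting how many yes/no answers the password check gives it. This is the "online password guessing" point from PwdRsch's comment, plus the "other controls" caveat in the form of a constructed lockout knob. All names here (LoginServer, Step, Result, make_user, the account "alice", its password and OTP, the wordlist, max_failures) are assumptions made for the example.

```python
"""Login-flow ordering demo: challenge-first vs password-first (added example)."""
import hashlib
import hmac
import secrets
from enum import Enum, auto


class Step(Enum):
    ID = auto()
    CHALLENGE = auto()
    PASSWORD = auto()
    DONE = auto()


# Current flow from the question: login ID -> challenge/step-up -> password.
CHALLENGE_FIRST = (Step.ID, Step.CHALLENGE, Step.PASSWORD, Step.DONE)
# Proposed flow: login ID -> password -> challenge/step-up.
PASSWORD_FIRST = (Step.ID, Step.PASSWORD, Step.CHALLENGE, Step.DONE)


class Result(Enum):
    OK = auto()
    BAD = auto()
    OUT_OF_ORDER = auto()  # step submitted before the flow allows it
    LOCKED = auto()        # account locked by failed password attempts


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(password: str, otp: str) -> dict:
    """Constructed account record; password and OTP are made up for the demo."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _pw_hash(password, salt), "otp": otp, "failures": 0}


class Session:
    def __init__(self, flow):
        self.flow = flow
        self.pos = 0       # index of the step the server expects next
        self.user = None

    def expected(self):
        return self.flow[self.pos]


class LoginServer:
    """Toy server: every step checks that it is the one the flow expects next."""

    def __init__(self, flow, users, max_failures=None):
        self.flow = flow
        self.users = users
        self.max_failures = max_failures      # None = no lockout (hypothetical "other control")
        self.password_oracle_answers = 0      # yes/no answers the password check handed out

    def start(self):
        return Session(self.flow)

    def submit_id(self, s, login_id):
        if s.expected() is not Step.ID:
            return Result.OUT_OF_ORDER
        s.user = self.users.get(login_id)     # unknown IDs are not revealed at this step
        s.pos += 1
        return Result.OK

    def submit_challenge(self, s, code):
        if s.expected() is not Step.CHALLENGE:
            return Result.OUT_OF_ORDER
        if s.user is None or not hmac.compare_digest(code, s.user["otp"]):
            return Result.BAD
        s.pos += 1
        return Result.OK

    def submit_password(self, s, password):
        if s.expected() is not Step.PASSWORD:
            return Result.OUT_OF_ORDER        # in CHALLENGE_FIRST this needs a passed step-up
        if s.user is None:
            return Result.BAD
        if self.max_failures is not None and s.user["failures"] >= self.max_failures:
            return Result.LOCKED
        self.password_oracle_answers += 1     # the caller now learns right/wrong
        if hmac.compare_digest(_pw_hash(password, s.user["salt"]), s.user["pw_hash"]):
            s.pos += 1
            return Result.OK
        s.user["failures"] += 1
        return Result.BAD


def legit_login(server, login_id, password, otp):
    """Walk whichever order the server's flow dictates; True on full success."""
    s = server.start()
    handlers = {Step.ID: lambda: server.submit_id(s, login_id),
                Step.PASSWORD: lambda: server.submit_password(s, password),
                Step.CHALLENGE: lambda: server.submit_challenge(s, otp)}
    while s.expected() is not Step.DONE:
        if handlers[s.expected()]() is not Result.OK:
            return False
    return True


def online_guessing(server, login_id, wordlist):
    """Attacker with the login ID and a wordlist, without the step-up code.
    Returns (password answers obtained, recovered password or None)."""
    for guess in wordlist:
        s = server.start()
        server.submit_id(s, login_id)
        r = server.submit_password(s, guess)
        if r is Result.OK:
            return server.password_oracle_answers, guess
        if r in (Result.OUT_OF_ORDER, Result.LOCKED):
            break                             # the server will not answer any more
    return server.password_oracle_answers, None


WORDLIST = ["password", "123456", "letmein", "qwerty", "correct horse", "hunter2"]  # constructed


def demo():
    out = {}
    for name, flow, lock in [("challenge_first", CHALLENGE_FIRST, None),
                             ("password_first", PASSWORD_FIRST, None),
                             ("password_first_lockout3", PASSWORD_FIRST, 3)]:
        users = {"alice": make_user("correct horse", "482913")}
        out[name] = online_guessing(LoginServer(flow, users, lock), "alice", WORDLIST)
    return out


if __name__ == "__main__":
    for name, (answers, found) in demo().items():
        print(f"{name}: password-check answers={answers}, recovered={found!r}")
```

Running it shows the difference the comments describe: in the challenge-first flow the attacker gets zero answers from the password check because the step is unreachable without the step-up, while in the password-first flow the password check answers every guess until the right one lands. The lockout variant shows the caveat from PwdRsch's comment: a control such as a failure limit bounds the oracle even in the password-first order, so the ordering alone is not the whole story.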