Authentication

Original Username & Password System-

The user has a unique user name and a password which is hopefully secure.

How to make your password secure.

https://howsecureismypassword.net/

The problem with this system is that brute force can be used to crack a password; brute force is just trying every combination and with a

http://www.guru3d.com/news-story/password-cracking-25-gpu-monster-devours-passwords-real-fast.html
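To make the brute-force point concrete, here is a small added example (not from the original notes) that models the worst case: an attacker who tries every combination of the character classes a password uses. The guess rate is a parameter you supply; the figure for any particular GPU rig is an assumption, not something these notes state.

```python
import math
import string

# Character classes an exhaustive search must cover. Which classes appear in a
# password determines the alphabet size the attacker has to enumerate.
CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
]


def alphabet_size(password: str) -> int:
    """Size of the union of every character class that appears in the password."""
    size = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def search_space(password: str) -> int:
    """Number of candidates a brute-force attacker must try in the worst case:
    alphabet ** length, so each extra character multiplies the work, while
    adding a class only changes the base."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits (how many yes/no guesses it is worth)."""
    return len(password) * math.log2(alphabet_size(password))


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the search space at a given guess rate (an assumed figure)."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # constructed guess rate for illustration only
    for pw in ("abc", "abcdefgh", "Abcdefg1", "Abcdefg1!", "abcdefghijklmnop"):
        print(f"{pw:18} alphabet={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"worst case {worst_case_seconds(pw, rate):.3g} s")
```

Running it shows why length matters more than symbols: sixteen lowercase letters (about 75 bits) takes far longer to exhaust than nine characters drawn from all four classes (about 59 bits).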

2-factor Authentication-

Combinations include:

- Mr. Rayworth's Bank of America login was actually 3 factors the first time: security question + image confirmation + password

- Mr Rayworth's KB was also three factors the first time: SMS TAN (see next section) + certificate on the computer + password.

- The same combination could be done with keeping the certificate on a flash stick; that way it is easier to use different devices/computers.

- Physical object like a keypad device (see "digiPass" below) to produce a TAN + something secret to the user like a password.

- Physical characteristic (i.e. biometric characteristic) of the user such as finger print, iris scan, + secret password.

TAN (Transaction Authentication Number)-

The example we saw was Mr Rayworth receiving an SMS with a transaction number. It's a one-time "single-use" number, and it is sent to something the user physically has control over, such as a phone.

Here's one example of an app which generates the TAN:

https://play.google.com/store/apps/details?id=com.blizzard.bma&hl=en

Or a little key chain kind of thing that has a little LCD that can generate a TAN

https://www.vasco.com/products/client_products/single_button_digipass/digipass_go6.aspx

One-time password- (note that a TAN is a type of one-time password)

See above: the example of the SMS sent to a person's phone, or the generation of one by a keypad device.

Keypad device-

See above, the digiPass device. It has additional security since there is a password to access the device. The same could be said of a phone which is password protected, but it doesn't have to be.

Security Question-

From a list of questions the user answered when first creating the account. Questions which only they would know the answer to, such as "What is your mother's maiden name?" or "What was the name of your first pet?", etc.