Magic
Thu 26 March 2009, 10:33 pm GMT +0100
Hi all,
I want to make the log-in process to the secured area of our company website more secure by adding multi-factor authentication (we are currently just using username/pw). Does anyone know of a good system to use?
I have been trying to find a system myself online, but the only reasonable option I found is SafeTok (safetok.com). Does anybody have experience with this system?
What I really like about SafeTok is that it will be free for us and our users, since it's free to implement and the users do not need to buy expensive tokens for it but can just use any available USB stick or other consumer electronics item (mobile phone, iPod, etc.) they already have. However, I wonder how our users will take the introduction of the system. Do you reckon that the users will find the system easy to use and that the transition to multi-factor authentication will go smoothly? Do you think the SafeTok system is a good option? What factors are most important to consider when implementing multi-factor authentication? If you have already integrated multi-factor authentication, what was most important to you and what did you find most troublesome? What system did you choose and why?
Nikolas
Thu 26 March 2009, 11:35 pm GMT +0100
I don't really find a reason to use such a thing for a website login. There are solutions like ssl which are 100% secure.
Magic
Thu 26 March 2009, 11:39 pm GMT +0100
Yeah, but only if the users are actually vigilant... SSL doesn't really prevent phishing... After all, even a phishing website can use SSL...
And then there are key-loggers... And what if users are careless with their passwords? (i.e. write them on post-it notes that they leave on their desk, use them for other services with lower security, ...)
olaf
Fri 27 March 2009, 06:58 am GMT +0100
Just block the IP address after x unsuccessful attempts or 5 wrong passwords for one user name.
Check the authentication from Google; it works great.
Nikolas
Fri 27 March 2009, 12:06 pm GMT +0100
I suppose if someone can sniff an SSL connection (that requires public/private keys), then why would it be impossible to sniff such a device?
Magic
Fri 27 March 2009, 02:33 pm GMT +0100
I think we are misunderstanding each other.
I am not worried at all about someone breaking SSL or brute-forcing the passwords out. What I am concerned about are social engineering & keylogger type of attacks.
For example:
- The user having trouble remembering the password and writing it on a post-it note. His cleaning lady (or whoever) reading it and getting access to the account.
- Phishing - The user receiving an e-mail which seems to come from us (but has been sent by an attacker), asking him to visit a link. The linked website looks like our webpage and asks the user to enter his username/password for whatever reason (security checks, renewing the account, whatever). If he does so, the data is submitted to an attacker who now has everything needed to log in.
- The user having a key-logger installed that captures the username & password entered when he visits our website and logs in. The key-logger then submits the data to the attacker, who has everything required to log in.
- ...
The list of possible attacks goes on and on. It's really endless. SSL won't help against phishing, since it only ensures that the data is securely submitted - not that the user submits it to the right webpage. Actually, the phishing page could send the data to the attacker using SSL... Similarly, limiting log-in attempts won't help since the attacker knows the correct log-in data.
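The post-it and key-logger cases above both come down to the same thing: a static password, once seen, can be reused by somebody else later. A one-time second factor is what breaks that reuse, and olaf's lockout suggestion is the other half of the picture. The following is an added example, not code from this thread or from SafeTok (the thread does not describe SafeTok's scheme, so a standard TOTP code as in RFC 6238 is assumed in its place): a Python login check that requires a password plus a time-based one-time code, refuses a code that has already been accepted in its window, and locks a username and client IP after five failures. The user name, password, secret, IP addresses and timestamps are constructed for the demo; the secret is the RFC 4226/6238 test vector.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, not a real user's key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    MAX_FAILURES = 5      # failures before a username or client IP is locked
    LOCK_SECONDS = 900    # how long the lock lasts
    STEP = 30             # TOTP time step in seconds

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the demo is deterministic
        self.users = {}                     # username -> {salt, pw_hash, totp_secret}
        self.failures = {}                  # ("user", name) / ("ip", addr) -> (count, lock_until)
        self.used_counters = {}             # username -> set of TOTP counters already accepted

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                                "totp_secret": totp_secret}

    def _locked(self, key) -> bool:
        return self.clock() < self.failures.get(key, (0, 0))[1]

    def _fail(self, key) -> None:
        count, until = self.failures.get(key, (0, 0))
        count += 1
        if count >= self.MAX_FAILURES:
            until = self.clock() + self.LOCK_SECONDS
        self.failures[key] = (count, until)

    def login(self, username: str, password: str, code: str, client_ip: str) -> str:
        user_key, ip_key = ("user", username), ("ip", client_ip)
        if self._locked(user_key) or self._locked(ip_key):
            return "locked"
        user = self.users.get(username)
        pw_ok = user is not None and hmac.compare_digest(
            hash_password(password, user["salt"]), user["pw_hash"])
        # Accept the current window and one step either side for clock drift,
        # and remember which counter matched so the same code cannot be replayed.
        matched = None
        if user is not None:
            base = int(self.clock()) // self.STEP
            for counter in (base - 1, base, base + 1):
                if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
                    matched = counter
                    break
        if not pw_ok or matched is None:
            self._fail(user_key)
            self._fail(ip_key)
            return "bad credentials"
        if matched in self.used_counters.setdefault(username, set()):
            self._fail(user_key)
            self._fail(ip_key)
            return "code already used"
        self.used_counters[username].add(matched)
        self.failures.pop(user_key, None)
        return "ok"


def demo() -> list:
    """Walk through the key-logger scenario from the thread with a fake clock (constructed data)."""
    clock = {"t": 1_700_000_000}
    svc = LoginService(clock=lambda: clock["t"])
    svc.add_user("alice", "correct horse battery staple", DEMO_SECRET)
    results = []
    captured_code = totp(DEMO_SECRET, clock["t"])
    # 1. Legitimate login from the office: password plus the current code.
    results.append(svc.login("alice", "correct horse battery staple", captured_code, "10.0.0.5"))
    # 2. A key-logger has captured both; the attacker replays them five seconds later.
    clock["t"] += 5
    results.append(svc.login("alice", "correct horse battery staple", captured_code, "203.0.113.9"))
    # 3. Two minutes later the captured code has expired: it is now just a wrong credential.
    clock["t"] += 120
    results.append(svc.login("alice", "correct horse battery staple", captured_code, "203.0.113.9"))
    # 4. The attacker keeps retrying the stale credentials; after five failures the account and IP lock.
    for _ in range(3):
        svc.login("alice", "correct horse battery staple", captured_code, "203.0.113.9")
    results.append(svc.login("alice", "correct horse battery staple", captured_code, "203.0.113.9"))
    # 5. Side effect: the lock on the username also blocks the real user, even with a fresh code.
    results.append(svc.login("alice", "correct horse battery staple",
                             totp(DEMO_SECRET, clock["t"]), "10.0.0.5"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading this. First, a one-time code only defeats the *later* reuse of captured credentials; a phishing page that relays the password and code to the real site within the 30-second window (the scenario in the post above) still succeeds, because the code is still fresh when the attacker submits it. Second, step 5 shows the cost of olaf's lockout: keyed on the username, it lets an attacker lock the legitimate user out on purpose, so in practice the per-IP counter should be the aggressive one and the per-username counter should slow attempts down rather than block them outright.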
Magic
Tue 31 March 2009, 12:57 am GMT +0200
I just found a link to a page which tells the story of a guy who got phished.
flickr.com/photos/toasty/1276202472/
Think this should help to understand what kind of attacks I want to prevent.
J n b
Tue 31 March 2009, 02:05 pm GMT +0200
So do you want a system where users click on a combination of numbers to enter a secret 4-digit code? This number would be unique, and the keylogger couldn't track it as it's only using the mouse.
mohit
Tue 7 December 2010, 06:39 am GMT +0100
I think you can go with the SSL certificate you have. I think this is one of the most secure ways to work with it.
kiddoman
Sat 18 June 2011, 10:16 am GMT +0200
It seems to be some pro master's work! I think you can consult with some pro workers on this!
annabellabuzz
Sun 9 October 2011, 01:45 pm GMT +0200
I except only if the users are actually vigilant... SSL doesn't really prevent phishing... following all even a phishing website can use SSL...
as well as after that there are key-loggers... And what if users are slapdash with their passwords? (I.e. write them on post-it notes that the go away on their desk, make use of them for other services with inferior security,...)
HipHopMusic
Wed 12 October 2011, 11:23 am GMT +0200
I have been trying to find a system myself online, but the only reasonable option I found is SafeTok (safetok.com)
sanath123
Sat 28 April 2012, 12:40 pm GMT +0200
Nice post & tips provided by the author to the users.