• Bryan E (unregistered)

    I use etrade.com for banking, and they have true two-factor authentication (key fob). That was one of the main reasons I switched from a bank that uses 1+1 instead.

    What other banks use two-factor?

  • freelancer (unregistered)

    The Swedish bank Swedbank (catchy name), that I use, also uses real two-factor authentication (users have those key thingies).

  • Bitter Like Quinine (unregistered)

    Interestingly, I was on a team where it was decided that remote access to one (not particularly sensitive) system should use two-factor authentication.

    The cost of dongles being considered exorbitant, it was suggested that we give the remote workers one-time pads, with a different number for each hour of each day, which we could generate ourselves.

    Of course the cost of organising the printing and distribution of these pads would itself be not insignificant, but the project's champion had already thought of a way round that.

    He suggested we generate them as PDFs and e-mail them to people's home mailboxes.

    We went with the dongles.

  • (cs) in reply to Miracle Ointment
    Miracle Ointment:
    Nope, they're not testing that you have a piece of paper with the question answers. They're testing that you have knowledge of the answers (which you happen to have recorded on a piece of paper).

    It's easy to prove this. Write your question answers on an etch-a-sketch and destroy/eat the piece of paper. You can still authenticate, even without the piece of paper. Real two-factor sorta requires that the item you possess is not trivially easy to duplicate or spoof.

    Which means really only the text message ones (since a cell phone that can receive messages directed at your phone number is not trivially easy to spoof) qualify. Not even email-based systems—well, that’s just “something else you know” being your email account server+username+password (server+username can be deduced in most cases from the email address, but that’s obscured at least by my bank’s system)

  • Jeltz (unregistered) in reply to freelancer
    freelancer:
    The Swedish bank Swedbank (catchy name), that I use, also uses real two-factor authentication (users have those key thingies).

    I think all Swedish banks do, except for Nordea since it just asks you for your codes sequentially instead of randomly.

  • (cs) in reply to Zylon
    Zylon:
    Where the hell the did the godawful term "Wish-It-Was Two-Factor" come from? Googling for it turns up exactly two hits-- this site, and a site linking to this site.

    Why the hell does it matter? And who the hell is silly enough to a) bother to search Google for that phrase, and b) is silly enough to complain about it?

    And usually getting a low number of hits in a Google search is a good thing. It makes it much faster to find what you're looking for, or to realize you need to change your search expression.

    Wow... Some people get way too excited and worked up over nothing.

  • (cs) in reply to Zylon
    Zylon:
    Josh:
    Um, it came from this site. It's a joke, This site contains humor.

    Except when it's trying to be funny.

    Let me fix that for ya:

    Zylon:
    Except when it's read by someone without a sense of humor.

    There ya go.

  • Synonymous Awkward (unregistered) in reply to rumpelstiltskin
    rumpelstiltskin:
    brazzy:
    Captain Spongebath:
    I'm not certain I understand your reasoning there... the password strength is figured on number of possible combinations AFAIK. 92^10 is still a fair bit larger than 62^11.

    Um... no. It's actually a fair bit SMALLER. The wonders of exponential growth and all that...

    It's smaller, but not by much- 1.5^10 is 50-something, so in security terms, they're the same.

    62^11 = 52036560683837093888 92^10 = 43438845422363213824

    (62^11) - (92^10) = 8597715261473880064 (62^11) / (92^10) = 1.1979269

  • ShelteredCoder (unregistered)

    I think all of this online security stuff is great. DNA, fingerprints, questions. What if someone gets your account number and just heads down to a local branch (assume you use a large bank)? Won't he/she be able to fill out a withdrawal slip and get your money? As long as the person at the counter doesn't know you, they will assume the guy with the account number is the account holder. How's that for security? (Yes, I know they can ask for a photo ID, but how hard is that to fake?)

  • (cs) in reply to B. McAninch
    B. McAninch:
    This is commonly referred to as "cognitive" or "mnemonic" authentication. Who sold it as two-factor?!? It's nothing more than multiple single factor (what you know).

    The purpose is to make authentication credentials easier to remember, with the intent of reducing/eliminating the need for password resets. Ultimately, this reduces social engineering attacks and overall support costs.

    Whether or not remembering your passwords is actually easier is subject to debate - the point is this is not nor does it attempt to be two-factor.

    Perhaps that's the reason the title of the article is "Wish-It-Was Two-Factor"?

  • iw (unregistered)

    Our bank here is almost as bad. We only have a username and password, BUT that username must have at least two non-alphanumeric characters. That means people end up doing nonsense like j$sm!th for their username.

  • Gambler (unregistered)

    These questions become infinitely more fun when you're Finnish like I am.

    I have an e-wallet account and needed to spell out my mom's maiden name (Pöyhönen) and where I was born (Seinäjoen keskussairaala) to a lady with an Indian accent over the phone. I am fairly sure she gave up around the fifth letter.

  • Steve (unregistered) in reply to gilleain
    gilleain:
    I got irritated with halifax's (sorry, HBOS) WIWTF authentication when it wouldn't accept my secret question.

    I was annoyed when it refused to accept a password that wasn't in the range of acceptable characters [a-z][0-9]. Who the hell thought that would be secure. Morons. PS I am actually opening an account with a building society now because I am so sick of the stupid stuff like this that HBOS keep doing

  • (cs)

    my favorite part of bank of america online banking has to be the sitekey. nothing better than having to choose from a set of cheesy pictures to look at every time you log in. do you want the fuzzy kitten or the pretty flower? oh, you're a boy, you must want the soccer ball.

    seems like it'd be more secure if you could upload your own image.

  • (cs)

    I agree on the absurdity of security so strict the user is unable to remember the correct answers. That forces a user to record the password/answers somewhere, defeating the security! Those of you with DoD Clearance know that access requires the correct answer to the "Three Golden Questions". In my case, I had originally acquired a Classified Clearance many, many years ago. I was required to update it and presented my "Three Golden Questions". The answers are in free form and here are two of the three; "What is your favorite movie?" Well, at the time I originally answered this question, WHAT WAS MY FAVORITE MOVIE? I have no idea. "How many brothers do you have?" That seems easy since I am an only child. But does it expect "0", or "zero", or "none"?

  • (cs) in reply to Zock
    Zock:
    tin:
    No it's not! The answer is "brillant".. No "I".

    Ha! And you just got denied access. Intentional typos FTW!

    You must be new here. <g> Do a search on this site for "Paula" and "brillant" so you get the joke (and don't embarrass yourself again).

  • (cs) in reply to Grant
    Grant:
    The question is Paula. The answer is Brillant!
    Fixed.

  • Zock (unregistered) in reply to KenW
    KenW:
    Zock:
    tin:
    No it's not! The answer is "brillant".. No "I".

    Ha! And you just got denied access. Intentional typos FTW!

    You must be new here. <g> Do a search on this site for "Paula" and "brillant" so you get the joke (and don't embarrass yourself again).

    Please read my post again. The whole quote is meaningful, not just the outer part you decided to quote here. If you still don't get it, ask someone else for clarification (but please avoid embarrassing yourself again). ;)

  • (cs) in reply to Test_subj
    Test_subj:
    With the kind where you write your own questions I usually go with something along the lines of "Q: What are you wearing? A: nothing but a cockring" that way when I have to call in, the CSR has to ask me and I have to answer them.

    Of course if I'm not alone and I have to call in, my coworkers give me funny looks.

    This reminds me of my helpdesk days when a user called because she had forgotten her password. Let's just say that when I reminded her that her password was 'dome69now', she was extremely embarrassed. :)

  • (cs) in reply to gilleain
    gilleain:
    I got irritated with halifax's (sorry, HBOS) WIWTF authentication when it wouldn't accept my secret question.

    I kept entering shorter and shorter questions, all of which were rejected as "unsuitable" until I tried just :

    "?"

    And it got rejected. So I entered a question /without/ a question mark, and it worked. Presumably someone had coded the application not to accept anything with punctuation, or something.

    Idiots.

    a "?" would be a question for a Unix geek. The answer is probably "h".

  • (cs)

    Both PayPal and EBay have now offered the key fob things as two factor authentication for customers for only $5 for the fob. They were initially going to offer them free, but decided that if people got them for free, they would be less likely to treat it as something with value. If you listen to Security Now Episode 103 you can learn all about how these things work, and how PayPal/Ebay implemented their system.

    If you don't have your fob or lose it, there are ways to still get in, and this is where the security reverts back to the Wish-It-Was Two-Factor, but you have to give them credit for doing this.

  • (cs) in reply to jpaull

    The worst I saw was for the website of one of my student loans. I guess when I signed up for the site, it asked me to make my own question/answer set. At some point in the future, I think I was trying to recover my password, it asked me for my e-mail, name, and my question/answer set. Except it prompted me to put in the question. So not only was I supposed to remember the answer, I had to remember the question. How the heck do they expect me to remember my QUESTION? I eventually figured out what my password was. But I still have no idea what my question was. I even went back and changed the question to something that I'd easily remember. Of course, I have no idea what I changed the question to. God forbid I ever forget my password again.

  • Anonymouse (unregistered)

    My Danish bank (Jyske) gives you a credit-card sized list of 80 4-digit keys. Whenever you log on or make a transaction, you're requested to enter a randomly selected key, each key being used only once before you're issued another list. In addition to that you need your CPR number (Danish eq. of a NI or social security number, it's considered reasonably sensitive information that you never disclose without a good reason), as well as a "strong" but fairly easily remembered password generated by the bank's system. All in all a very secure authentication system that you can safely use "from anywhere" (even if your keypresses are logged for a year you're reasonably safe).

    My UK bank (Lloyds TSB), on the other hand, has the most horrible system: You choose a password, as well as a bit of "memorable information". The latter is simply another password from which you have to enter three characters when you log on. So if you choose, say, "microsoft" as your second password, it may ask for characters 2, 3 and 9, and you then have to select I, C and T, respectively, from three drop-down boxes. Watch a guy log on two or three times, and you're more than likely to have seen the entire thing on his screen (as he slowly navigates past the clumsy interface - FFS dropdown boxes?). Once you're logged in, you can make any transaction (including instant(!) transfers to other Lloyds accounts) using only the first password. And just as if that wasn't weak enough, they didn't even think to test the system using Firefox (Firefox asks whether or not to remember_the_password (!(!!!))).

    I think it goes to show that banks have the resources to provide really good online services and to secure them well, but all the money in the world won't do dick if you put an idiot in charge of spending them. So what else is new? ;P
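The difference between the two schemes in the comment above, as an added example that is not the thread's or either bank's code: a code card where every index is spent on first use, beside a simulation of the "characters 2, 3 and 9 of your memorable word" scheme, to show what an observer who records a few logins ends up holding. The 80 four-digit codes and the 9-character memorable word come from the comment; the seeded RNG for the simulation and the 3-positions-per-login parameter are assumptions.

```python
import hmac
import random
import secrets
import string
from typing import List, Set, Tuple

CARD_SIZE = 80     # codes per card, as described for Jyske
CODE_DIGITS = 4


def issue_code_card(n_codes: int = CARD_SIZE, digits: int = CODE_DIGITS) -> List[str]:
    """Bank side: each code is an independent CSPRNG draw, so known codes say nothing about the rest."""
    return ["".join(secrets.choice(string.digits) for _ in range(digits)) for _ in range(n_codes)]


class CodeCardSession:
    """Server-side state for one customer: the issued card plus the indices already spent."""

    def __init__(self, card: List[str]):
        self.card = card
        self.spent: Set[int] = set()

    def challenge(self) -> int:
        """Ask for a uniformly random unspent index (not the next one in order)."""
        unused = [i for i in range(len(self.card)) if i not in self.spent]
        if not unused:
            raise RuntimeError("card exhausted; issue a new one")
        return secrets.choice(unused)

    def verify(self, index: int, code: str) -> bool:
        """Spend the index whether or not the code is right, so a slot can be neither brute-forced nor replayed."""
        if index in self.spent:
            return False
        self.spent.add(index)
        return hmac.compare_digest(self.card[index], code)


def code_card_replay(session: CodeCardSession, observed: List[Tuple[int, str]]) -> int:
    """Attacker replays every (index, code) pair captured from earlier logins; returns how many succeed."""
    return sum(session.verify(i, c) for i, c in observed)


def partial_password_exposure(secret_len: int, positions_per_login: int,
                              observed_logins: int, rng: random.Random) -> float:
    """Fraction of the memorable word revealed to someone who watched `observed_logins` logins."""
    seen: Set[int] = set()
    for _ in range(observed_logins):
        seen.update(rng.sample(range(secret_len), positions_per_login))
    return len(seen) / secret_len


def expected_unseen_positions(secret_len: int, positions_per_login: int, observed_logins: int) -> float:
    """Exact expectation: a position escapes one login unseen with probability 1 - k/n."""
    return secret_len * (1 - positions_per_login / secret_len) ** observed_logins


def shoulder_surfer_outcomes(logins_watched: int = 3, seed: int = 1) -> Tuple[int, float]:
    """Watch `logins_watched` legitimate logins under each scheme, then see what the observer can do."""
    session = CodeCardSession(issue_code_card())
    observed = []
    for _ in range(logins_watched):
        idx = session.challenge()
        code = session.card[idx]           # the customer reads it off the card
        if not session.verify(idx, code):  # legitimate login must succeed
            raise RuntimeError("legitimate login rejected")
        observed.append((idx, code))
    replays = code_card_replay(session, observed)
    exposure = partial_password_exposure(9, 3, logins_watched, random.Random(seed))
    return replays, exposure
```

With three logins watched, the code-card observer holds three dead codes and the partial-password observer has seen, on average, all but 9 * (2/3)^3 = 2.67 positions of the word; after a few more logins the whole word is gone. The card's weakness is elsewhere: a photocopy of it is as good as the original, which is why it is paired with the password and CPR number.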

  • Corporate Cog (unregistered) in reply to Corey
    Corey:
    I have a password safe program, so forgetting passwords isn't a problem (until I forget the master password, or lose my backups...)

    Ditto. This must be a modern meme. I personally don't give a rat's arse how many questions I'm asked; I just copy/paste from my password vault. If someone untrustworthy gets ahold of my home machine, I'll just consider myself screwed.

    The average Joe (like my brother) doesn't have a password safe and just struggles like the dickens to get anything done online (always requesting new passwords). Perhaps the future holds all of us owning some kind of key fob device. Makes sense.

  • (cs)

    I use Compass and I called the other day to have my password reset. (I had changed it and forgot to tell my wife, she then locked the account using the old password.) Anyway, the guy reads off my new password. I asked him if the letters are uppercase or lowercase. His response? It doesn't matter, it's not case sensitive.

  • Mr Fred (unregistered) in reply to bradfoje
    bradfoje:
    Just put a post-it on the monitor!! DUH!

    That is another kind of sort of two factor - i.e. "where you are"

  • (cs)

    A funny IRC quote about security questions.

    http://qdb.us/61277

  • Corporate Cog (unregistered) in reply to Benji
    Benji:
    No retinal scans. When a woman gets pregnant it changes her retinal pattern.

    And I recently had a minor retinal condition which altered it.

  • Rurouni (unregistered) in reply to Random832
    Random832:
    grrr:
    Banks should start by accepting the special characters !@#$%^&*()-=[]{}\|'";:,<.>?/`~ as part of the password.

    I am sick of having to neuter my strong passwords into weak ones.

    Put it into perspective. That's 30 characters. On top of 62 (alphanumeric), that's 1.5 extra bits. Random alphanumeric characters are worth about 6 bits each. So, all you have to do is add one extra character to the password for every ten. So, if you normally use ten characters that are alpha+numeric+all those symbols, you only have to use eleven alphanumeric chars for the same strength.

    Following this line of reasoning, why bother with alphanumeric when you can just use alphabetic and increase the password length by one (52^12 > 62^11)? And while we're at it, it's only a few additional keystrokes if we get rid of the confusing upper/lower case distinction (26^14 > 62^11). In fact, if you narrow it down to just 2 characters....

    No, the better approach is to allow the extra characters so that people can remember the shorter passwords.

    Also, SQL injection concerns (mentioned in a later post) should not be an issue if the appropriate prevention techniques are used.
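The arithmetic behind this exchange, as an added example that is not from the thread: a helper that converts a charset size and length into bits of entropy and back, and checks the specific claims made above (92^10 < 62^11, 52^12 > 62^11, 26^14 > 62^11). One correction it makes visible: the per-character gain from adding 30 symbols to 62 alphanumerics is log2(92/62), about 0.57 bits, not 1.5, which leaves Random832's "one extra alphanumeric character per ten" conclusion intact (ten characters gain 5.7 bits; one alphanumeric character is worth 5.95). The 64-bit target is an assumption, and every figure assumes uniformly random characters, which human-chosen passwords are not.

```python
import math
from typing import Dict

# Charset sizes as used in the thread (92 = 62 alphanumerics + the 30 symbols grrr listed).
CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "alphabetic": 52,
    "alphanumeric": 62,
    "alphanumeric + 30 symbols": 92,
    "printable ASCII": 95,
}


def bits(charset_size: int, length: int) -> float:
    """Entropy of `length` uniformly random characters drawn from `charset_size` symbols."""
    return length * math.log2(charset_size)


def length_for(charset_size: int, target_bits: float) -> int:
    """Shortest length that reaches `target_bits` with this charset."""
    return math.ceil(target_bits / math.log2(charset_size))


def per_char_gain(narrow: int, wide: int) -> float:
    """Extra bits each character carries when the charset grows from `narrow` to `wide` symbols."""
    return math.log2(wide) - math.log2(narrow)


def extra_chars_to_match(narrow: int, wide: int, wide_length: int) -> int:
    """How many more characters the narrower charset needs to equal or beat wide^wide_length."""
    return length_for(narrow, bits(wide, wide_length)) - wide_length


def compare_policies(target_bits: float = 64.0) -> Dict[str, int]:
    """Minimum password length per charset policy for a given target (assumed 64 bits here)."""
    return {name: length_for(n, target_bits) for name, n in CHARSETS.items()}
```

The table from compare_policies() is the practical takeaway: between "alphanumeric" and "alphanumeric + 30 symbols" the required length differs by one character, so a bank that refuses symbols costs its customers one keystroke, not their security; refusing them to dodge SQL injection, as noted above, is solving the wrong problem.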

  • Corporate Cog (unregistered) in reply to Zylon
    Zylon:
    Where the hell the did the godawful term "Wish-It-Was Two-Factor" come from? Googling for it turns up exactly two hits-- this site, and a site linking to this site.

    What do you mean "where did it come from"? It came from this post!

  • Corporate Cog (unregistered) in reply to Grant
    Grant:
    The question is Paula. The answer is Brilliant!

    It's brillant.

  • Chris Lively (unregistered) in reply to j005u

    Except for the part where now the government has an easy time of profiling how you vote, what you shop for, probably even what kind of toppings you like on your pizza.

    Then again, that's probably not so different from us. Bring on the national id card!

    captcha: craaazy

  • Corporate Cog (unregistered) in reply to Captain Spongebath
    Captain Spongebath:
    The onscreen keyboard isn't meant to stop "hackers", it's meant to defeat keyloggers trying to capture your password. It's better than the stupid "secret(lol) questions" but would be more effective if they introduced some randomization into its appearance (position, scale, padding) so that the buttons aren't quite in the same position each time and the mouse clicks can't be logged and replayed...

    If you simply type in your PIN, there's no security hole here. Maybe it should be required.

  • Corporate Cog (unregistered) in reply to ShelteredCoder
    ShelteredCoder:
    What if someone gets your account number and just heads down to a local branch (assume you use a large bank)? Won't he/she be able to fill out a withdrawal slip and get your money? As long as the person at the counter doesn't know you, they will assume the guy with the account number is the account holder. How's that for security? (Yes, I know they can ask for a photo ID, but how hard is that to fake?)

    The best trick was Frank Abagnale (Catch me if you can) who, in the old days, noticed that at a friendly local bank, many customers wouldn't put their account number on a deposit slip. When this happened, the teller would happily fill it in for them. So he simply took home a stack of deposit slips, put his account number on each, dropped the stack back at the bank and waited for the dough to roll in.

  • Doug (unregistered) in reply to blade
    blade:
    I like it when they let you write your own question and answer. That way you can think up questions you'd never forget.

    IE: What city were you born?

    If you forget that, bank security is the least of your problems.

    This is arbitrary too. Was it the town I lived in when I was born or the town where the hospital was?

  • (cs)

    Yes, I hate many of the common implementations of this.

    What is my maternal grandmother's first name? I can't remember. I know the first names of my other three grandparents, but not my maternal grandmother's first name.

    Who was my best friend in grade school? I don't remember.

    Many questions are about honeymoons or spouses. This doesn't apply to many people.

    Worse, one site required certain LENGTHS for the answers to THESE questions.

    You can require a minimum length of 6 or so for made-up passwords, but not for answers to real questions (like a city name or a person's first or middle name).

    When I called about this, they suggested I add some ones, or 123, to the end of the answer.

    How am I supposed to remember later, whether I added ones or 123?

    Finally, one system seemed to get completely screwed up. It asked me questions that I am SURE I have never set answers to. Like "what was my favorite restaurant in college". Huh? I hadn't thought about it, and I am 100% certain I have never answered this question on any banking or credit card site. In fact, I can't think of an answer now.

    I hope some two-factor implementers are invited to read this thread!

    Oh yes, one other credit card site made me choose one of the 8 pictures that were shown. They somehow omitted the usual PassMark drop-down box that shows other categories, so you can select a different picture. I don't know how they did that.

  • Cloak (unregistered) in reply to Corporate Cog
    Corporate Cog:
    Captain Spongebath:
    The onscreen keyboard isn't meant to stop "hackers", it's meant to defeat keyloggers trying to capture your password. It's better than the stupid "secret(lol) questions" but would be more effective if they introduced some randomization into its appearance (position, scale, padding) so that the buttons aren't quite in the same position each time and the mouse clicks can't be logged and replayed...

    If you simply type in your PIN, there's no security hole here. Maybe it should be required.

    well, if you pin in a pin you might get a tiny hole in your screen and what leaks out from there could be captured by anybody. What? WTF!

  • Cloak (unregistered) in reply to DWalker59
    DWalker59:
    Yes, I hate many of the common implementations of this.

    What is my maternal grandmother's first name? I can't remember. I know the first names of my other three grandparents, but not my maternal grandmother's first name.

    Who was my best friend in grade school? I don't remember.

    Many questions are about honeymoons or spouses. This doesn't apply to many people.

    Worse, one site required certain LENGTHS for the answers to THESE questions.

    You can require a minimum length of 6 or so for made-up passwords, but not for answers to real questions (like a city name or a person's first or middle name).

    When I called about this, they suggested I add some ones, or 123, to the end of the answer.

    How am I supposed to remember later, whether I added ones or 123?

    Finally, one system seemed to get completely screwed up. It asked me questions that I am SURE I have never set answers to. Like "what was my favorite restaurant in college". Huh? I hadn't thought about it, and I am 100% certain I have never answered this question on any banking or credit card site. In fact, I can't think of an answer now.

    I hope some two-factor implementers are invited to read this thread!

    Oh yes, one other credit card site made me choose one of the 8 pictures that were shown. They somehow omitted the usual PassMark drop-down box that shows other categories, so you can select a different picture. I don't know how they did that.

    If the question was: "What's the length of your dick?" you might have added 123 to it

  • Loren Pechtel (unregistered) in reply to Ryan
    Ryan:
    It's funny because just this morning I locked myself out of my bank account because I couldn't remember what street my office was on at the time I created the account, and whether I had entered "james" or "jimmy" or "jim" for my sibling's name.

    I know what you mean. Some time ago I managed to lock myself out of an investment account by not being able to remember where I was married.

    The problem was a case of the metro area vs the actual city name. We had a simple justice-of-the-peace wedding from a convenient justice. (Money was tight, neither of us are ones for ceremony and there were only two relatives that could get there.) I wasn't the one who did the scheduling, there was basically no planning ahead. (Yes, we knew we were going to get married but the actual date wasn't set.) What suburb was the courthouse in???

  • Steve M. (unregistered)

    My bank recently introduced a two-factor security question, and what frustrated me the most was that while I KNOW THE RIGHT ANSWER I couldn't get past the question because of formatting problems.

    For example, the question, "What is your sibling's birth date?"

    Here is the e-mail I sent to my bank, from which I (surprisingly! :) haven't gotten any reply:

    Using a free-form date as an answer to a security question is EXTREMELY BAD BAD BAD DESIGN! We are currently travelling and briefly lost our VISA card, so we really needed to get into the website to see if any unauthorized charges had been made. We got stuck at the security question "What is your sibling's birth date?" and had to wait overnight until we could get a BECU rep on the phone and get it cleared up.

    For this question, we know the answer, but do we enter it "4/1/1901" (nope! illegal characters!), or "04-01-01", or 1 April 1901, or April 1, 1901, or apr 1 1901, or ... Hopefully, you get the picture.

    There are a million ways to enter the correct date such that you fail the security question. You are far more likely to enter a date in the wrong format - getting it right seems highly unlikely.

    If you keep this security question in your stable, then please change the input from a free-form text field to separate drop down combo boxes, one each for month, day, and year. At a minimum there should be text suggesting a format ("use MM-DD-YYYY").

    -Steve M.
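One way to avoid the formatting trap Steve M. describes without dropping the question, as an added example that is not BECU's code or anyone's from the thread: normalise the answer before hashing it, so "4/1/1901", "April 1, 1901", "1 April 1901" and "apr 1 1901" all enroll and verify as the same value, while an ambiguous input such as a two-digit year is refused at enrolment rather than guessed. Non-date answers are case-folded and stripped of spaces and punctuation, so Pöyhönen survives intact and Ray is not bounced for length (validation here is about format, not minimum length, which is the complaint in several comments above). The accepted date formats, the question_kind label and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from datetime import datetime
from typing import Optional, Tuple

# Formats accepted for date answers (assumed list; extend to taste). Two-digit years are
# deliberately absent: "04-01-01" could be three different dates, so it is refused, not guessed.
DATE_FORMATS = (
    "%m/%d/%Y", "%m-%d-%Y", "%Y-%m-%d",
    "%d %B %Y", "%d %b %Y",
    "%B %d, %Y", "%B %d %Y", "%b %d, %Y", "%b %d %Y",
)
PBKDF2_ROUNDS = 200_000  # assumed; tune to your hardware


def normalize_date(text: str) -> Optional[str]:
    """Canonical ISO date, or None if no unambiguous format matched."""
    s = " ".join(text.split())  # collapse stray whitespace
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(s, fmt).date().isoformat()
        except ValueError:
            continue
    return None


def normalize_text(text: str) -> str:
    """Unicode-normalise, case-fold, and drop everything that is not a letter or digit."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def normalize_answer(question_kind: str, answer: str) -> Optional[str]:
    if question_kind == "date":
        return normalize_date(answer)
    return normalize_text(answer) or None


def enroll(question_kind: str, answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); raises instead of silently storing an answer that could never be matched."""
    norm = normalize_answer(question_kind, answer)
    if norm is None:
        raise ValueError("answer could not be normalised; ask for it in a fixed format")
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS)


def check(question_kind: str, answer: str, salt: bytes, stored: bytes) -> bool:
    """Verify a later answer against the stored (salt, hash) using the same normalisation."""
    norm = normalize_answer(question_kind, answer)
    if norm is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)
```

Hashing the normalised answer rather than storing it in clear is the other half: a breach of the answers table should not hand out everyone's mother's maiden name. The same normalisation has to run at enrolment and at verification, which is why both paths call normalize_answer.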

  • old bloke (unregistered) in reply to Anon

    IN A HANDBAG. (http://en.wikipedia.org/wiki/The_Importance_of_Being_Earnest)

  • JL (unregistered) in reply to tiro
    tiro:
    > Anyone else notice that that would lead to actual (though horribly crappy) two-factor authentication?

    Something you have (the paper with the question answers). Something you know (a password).

    I thought about this too, and you're right: it is really crappy. The problem is that the data from your "thing you have" doesn't indicate that you actually have that thing. It's trivial for someone to create an identical "thing" if they have direct access to it or if they can eavesdrop on a few of your transactions. The changing keyfobs are much better in this respect.

  • SpamBot (unregistered) in reply to etr
    etr:
    Brandon:
    Q. What is your middle name? A. Ray Error: Your secret answer must be at least 5 letters.

    Doh! I guess I'll choose another question.

    Q. What was your high school mascot? A. Beavers Error: Your secret answer contains profanity and is not allowed.

    Doh! I guess I'll choose another question.

    I have to pick 3 and you only gave me four choices? I guess my money can go somewhere else.

    Captcha: pirates

    I ran into the same problems setting this up for our credit union when they decided to implement this bs. How can anyone put a four or five letter limit on first names? Idiots...

    I had a friend at school whose first name was A. No kidding. Just A. I think they might be having a few problems with online banking.... captcha: slashbot

  • (cs)

    I have spotted the WTF Here!. I would be just the kind of asshole who would send an email like that! Dude read my mind without even knowing me.

    On the up side... does anybody know my 8th grade earth science teacher? I need to log into my bank account and make a transfer... ?

  • s (unregistered)

    One very nice method is to pick a specific method of scrambling the original question and putting it for an answer.

    Say: What is your favourite color? Wiyfc - easy, pick first letters from the question. Wsuoo - pick every nth letter from nth word. hsoao - pick second letters. Wsyac - pick first from odd words, second from even. wai_yufvcl - pick first and third from each word....

    Just remember the method of scrambling and you're home.

  • James (unregistered)

    So what you're saying is we need a federal regulation demanding implementation of the Ident-I-Eeze?

    "It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant — a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense. - Douglas Adams (RIP!), from Mostly Harmless"

    Seriously, at the very least, how much would it cost banks to mail out a smart card (and maybe USB reader) to every single online banking client they have? A few hundred grand, maybe a few million for the bigger banks? Then you have honest-to-goodness 2-factor authentication, and you can even charge your clients for the privilege. I'm so sick of lazy bastards trying to wish their way to decent security.

  • (cs) in reply to blade

    I found out late in life that I was wrong about what city I was born in. Now I never remember if the answer to that question is the wrong city or the right city.

  • (cs) in reply to etr
    etr:
    Brandon:
    Q. What is your middle name? A. Ray Error: Your secret answer must be at least 5 letters.

    Doh! I guess I'll choose another question.

    Q. What was your high school mascot? A. Beavers Error: Your secret answer contains profanity and is not allowed.

    Doh! I guess I'll choose another question.

    I have to pick 3 and you only gave me four choices? I guess my money can go somewhere else.

    Captcha: pirates

    I ran into the same problems setting this up for our credit union when they decided to implement this bs. How can anyone put a four or five letter limit on first names? Idiots...

    It's pretty easy. In pseudo-code,

    if (name.length < 6) { sendToRejectController('message' => "Your name is too short"); }

    I think you're the idiot.

  • whats your name (unregistered) in reply to TheRubyWarlock

    This is true 2-factor.
