Cards, money, two ... factors

    - Maybe you'd also like the key to the apartment where the money is kept?
    Ilya Ilf, Evgeny Petrov. The Twelve Chairs (1927)

    I really do not want my money to end up in the wrong hands without my knowledge.
    One could, of course, hide it behind a fairy-tale chain of chests, hares, ducks, eggs and needles, but time should be spent sensibly.

    Of course, first I identify myself: after a username + password or a client certificate, the payment system establishes that I am who I claim to be. But I insist that, right before the money is transferred, I be asked for something else, more or less secret.
    It can be called anything (PIN, secret code, payment password), but the essence is the same: an additional barrier.
    On the one hand, it should be simple; on the other hand, it should be secure enough.

    Fixed code

    A certain sequence of characters that the client and the system know.

    Pros: Simple. Make one up, remember it, type it in when asked.
    Cons: It is just another password. If "someone" can obtain the first password, they will obtain the second one the same way. It protects only against an accidental leak of the first password.
    Audience: The lazy, because such a code can be saved in the browser's form autofill alongside the login and password, so that no time at all is "wasted" on security.

    Code table with sequence numbers

    A kind of one-time password (OTP). The codes are used either in sequence or in an order chosen at random.

    Pros: Without access to the full list, it is quite hard to guess the code. There are password managers that can work with such lists.
    It can be used in session mode for several transfers in a row: the code remains valid for as long as the system identifies the client within one session.
    Cons: The list must be kept carefully, especially if it was issued on a piece of plastic or on fading receipt paper.
    Audience: Customers on whom banks imposed this service because there were no other options.
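    An added example (not code from the post) of the server side of such a code table in Python: the bank stores only keyed hashes of the codes, each bound to its sequence number, and marks a code as spent the moment it is accepted, so a code read off a lost receipt is useless once it has been used. SERVER_KEY and the sample codes are constructed values.

```python
import hmac
import hashlib
import secrets
import string

# Constructed server-side key; in practice it lives in an HSM or a secrets store.
SERVER_KEY = b"constructed-server-key-do-not-reuse"


def issue_code_table(count: int = 20, length: int = 6) -> list:
    """Codes printed for the client, numbered 1..count (constructed, CSPRNG-based)."""
    return ["".join(secrets.choice(string.digits) for _ in range(length))
            for _ in range(count)]


class CodeTableVerifier:
    """Server side of the scheme: keeps only keyed hashes of the codes,
    binds each code to its sequence number, and accepts every code at most once."""

    def __init__(self, codes: list):
        self._tags = [self._tag(i + 1, c) for i, c in enumerate(codes)]
        self._used = [False] * len(codes)

    @staticmethod
    def _tag(seq: int, code: str) -> bytes:
        # HMAC with a server-held key: a leaked database row cannot be brute-forced
        # offline over the 10^6 code space without the key, and a code hashed with
        # its position cannot be presented at a different position.
        return hmac.new(SERVER_KEY, f"{seq}:{code}".encode(), hashlib.sha256).digest()

    def verify(self, seq: int, code: str) -> bool:
        """True only for the right code at the right position, the first time it is used."""
        if not 1 <= seq <= len(self._tags) or self._used[seq - 1]:
            return False
        ok = hmac.compare_digest(self._tag(seq, code), self._tags[seq - 1])
        if ok:
            self._used[seq - 1] = True  # burn the code: a replay is refused
        return ok

    def remaining(self) -> int:
        """Unused codes left, so the bank knows when to issue a new table."""
        return self._used.count(False)
```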

    SMS code

    A one-time code is sent by SMS to a phone number provided in advance.

    Pros: A very familiar and widespread option; it needs no explanation to anyone.
    It can be used in session mode for several transfers in a row: the code remains valid for as long as the system identifies the client within one session.
    Cons: The phone must be with you, working, and able to receive SMS, which is a particular problem in roaming. It is important to remember that a phone number is not issued once for a lifetime: it may have belonged to someone else earlier and may be acquired by someone else in the future.
    Sometimes messages simply do not arrive, for unknown reasons. This becomes a very hard problem to solve and greatly annoys customers.
    Audience: Most customers of most banks and systems, because it is the mainstream.

    TOTP (RFC6238)

    An open algorithm for generating one-time passwords from a shared secret and accurate time. Many know it as Google Authenticator.

    Pros: Popularized as the second step of two-factor authentication. Easy to use: scan a QR code, see the digits, type them in when asked. The code-generating device needs no Internet connection and no mobile operator. Knowing the secret, you can generate the same code on different devices. The algorithm is open and documented, so there are implementations for almost everything (Nokia S40, Android, iOS, PC, Mac, KeePass, JavaScript, etc.).
    Cons: The clock on the device must be accurate. Special attention must be paid to the safe keeping of the secret, which may be needed to reinitialize the generator.
    Audience: Those who were "forced" into it and geeks, of course, because the lazy are too lazy and most people will not want to figure it out.

    Hardware OTP

    Dedicated devices that generate a one-time code. They can be built into a plastic card with an LCD display and buttons, made as a key fob in the bank's corporate design, etc.

    Pros: Fairly easy to use. The device needs no Internet connection to generate the code.
    Cons: Usually exists in a single copy, that is, each device is unique, because the secret is written into it at the factory. Although the batteries in such devices last a very long time, it matters that the charge not run out at the most inopportune moment. Some banks like to sell such devices, albeit for little money.
    Audience: Customers of some banks, because they need additional security or received the device as an extra option or bonus.

    Push notification

    A one-time code is sent by the service to a smartphone or tablet as a special notification.

    Pros: Can be very similar to an SMS code. For the sender, a push notification is cheaper than an SMS.
    Cons: Requires Internet access and an application that, at a minimum, registers the client to receive push notifications.
    Audience: Some customers of some banks, because they installed a well-made mobile application.

    USB Token

    A device that provides secure private-key operations and strong data encryption.

    Pros: Everything should be very secure. Data encryption is transparent to the user. Does not require the client to switch attention away from the main task.
    Cons: Exists in a single copy. As a rule, it requires special software on the client device. Using such keys requires substantial rework of the service.
    Audience: I don't know whether anyone uses USB tokens as an additional factor to confirm payments. Perhaps with the spread of the UEC something will change.


    Technically, we can work with fixed codes, one-time and session table codes, one-time and session SMS codes, and TOTP. At different times, as new implementations of payment passwords appeared, we have turned the ability to select them on and off. Right now, in the account management section of your account, you can switch between fixed, table, SMS and TOTP codes. But our statistics show that the vast majority of users keep whatever we offer them by default. Only a few, apparently just the geeks, have what they actually need and find convenient for security.

    As a result, at registration we left only two methods: fixed code and TOTP.
    I think TOTP provides a sufficient level of security while not being very hard to use, either for clients or to implement in automated systems (it can even be implemented entirely at the database level).

    Is there any demand from the public for the other options: hardware OTP, push notifications and USB tokens?
