Educause Security Discussion mailing list archives

Re: Implementing a Public Key Infrastructure


From: "Cary, Kim" <Kim.Cary () PEPPERDINE EDU>
Date: Mon, 20 Feb 2006 10:01:12 -0800

SiteKey is rather interesting. Basically, you can't put in your password
(no blank for it) until you submit your userid.

In response to submitting your userid you are shown two tokens on the
resulting password input page:
1) A picture you chose from their set of pictures.
2) A phrase you previously input describing the picture.
They tell you not to put in your password unless you see the picture and
phrase you were expecting.

So, if someone is phishing, they have to guess my ID, snarf & load my
tokens into the phishing site in order to properly impersonate the site.


On Feb 16, 2006, at 9:00 PM, SECURITY automatic digest system wrote:


Date:    Thu, 16 Feb 2006 09:28:57 -0800
From:    "Barbara Chung (DURTSCHI)" <bchung () MICROSOFT COM>
Subject: Re: Implementing a Public Key Infrastructure

We often think of two-factor as being something-that-you-know and
something-that-you-have, assuming that what you have is on a hardware
token.  I suspect that the banks will be looking at deploying some kind
of cryptographic device (they won't tell anyone of course) on the user's
machine. Bank of America is using something they call SiteKey:

http://www.bankofamerica.com/privacy/sitekey/
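
The two-step exchange described in the message above, modelled as an added example; it is not part of the original posts and is not Bank of America's code. The function names, the picture set, the sample user and the decoy reply for unknown userids are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not from the post).
PICTURES = ["lighthouse", "red bicycle", "teapot", "sailboat"]
DECOY_KEY = b"constructed-server-secret"
SALT = b"constructed-salt"

def _pw_hash(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Enrolment record: the picture the user chose and the phrase they typed in.
USERS = {"alice": {"picture": "lighthouse",
                   "phrase": "foggy morning at the point",
                   "pw_hash": _pw_hash("correct horse battery")}}

def step1_tokens(userid):
    """Step 1: only the userid is submitted; the site replies with the tokens."""
    rec = USERS.get(userid)
    if rec:
        return rec["picture"], rec["phrase"]
    # Assumption added here: an unknown userid gets a stable decoy, so the
    # reply does not reveal which userids are enrolled.
    d = hmac.new(DECOY_KEY, userid.encode(), hashlib.sha256).digest()
    return PICTURES[d[0] % len(PICTURES)], "phrase-" + d[1:5].hex()

def user_should_enter_password(shown, expected):
    """The check the user is told to make before typing a password."""
    return shown == expected

def step2_login(userid, password):
    """Step 2: the password field exists only on the page that showed the tokens."""
    rec = USERS.get(userid)
    # Hash even for unknown userids so both paths do the same work.
    stored = rec["pw_hash"] if rec else _pw_hash("")
    return hmac.compare_digest(stored, _pw_hash(password)) and rec is not None

if __name__ == "__main__":
    expected = ("lighthouse", "foggy morning at the point")
    shown = step1_tokens("alice")
    print("tokens shown:", shown)
    if user_should_enter_password(shown, expected):
        print("login ok:", step2_login("alice", "correct horse battery"))
    print("page without the tokens:",
          user_should_enter_password(("teapot", "welcome back"), expected))
```
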

