I recently came across something called ShieldPass, a two-factor authentication system that you can integrate into your website easily and, more importantly, cheaply.
You receive a cool little credit-card-sized card with a clear window area in which parts of digits are printed. Once you add the code for this system to your website, it presents an area on your screen over which you place the card, and the printed segments line up with the on-screen pattern to reveal the numbers you enter as your password.
The screen of your computer presents the following. You then hold your card up to align it and enter the code that is displayed, which alternates (the pattern is animated). It even works on the iPhone and iPad.
The pattern looks like this (animated image below):
For $9 you receive one card, including a one-year subscription to their authentication system. This has various options such as brute-force lockouts, IP monitoring, domain locking (so only my URL can authenticate against it) and so on. There is also an option to run your own authentication server.
This is a video showing how the card actually works.
The system operates using public and private keys, and each login is given a unique one-time password.
Sample code is supplied which you can simply copy and paste into your website, or plugins are available for WordPress, osCommerce, Zen Cart etc. This is what attracted me to it, as I use WordPress. I can now cheaply and easily set up (it took me 2 minutes without reading any docs) additional security for the admin panel on my blog. So I now log in as normal, then I am presented with an additional screen where I have to place my ShieldPass card against the screen and enter the unique one-time code. I am then authenticated to the admin panel. I believe you can also turn off the normal WordPress auth and just use ShieldPass, but I haven’t tried that yet.
Given an earlier article I posted showing just how easy it is to enumerate and brute-force WordPress users and passwords, this is a perfect solution. See the old post here: http://www.commonexploits.com/?p=291
Backup cards can be supplied for $5, so if one is lost you can manage the cards via their admin portal. You can also lock users to their regular IP addresses, among various other options, as seen below.
Working in the security industry, I have seen so many e-commerce stores such as osCommerce compromised and the credit card data stored for offline payments extracted. This is no fault of osCommerce, but rather a weak admin credential issue. For small companies that can’t afford massive authentication systems, this is where I see it being a great solution. For $9 you have a solution where only your card (together with your existing password) can gain access to the admin panel, and every time you log in it uses a unique one-time password.
My blog doesn’t contain anything really important, but if the admin panel were compromised the content could be changed and the site defaced. Obviously, if this were a business with a store, it would be essential to protect the admin panel from hackers.
I have not conducted any security testing on these devices; I am purely sharing the information because I think it looks like a pretty good idea and, for me, it adds a much-needed improvement over my existing website authentication.
Take a look at the ShieldPass site for more info. www.shieldpass.com

This seems to be a ‘cool’ solution. Who wouldn’t rather have a ‘credit card’ than an RSA token?
But as with all these solutions they are fraught with fundamental weaknesses.
1. What happens if you lose the card? What kind of admin hassle do you have to go through to disable the lost one and then get a new one?
2. Where do you enter the PIN that is generated by the process? Into the browser, which is not secure. No different from entering the PIN from an RSA token.
The hacker sits in the middle and uses your credentials.
I am not convinced. Or am I missing something?
thanks
R
All good questions.
You can assign backup cards and activate/deactivate them easily online. As they are so cheap, it really isn’t so much of an issue as losing an RSA key ring.
It goes into the browser. If the hacker in the middle captures the PIN you have entered, it is one-time use only. I haven’t conducted any security testing on it, but from what I have seen it looks good. As in, it is 100% better than using admin credentials for things like the WordPress admin panel, as I can enumerate the usernames easily, then just brute-force the password, and from what I have seen there is no lockout, so I have endless time to attempt to gain access.
Only my card matches the codes being alternated on the screen, so to anyone else they are unreadable. Obviously someone sat on the same network segment could possibly capture the digits I enter, but they are useless once I have logged in. People administering websites typically (I would hope) wouldn’t be sat in internet cafes etc., therefore the main risk is brute-forcing the login page.
If you consider that most online stores probably just have you go to the admin page and enter a user of admin with some weak password, which protects most of your data, this would be a massive improvement: something cheap and simple, and an extra layer of protection.
I have updated the post to show the card management options.
You should really give duo_wordpress a shot if you want some sane two-factor:
http://wordpress.org/extend/plugins/duo-wordpress/screenshots/
@Ross Hi guys, the developer of ShieldPass and inventor of PassWindow here.
Regarding lost cards: in the client administrator panel at shieldpass.com you have a checkbox to mark an individual card as lost, which puts it into a lockout mode, and then a further box to mark it as permanently lost, as it could have just been misplaced temporarily. Once marked permanently lost, a backup card can be instantly assigned, and it is up to the client to decide their policy until the newly assigned backup card is in the user’s hand; the system does come with an optional built-in username and password system which can be enabled and which, while vulnerable, could provide some extra protection for clients who need to allow a user in during that redeployment time. There are also options for user IP address locking, and they all have gradually increasing timed lockouts on incorrect responses for brute-force protection. I have tried to make the system as flexible as possible to a client’s needs, rather than like most hardware systems, which are baked at the factory. ShieldPass security can be modified on the fly even after the cards are out in the field, so you could turn the general or a particular user’s overall authentication security/usability up or down depending on the use case. Another comment regarding lost cards: being that the form factor is a plastic card, it should be in the universal wallet/purse, not floating freely around users’ desks or left unattended, which is one of my biggest complaints with hardware tokens. In fact the physical pain of not being able to easily carry them around without stress that I will sit on them and break one means that even I circumvent their security, which is a topic the security community rarely discusses.
For example, if I travel overseas and don’t want to risk leaving my RSA-styled banking tokens unattended in a backpackers somewhere, I leave them at home with my wife and just request an OTP over instant messenger, which of course completely circumvents the security; however, as a user the general battle is for usability and convenience, not security. I am unable to circumvent the security of ShieldPass in this way, as I would need the physical card to superimpose on the screen to read the numbers, not that I would want to, because as a plastic card I know it’s conveniently in my wallet, which is arguably the most secure location on a person, and with no electronics I don’t worry about breaking it as I do with the electronic tokens.
Regarding the security, I will try not to fill up the page here, but this is actually the most exciting part from a technical security perspective. From the start the method assumes the malware/hacker has full unrestricted root access everywhere between the webserver and the physical user. There is no reliance on SSL or assumptions that the user’s terminal/device/mobile is secure, as is erroneously done with most OTP hardware tokens. The attack no one wants to talk about is the MITM (man-in-the-middle) attack you described. How many 2nd factor authentication systems are described as “strong authentication” and yet ridiculously assume the user’s OS doesn’t have malware? Almost all of them. And yet it is constantly published that common malware such as SpyEye has MITM browser injectors for all the major browser types, and mobile plugins too. The industry just doesn’t want to talk about it. In fact the attacker doesn’t even need to compromise the user’s OS with malware, as they can bypass OTP with many of the phishing pages which have built-in Jabber instant messaging clients relaying the OTPs back to base. The info security industry doesn’t talk about it because there were no easy solutions until PassWindow, and this is the big advantage: REAL transaction authentication done passively, without the user needing to jump through 15 minutes of hoops with a transaction signing token the size of a calculator. Essentially the system can encode specific transaction information alongside the OTP on the client’s webserver, well before it hits the network or the user’s browser. This is left open to the client to implement in any way they want, and it means that when a challenge hits your screen you know the information and OTP are genuine, directly from the server, and exactly what its purpose is. There is a quick demonstration in the YouTube video at the 30-second mark showing the last 3 digits of a destination account number.
The attacker cannot switch the challenge for another and cannot pretend via MITM that the challenge is for something it is not, i.e. a different account. (For example, malware usually simply injects a “session expired, please login again…” message with a fake login page to get a new OTP out of users any time they like.) In fact there are no practical online attacks against the underlying PassWindow method until you get into the ridiculous realm of asking a user to give them their physical card or convincing a user to do something only the attacker wants to do, and so I can argue it’s more secure than every other 2nd factor authentication method I have seen (a bold claim I know, and yet I have been making it publicly for years now).
The plugins are all quite simple, and if anyone wants to beef one up with extra features and slap transaction authentication over everything they are welcome to; please contact me so we can make it freely available to everyone. The library is a little similar to reCAPTCHA in design, so it can be built into almost any web service there is without much drama. For those who want to look at the underlying authentication technology there is https://www.passwindow.com, including a comparison with all the other 2nd factor authentication methods at passwindow.com/security.html, but I personally developed and run ShieldPass because it seems cooler and more in touch with the average client who just wants to buy the cards, paste in some code and get started, rather than configure an entire commercial authentication server, which is the commercial business realm of PassWindow. If anyone has further questions or suggestions please feel free to ask.
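An added illustration, not ShieldPass’s or PassWindow’s own code (the page gives no details of their actual encoding), modelling the overlay mechanism the post describes and the transaction binding the developer’s comment above mentions: the card carries a secret pattern of opaque segments, each animation frame supplies only the segments that complete one digit, so the screen alone shows no readable digit to anyone in the middle, and the server can place a destination-account suffix in the same frames alongside the OTP. The seven-segment digits, the 21-position one-segment-per-position card, and the seed and sample digits are all assumptions.

```python
import random

# Standard seven-segment encodings; segments a..g are bits 0..6 of a mask.
SEG = {'0': 'abcdef', '1': 'bc', '2': 'abdeg', '3': 'abcdg', '4': 'bcfg',
       '5': 'acdfg', '6': 'acdefg', '7': 'abc', '8': 'abcdefg', '9': 'abcdfg'}
MASK = {d: sum(1 << (ord(s) - 97) for s in segs) for d, segs in SEG.items()}
DIGIT_OF = {m: d for d, m in MASK.items()}

def make_card(rng):
    """Secret card pattern (assumed model): 21 window positions, each printing one
    opaque segment, every segment occurring three times so any digit can be formed."""
    segs = list(range(7)) * 3
    rng.shuffle(segs)
    return [1 << s for s in segs]

def make_frame(card, digit, rng):
    """One animation frame that reveals `digit` at a single position. The eye sees
    card OR screen, so the screen supplies only the segments the card lacks."""
    want = MASK[digit]
    usable = [i for i, c in enumerate(card)
              if c & want and (want & ~c) not in DIGIT_OF]  # screen part alone is no digit
    pos = rng.choice(usable)  # never empty: each segment occurs three times on the card
    screen = [0] * len(card)
    for i, c in enumerate(card):
        if i == pos:
            screen[i] = want & ~c
            continue
        while True:  # decoy: not a digit on its own, nor when seen through this card
            noise = rng.randrange(1, 128)
            if noise not in DIGIT_OF and (noise | c) not in DIGIT_OF:
                screen[i] = noise
                break
    return screen

def make_challenge(card, otp, txn_suffix, rng):
    """Server side: OTP digits, then the last digits of the destination account."""
    return [make_frame(card, d, rng) for d in otp + txn_suffix]

def read_through_card(card, frames):
    """What whoever holds `card` reads off the animation; pass an all-zero card
    to see what the screen alone (a man-in-the-middle's view) gives away."""
    return ''.join(DIGIT_OF[c | s] for screen in frames
                   for c, s in zip(card, screen) if (c | s) in DIGIT_OF)

def demo(seed=7, otp='428', txn_suffix='317'):
    rng = random.Random(seed)  # constructed values: fixed seed, sample OTP and suffix
    card = make_card(rng)
    frames = make_challenge(card, otp, txn_suffix, rng)
    return read_through_card(card, frames), read_through_card([0] * len(card), frames)
```

With the card, `demo()` reads back the OTP followed by the account suffix; without it, the same frames yield no digit at all, which is the property that makes a relayed or altered challenge detectable by the card holder.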