Web Application Security
Article - A solution to phishing Nov 23 2004 03:40AM Michael Silk (michaels phg com au) (9 replies)
Re: Article - A solution to phishing Nov 26 2004 04:48AM Joseph Miller (joseph tidetamerboatlifts com)
> Just a quick little article about a login system that should (I
> think :)) prevent phishing attempts on your site.
>
> http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html
Why not an implementation based on OPIE (http://inner.net/opie), then?
The user navigates to the login page. The user enters their login
name. A challenge is generated and sent to the registered email
address along with a URL that will for a given time window allow them
to respond. The user calculates the response to the challenge
locally. The user clicks on the URL for the response page. The user
responds with their one-time password and can enter. As soon as the
response is entered correctly, the challenge is invalidated. If it is
entered N times incorrectly, it is invalidated. If the time limit has
been exceeded, it is invalidated.
This alleviates disadvantage #1, at any rate.
As you mentioned, the most severe disadvantage is that no users
currently have to jump through any sort of these hoops to log in to a
site. It's a marketing nightmare. My assumption is that any
large-scale site would lose business in droves by requiring
non-standard authentication.
Implementing this might work as an opt-in solution, however.
Security-minded folks are more likely to adopt it quickly, while
enlightening the masses.
--John
--
John West jwest23 (at) gmail (dot) com
-><- 'tis an ill wind that blows no minds -><-
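The challenge lifecycle described in the reply above, sketched as an added example that is not part of the original post and is not OPIE's code. The SHA-256 hash chain is a simplified S/Key-style stand-in for OPIE's algorithm and encoding; the names `Account`, `chain`, `MAX_ATTEMPTS`, `WINDOW_SECONDS` and their values are assumptions, and e-mail delivery of the challenge and URL is left out.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS = 3      # the post's "N"; value assumed
WINDOW_SECONDS = 600  # the post's time window; value assumed

def chain(passphrase: str, seed: str, count: int) -> bytes:
    """Hash seed+passphrase `count` times (what the user computes locally)."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value

class Account:
    def __init__(self, passphrase: str, seed: str, count: int = 100):
        self.seed, self.count = seed, count
        self.stored = chain(passphrase, seed, count)  # server keeps only this
        self.pending = None                           # at most one live challenge

    def issue_challenge(self, now=None):
        """Build the challenge that would be e-mailed with the response URL."""
        if self.count <= 1:
            raise ValueError("hash chain exhausted; user must re-enroll")
        now = time.time() if now is None else now
        self.pending = {"token": secrets.token_urlsafe(16),  # goes in the URL
                        "expires": now + WINDOW_SECONDS, "failures": 0}
        return self.pending["token"], self.count - 1, self.seed

    def respond(self, token: str, response: bytes, now=None) -> bool:
        """Accept a correct response once; invalidate as the post describes."""
        now = time.time() if now is None else now
        p = self.pending
        if p is None or not hmac.compare_digest(token, p["token"]):
            return False
        if now > p["expires"]:
            self.pending = None              # time limit exceeded
            return False
        if hmac.compare_digest(hashlib.sha256(response).digest(), self.stored):
            self.stored, self.count = response, self.count - 1
            self.pending = None              # correct answer: single use
            return True
        p["failures"] += 1
        if p["failures"] >= MAX_ATTEMPTS:
            self.pending = None              # N incorrect answers
        return False
```

Because the server stores only the previous chain value, a response captured by a phishing page cannot be replayed once the challenge is invalidated, and it does not reveal the passphrase.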