
Two Stage Log In

StanTheMan
StanTheMan Junior Member
edited November 2010 in Mac
Financial Institution Security ‘Improvement’.

Having got used to very frequently using a site over a long period of time, there are upcoming changes which will have to be addressed, so I am exploring the ‘probabilities/possibilities’ of what will need to be done to continue this use.



At present this Financial Institution [FI]:



Firstly, they require the entry of a [b]10 digit Membership Number[/b], which they offer to ‘remember’ and which I decline to accept.

Currently 1PassWord stores this as [b]Username[/b].



Secondly, they require the entry of the customer’s choice of [b]Memorable Data[/b].

Currently 1PassWord stores this as [b]Password[/b].



Thirdly, they require the entry of [b]3 digits which are randomly selected from a 6 digit PassCode[/b].

Currently 1PassWord is set [b]not to submit the Log In[/b] because the [b]3 digits have to be manually selected from drop down lists[/b] before hitting the [b]Sign In Now[/b] button.



None of the above creates any issues, and despite being the most awkward site that I use, it probably only takes 20 seconds longer to gain entry compared to a more normal ‘blink of an eye’.

Unfortunately this is about to change and so I am seeking to make the transition as smooth as possible by investigating, as far as possible, any solutions that may be available.



A preview of the new system Sign On can be seen at:



Link removed by Stan



Effectively exactly the same information is required to be entered, but it appears from my experience that the 1PassWord Log In will only be able to cope with the [b]10 digit Membership Number[/b] on the [b]First Screen[/b]. On the [b]Second Screen[/b] I will have to manually enter the [b]Memorable Data[/b] and the [b]3 digits which are randomly selected from a 6 digit PassCode[/b].



Hopefully I am missing something within 1PassWord which may cope with this situation?

Any helpful suggestions, pointers or advice will be most gratefully received.



I am informed that eventually a Card Reader will be issued as a second means of Signing On, but when this happens the above form of access will have limitations placed on some types of transactions.

If the Card Reader System is as clumsy as that forced on me by another FI I may decide to move my accounts to a different FI that already appreciates the benefits of 1PassWord.
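The "3 random digits of a 6 digit PassCode" step described above is a partial-password scheme. The following Python is an added example, not code from the original post or from the financial institution: it models such a server (assumption: positions are chosen uniformly at random each sign-on, and the 6 digits and 3-digit challenge length are taken from the post), and quantifies what an observer of several sign-ons (a keylogger, a phishing page, a shoulder surfer) learns. The inclusion-exclusion formula is the general case and goes beyond the post, which only describes the mechanism.

```python
import random
from math import comb

PASSCODE_LEN = 6   # from the post: a 6 digit PassCode
CHALLENGE_LEN = 3  # from the post: 3 digits requested per sign-on


class PartialPasscodeServer:
    """Toy model of the partial-passcode step (constructed for illustration).

    Each challenge() picks CHALLENGE_LEN distinct positions; verify() checks
    only those positions, so a single session never reveals the whole code.
    """

    def __init__(self, passcode, seed=None):
        if len(passcode) != PASSCODE_LEN or not passcode.isdigit():
            raise ValueError("passcode must be %d digits" % PASSCODE_LEN)
        self._passcode = passcode
        self._rng = random.Random(seed)  # seed only for reproducible demos
        self._pending = None

    def challenge(self):
        # 0-based positions the user must answer, e.g. [0, 2, 5]
        self._pending = sorted(self._rng.sample(range(PASSCODE_LEN), CHALLENGE_LEN))
        return self._pending

    def verify(self, digits):
        positions, self._pending = self._pending, None  # one-shot challenge
        if positions is None or len(digits) != CHALLENGE_LEN:
            return False
        return all(self._passcode[p] == d for p, d in zip(positions, digits))


def eavesdrop(passcode, sessions, seed=None):
    """Run `sessions` honest sign-ons and return {position: digit} an observer
    of the challenge/response pairs has learned (assumes the observer sees
    both the requested positions and the typed digits)."""
    server = PartialPasscodeServer(passcode, seed=seed)
    learned = {}
    for _ in range(sessions):
        positions = server.challenge()
        answer = [passcode[p] for p in positions]
        assert server.verify(answer)
        learned.update(zip(positions, answer))
    return learned


def prob_full_recovery(n, total=PASSCODE_LEN, k=CHALLENGE_LEN):
    """Probability that n independent uniform k-subsets of `total` positions
    together cover every position (inclusion-exclusion over missed positions)."""
    denom = comb(total, k)
    return sum(
        (-1) ** j * comb(total, j) * (comb(total - j, k) / denom) ** n
        for j in range(total + 1)
    )


if __name__ == "__main__":
    for n in (1, 2, 3, 5, 10):
        print("%2d observed sign-ons: P(whole passcode known) = %.3f" % (n, prob_full_recovery(n)))
```

With 3 of 6 digits per sign-on, two observed sessions already give a 5% chance that the whole code is known, and five sessions give over 80%; the scheme buys time against a one-off capture, not against an attacker who can watch the account for a while.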

Comments

  • khad
    khad Social Choreographer
    edited November 2010
    Hello Stan,



    Some of these crazy bank logins can be quite frustrating. They usually end up being more trouble than they are worth (especially if you are already using a good, strong password stored securely in 1Password). :S



    Fortunately, it looks like you may be able to actually reduce the burden with the new login system. If I am understanding it correctly from the link you provided, you should be able to save a login on the first screen for your [b]10 digit Membership Number[/b] which 1Password will again store as a username.



    The second page seems to merely consolidate what was previously spread across the second and third pages. If you enter your [b]Memorable Data[/b] on the second page and then [b]manually save[/b] a login (prior to entering anything in the dropdown selectors), you should be able to edit the login in 1Password and set the Submit value to "Never." This should fill the [b]Membership Number[/b] and then allow you to enter the 3 digits before submitting.



    I hope that helps. Please let me know if I have misunderstood.



    Thanks!



    [i]Of course, if it gets frustrating enough for you, we would take it as a great compliment that you would switch banks on account of their disregard for 1Password.[/i] :-D
  • StanTheMan
    StanTheMan Junior Member
    edited November 2010
    Thanks for the prompt response [b]khad[/b]



    I did not explain well enough that the existing Log In system is all on one page.

    If you visit:



    Link removed by Stan



    of the website and hit the Sign On button you can view the current situation; attempts to link direct to the Sign On page are usually not successful and display a Timed Out warning.



    In my view not saving the [b]Membership Number[/b] serves to increase my security; they clearly see it the same way, given their cautionary statement.

    I will be very [read [size="5"][b]VERY[/b][/size]] reluctant to lose this aspect of my security by having this information saved, even on my password protected, single user Mac.

    Quite why they feel the need to split the Sign On in two and still only require the same level of input beggars belief; I would be happier if there was an explanation as to how this will improve security.

    Given their intention to provide Card Readers in the future this really could have been left ‘as is’ in the meantime.

    I am all for security and would not be without 1PassWord.



    I assume from your comments that I am correct in thinking that only one ‘page/screen’ of input can be retained by 1PassWord?

    Until the new system goes live I have no way of testing the water, so to speak.



    Rest assured if I get upset any further they will be clearly informed that I think my MO incorporating the use of 1PassWord is eminently more satisfactory than their security update, and hammer it home by letting my feet do the talking :D :lol:
  • danco
    danco Senior Member
    There are two possible answers to your issue.



    Check the tutorials/help for a discussion of multi-page logins. You can have one item for one page and a separate entry for the other page. This is essentially what khad is suggesting.



    Alternatively, your old login may work. Certainly I have one login for Firefox (the site used not to work well in Safari, which is my main browser) that fills my username on one page and fills my password on the next, all from a single 1Password entry.
  • StanTheMan
    StanTheMan Junior Member
    Thanks for your input [b]danco[/b]



    I was tripped up by ‘terminology’; my searches for ‘two stage log in’ and several similar terms had not found anything useful.

    Whilst ‘multi page log in‘ found:



    [url="http://help.agile.ws/1Password3/multi_page_logins.html"]How to create multi-page Logins[/url]



    I have bookmarked the article in readiness for when the new Sign On System goes live.



    It certainly looks like it will save the day, and to some extent it offers at least one explanation of how this system defends against attacks, even if the article’s author seems to have some reservations about the latter.



    Without the opportunity to test drive the system, and before this thread was started, my decision was that if faced with the new system and no apparent way to overcome it I would attempt making a Log In for each section.



    I lost my nerve somewhat as accessing the site is very important to me. I am more confident now, thanks again for your help.
  • Gnarlodious
    Gnarlodious Junior Member
    edited November 2010
    You should avoid linking directly to the bank website image. Their webmaster can see the referer URL on their stats page and come here to check out what all the traffic is. Then they will see people discussing how to break through their security and adopt even more ridiculous levels of security.
  • StanTheMan
    StanTheMan Junior Member
    edited November 2010
    Thanks for the info [b]Gnarlodious[/b]



    I appreciate your concern and perhaps a Moderator here could remove the link/s if I am not able to do so myself immediately after completing this post.



    I have had a lot of communication with this company on this subject and frankly it has been like trying to stir cold porridge with a straw whilst standing at the North Pole in winter: not very successful, and I have a real need to get on top of this urgently.



    EDIT: Perhaps you, or a Moderator, will be kind enough to delete the link you have quoted?

    Thank you.

    FURTHER EDIT: Thanks for removing the link G, I hope that has removed everything that may create issues.

    If anyone knows differently please shout.
  • khad
    khad Social Choreographer
    I certainly don't think a discussion of using 1Password could be considered "breaking through" their security. :-)



    In fact, it might do them some good to see the burden this places on their customers who are, in fact, utilizing a great security tool like 1Password. I can only dream that Bank of America would read this thread and make some changes in their login procedure…



    Consider the [url="http://en.wikipedia.org/wiki/SiteKey#Weaknesses"]SiteKey[/url] approach used by Bank of America and others. It is pretty much complete security "theater." It's a very "feel-good" approach but the practical benefit is virtually zero. From Security Now episode 90 [url="http://www.grc.com/securitynow.htm#90"]Multifactor Authentication[/url]:



    [quote]STEVE: … So if they see that you’re at a different computer that doesn’t have a cookie, that’s when they ask you some additional information. Well, it turns out that, if you were a victim of phishing, which is what this whole thing is designed to prevent, you log into what looks like BofA, and it’s not. They ask you your username and your state. So you fill that in. The phishing site turns around and submits that to the real BofA site.



    LEO: And gets the SiteKey.



    STEVE: Yes. Yes.



    LEO: Give me your SiteKey. Now, actually it won’t get the SiteKey, will it, though, because it’s a different...



    STEVE: No. What happens is, the BofA site asks the question, which the phishing site turns around and asks you.



    LEO: Passes on to you. So you fill in the answers.



    STEVE: So you fill in the answers.



    LEO: And it fills in the answers.



    STEVE: It sends it back to BofA. BofA then finally says, oh, this must really be Leo in a hotel.



    LEO: Here’s the SiteKey.



    STEVE: Sends the SiteKey, which the phishing site bounces through, providing you with the picture you’re expecting, and you give it your log-in.



    LEO: So it’s completely stupid.



    STEVE: It’s completely stupid.[/quote]



    Essentially, multi-step logins just create an additional vector of attack. With a single login page, you can be phished. With multiple login pages you are still susceptible to phishing and [i]also[/i] man-in-the-middle attacks. :S



    Not to mention that 97% of users in [url="http://www.usablesecurity.org/emperor/emperor.pdf"]an MIT study[/url] did not even notice when their SiteKey image was absent. If only banks would read these sorts of threads. If [i]only[/i]... (banghead)
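The relay attack Steve and Leo walk through in the quoted transcript is easy to see in code. The following Python is an added example, not code from the post, from the podcast or from any real bank: it models a SiteKey-style login with a "no cookie" extra question (constructed user data, question and image name are all assumptions), a careful victim who only types the password after the expected image appears, and two phishing sites: one that guesses an image and one that simply relays every step to the real site, exactly as described in the transcript.

```python
class BankSite:
    """Toy SiteKey-style login (constructed; not any real bank's protocol).

    Flow on an unrecognised device: username -> extra question -> SiteKey
    image -> password. The image is meant to prove the site is genuine.
    """

    def __init__(self):
        # Constructed sample account; nothing here is real.
        self._users = {
            "leo": {"question": "state", "answer": "CA",
                    "sitekey": "sailboat.png", "password": "hunter2"},
        }
        self._verified = set()  # users who answered the extra question

    def start(self, username):
        user = self._users.get(username)
        return None if user is None else user["question"]

    def answer_challenge(self, username, answer):
        user = self._users.get(username)
        if user and user["answer"] == answer:
            self._verified.add(username)
            return user["sitekey"]  # the image the victim expects to see
        return None

    def login(self, username, password):
        user = self._users.get(username)
        return bool(user) and username in self._verified and user["password"] == password


class NaivePhish:
    """Phishing page that does not talk to the real bank: it must guess the image."""

    def __init__(self):
        self.captured = {}

    def start(self, username):
        self.captured["username"] = username
        return "state"

    def answer_challenge(self, username, answer):
        self.captured["challenge_answer"] = answer
        return "generic.png"  # wrong image: a careful victim stops here

    def login(self, username, password):
        self.captured["password"] = password
        return True


class PhishingRelay:
    """Phishing page that forwards each step to the real site in real time
    and records what the victim types (the attack in the transcript)."""

    def __init__(self, real_site):
        self._real = real_site
        self.captured = {}

    def start(self, username):
        self.captured["username"] = username
        return self._real.start(username)

    def answer_challenge(self, username, answer):
        self.captured["challenge_answer"] = answer
        return self._real.answer_challenge(username, answer)  # real image, relayed

    def login(self, username, password):
        self.captured["password"] = password
        return self._real.login(username, password)


def victim_session(site, username, answer, expected_sitekey, password):
    """A careful user: only enters the password if the SiteKey image matches."""
    question = site.start(username)
    if question is None:
        return False
    if site.answer_challenge(username, answer) != expected_sitekey:
        return False  # the one check SiteKey gives the user
    return site.login(username, password)


def run_demo():
    """Victim visits the relay instead of the bank; returns (login ok, what leaked)."""
    bank = BankSite()
    relay = PhishingRelay(bank)
    ok = victim_session(relay, "leo", "CA", "sailboat.png", "hunter2")
    return ok, relay.captured


if __name__ == "__main__":
    print(run_demo())
```

The naive phish is stopped by the image check; the relay is not, because the bank itself hands the genuine image to whoever answers the extra question, and the relay obtains the answer by asking the victim. The image only proves that somebody is talking to the real bank, not that the victim is.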
  • StanTheMan
    StanTheMan Junior Member
    Hi [b]khad[/b]

    Unfortunately Agile Solutions have no control over what users of their site do with information they glean. Whilst most here simply want to achieve the best possible security for their Log Ons, there will always be folk intent on making a fast buck [or, in my parlance, quid [£]], or with malicious intent. The suggestion regarding my links was, in my view, well intentioned and so acted upon without hesitation.



    Thank you very much for your links to the items highlighting some of the pitfalls and other aspects of on line security. I am too long in the tooth to fully take on board all that the Usable Security document has to offer, perhaps being deterred from getting my teeth into it by its date of publication. I really enjoyed listening to the full Security Now conversation on Multifactor Authentication.

    I am a long term fan of MA, at one stage using it as part of a Log On System to my own computer, more ‘out of interest’ rather than real need.



    From what I have learned it seems that the intended deployment of Card Readers, by my FI, may be a good step up for security and can only hope it is going to be reasonably user friendly. However I have no dreams that it will come close to being as user friendly as 1PassWord.

    I also feel slightly guilty now about complaining so bitterly against the impending changes having learned about the BofA Log On scenario.



    All this fresh intake of info has whetted my appetite for more knowledge about the inner workings of 1PassWord, thanks again for your valuable input.
  • [quote name='StanTheMan' timestamp='1290323349' post='15581']

    Hi [b]khad[/b]

    Unfortunately Agile Solutions have no control over what users of their site do with information they glean. Whilst most here simply want to achieve the best possible security for their Log Ons, there will always be folk intent on making a fast buck [or, in my parlance, quid [£]], or with malicious intent. The suggestion regarding my links was, in my view, well intentioned and so acted upon without hesitation.



    Thank you very much for your links to the items highlighting some of the pitfalls and other aspects of on line security. I am too long in the tooth to fully take on board all that the Usable Security document has to offer, perhaps being deterred from getting my teeth into it by its date of publication. I really enjoyed listening to the full Security Now conversation on Multifactor Authentication.

    I am a long term fan of MA, at one stage using it as part of a Log On System to my own computer, more ‘out of interest’ rather than real need.



    From what I have learned it seems that the intended deployment of Card Readers, by my FI, may be a good step up for security and can only hope it is going to be reasonably user friendly. However I have no dreams that it will come close to being as user friendly as 1PassWord.

    I also feel slightly guilty now about complaining so bitterly against the impending changes having learned about the BofA Log On scenario.



    All this fresh intake of info has whetted my appetite for more knowledge about the inner workings of 1PassWord, thanks again for your valuable input.

    [/quote]



    Hi Stan,



    I just wanted to chime in here, being from the UK myself and as a former bank employee (please don't kill me if I tell you I worked for Halifax Bank of Scotland for a few years) I wanted to share my thoughts about some of these new security measures.



    HBoS went to great lengths to try and strengthen their online security, with much of the data being randomly generated and then multi-factor authentication in the form of a phone call to your designated number. Thankfully all the sign in information was on a single page, so I could use 1Password with the 'Submit' value set to Never.



    When I left HBoS, and before joining the Agile team, I found that my staff benefits on my current account were, of course, no longer valid, and so I switched banks to Barclays, who employ the card reader approach, and I have to say I'm impressed so far. Basically, on the first page I enter my membership number and surname; 1Password handles this without any issues. The next page is for my card details: I enter the last 5 digits of a registered card and then the random 8 digit sequence generated by putting my card in the reader, entering my PIN and pressing 'Identify'. That's it, I'm logged in and 1Password has done 50% of the work for me. I could make that more by letting it fill my card details, but I prefer to select a particular card depending on what I'm doing.



    I really do think a lot of banks could learn a lot by actually using tools like 1Password; then they may see how using multiple strong passwords doesn't have to be a headache, or, as that loveable meerkat, who apparently is rather upset at Compare the Market, would say, 'simplez!'.



    There we go, just my 2 pence, VAT included of course :-)
  • StanTheMan
    StanTheMan Junior Member
    Hi [b]Stu[/b] and thanks for your input.



    Sounds like good news if the system is going to be similar to Barclays; guess I will have to keep my fingers crossed [along with everything else :rolleyes:] until the Card Reader surfaces.



    Great 2p’s worth.