I've noticed more banks and credit card companies doing this sort of additional authentication (pictures, passphrases, etc).
For instance my bank recently had me choose 3 security questions from a list of about 10. Things like the name of the city you were born in, favorite color, father's middle name etc. I have to randomly answer one of these things each time I log in, along with my normal user name and password. The site will allow me to "remember this computer" and skip the question next time, but I notice that if I log in from a different computer, and then go back to the original one, I am required to reenter the additional item (so the system is tracking the last machine that authenticated as well).

-Rob

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cowan
Sent: Monday, November 19, 2007 12:21 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Increased Security

All this is still open to phishing, which is one worry.

[EMAIL PROTECTED]

> Date: Mon, 19 Nov 2007 12:18:22 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Increased Security
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> that bank might be "bank of america".
>
> you enter your username...and click "login"..
>
> then they present you with a picture (that you previously chose from a
> gallery of 20 or so)....if that picture matches the one you originally
> picked and the description of said picture matches the description you
> entered when you picked it...the user is expected to enter their password in
> the provided textbox and click a "login" button again....
>
> i wouldn't call this "challenge/response"...i'd call it.. "does this piece
> of personal info match 'you'".
>
> you could add a similar concept...by maybe using existing user information
> instead of a picture....like the dollar amount of their last
> transaction....the name of their street (no house number, no zipcode...just
> "Commonwealth Ave")...the last login date.
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cowan
> Sent: Monday, November 19, 2007 12:14 PM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] Increased Security
>
> Hi,
> They just do not feel username and password is adequate security.
>
> The guy cited some bank which stored questions as well as the password.
> I do not want to go down that path as it would mean asking every existing
> user to re-register.
>
> [EMAIL PROTECTED]
>
> > Date: Mon, 19 Nov 2007 12:11:35 -0500
> > From: [EMAIL PROTECTED]
> > Subject: Re: [ADVANCED-DOTNET] Increased Security
> > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> >
> > can your clients specifically pinpoint what they don't like about the
> > current security setup you use?
> >
> > Or did they hear some buzzword in your description that
> > kinda/sorta/might/maybe/possibly be mentioned in something else they read
> > about how it might not be secure?
> >
> > -----Original Message-----
> > From: Discussion of advanced .NET topics.
> > [mailto:ADVANCE
>
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
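
The "remember this computer" behaviour Rob describes at the top of the thread, as an added example (not code from the thread or from any bank): a signed device cookie skips the security question only while it names the last machine that authenticated. The `Account` class, its method names, the cookie format and the single-last-device rule are assumptions inferred from his description, and the username/password check is assumed to have already passed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # cookie-signing key, generated per run for this example

def _sign(user, device_id):
    return hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()

def _hash_answer(salt, answer):
    # Normalise case and whitespace so "Boston " matches "boston", then stretch the result.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

class Account:  # hypothetical server-side record, not any bank's real schema
    def __init__(self, user, answers):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.answers = {q: _hash_answer(self.salt, a) for q, a in answers.items()}
        self.last_device = None  # assumption: only the most recent device is trusted

    def needs_question(self, cookie):
        """True unless the cookie is validly signed and names the last device that authenticated."""
        if not cookie or self.last_device is None:
            return True
        device_id, _, sig = cookie.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(self.user, device_id).encode()):
            return True
        return not hmac.compare_digest(device_id.encode(), self.last_device.encode())

    def pick_question(self):
        return secrets.choice(sorted(self.answers))  # one enrolled question, chosen at random

    def complete_login(self, question, answer, remember):
        """Verify the answer, record this machine as the last device, return its cookie or None."""
        expected = self.answers.get(question)
        if expected is None or not hmac.compare_digest(expected, _hash_answer(self.salt, answer)):
            raise PermissionError("security answer rejected")
        device_id = secrets.token_hex(16)
        self.last_device = device_id  # replaces whichever machine was remembered before
        return f"{device_id}.{_sign(self.user, device_id)}" if remember else None

def demo():
    answers = {"city of birth": "Boston", "favorite color": "green", "father's middle name": "Lee"}  # constructed
    acct = Account("rob", answers)
    q = acct.pick_question()
    cookie_a = acct.complete_login(q, answers[q], remember=True)  # computer A, remembered
    before = acct.needs_question(cookie_a)                        # A skips the question
    acct.complete_login(q, answers[q], remember=False)            # login from computer B
    return before, acct.needs_question(cookie_a)                  # A is challenged again
```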