SiteKey
From Wikipedia, the free encyclopedia
SiteKey is a web-based security system that provides one type of mutual authentication between end users and websites. Its primary purpose is to deter phishing.
SiteKey has been deployed by several large financial institutions since 2006, including Bank of America and The Vanguard Group. It is one of the products recommended for use by the Federal Financial Institutions Examination Council.
The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.
How it works
SiteKey uses the following challenge-response technique:
Step 1: User identifies (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one the site proceeds.
Step 2: Site authenticates itself to the user by displaying an image and accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
Step 3: User authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.
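The three-step exchange above, modelled as an added example (a constructed toy, not RSA's or Passmark's product code): the server holds each enrolled user's image, phrase and salted password hash; the client function plays a careful user who abandons the login when the SiteKey shown does not match. All names and sample values are assumptions.

```python
import hashlib
import hmac
import os


class SiteKeyServer:
    """Constructed model of the site side of the SiteKey flow."""

    def __init__(self):
        self.users = {}

    def enroll(self, username, image, phrase, password):
        salt = os.urandom(16)
        self.users[username] = {
            "image": image,
            "phrase": phrase,
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        }

    def step1_identify(self, username):
        # Step 1: the user identifies (not authenticates) with a username only.
        # Note the response differs for valid and invalid usernames.
        return username in self.users

    def step2_sitekey(self, username):
        # Step 2: the site shows the enrolled image and phrase to whoever
        # presents a valid username; no secret has been proven yet.
        u = self.users[username]
        return u["image"], u["phrase"]

    def step3_authenticate(self, username, password):
        # Step 3: the user authenticates with the password.
        u = self.users[username]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 100_000)
        return hmac.compare_digest(cand, u["pw_hash"])


def client_login(server, username, password, expected_image, expected_phrase):
    """Run the flow as a careful user would and return the outcome."""
    if not server.step1_identify(username):
        return "unknown-username"
    image, phrase = server.step2_sitekey(username)
    if (image, phrase) != (expected_image, expected_phrase):
        return "abandon-suspected-phishing"  # the user is told to leave here
    if server.step3_authenticate(username, password):
        return "logged-in"
    return "bad-password"  # the whole process starts again
```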
Weaknesses
Under ideal circumstances, SiteKey stands to prevent users from disclosing their login credentials, which can lead to exposure of personally identifying information, financial loss and identity theft. However, it offers no immunity against some of the most common phishing scenarios, among them[1]:
- Users are prone to provide their login credentials in the complete absence of a SiteKey dialogue
- It is susceptible to man-in-the-middle attacks
- It allows bulk harvesting of usernames by phishing sites
- It raises questions of usability
It also raises questions of scalability on the user's side. Someone with accounts at N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).