SiteKey
SiteKey is a web-based security system that provides one type of mutual authentication between end users and websites. Its primary purpose is to deter phishing. SiteKey was deployed by several large financial institutions in 2006, including Bank of America and The Vanguard Group. Both Bank of America and The Vanguard Group discontinued use in 2015. The product is owned by RSA Data Security, which in 2006 acquired its original maker, Passmark Security.


How it works

SiteKey uses the following challenge-response technique:

1. The user ''identifies'' (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one, the site proceeds.
2. If the user's browser does not contain a client-side state token (such as a web cookie or a Flash cookie) from a previous visit, the user is prompted for answers to one or more of the "security questions" the user specified at sign-up time, such as "Which school did you last attend?"
3. The site authenticates itself to the user by displaying an image and/or accompanying phrase that he configured earlier. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
4. The user authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.

If the user is at a phishing site with a different domain than the legitimate domain, the user's browser will refuse to send the state token in step 2; the phishing site owner will either need to skip displaying the correct security image, or prompt the user for the security question(s) obtained from the legitimate domain and pass on the answers. In theory, this could make the user suspicious, since the user might be surprised to be re-prompted for security questions even though they have used the legitimate domain from their browser recently. In practice, however, there is evidence that users generally fail to notice such anomalies.
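The four steps above, as an added Python simulation that is not part of the article or of the SiteKey product; the domain names, account data, cookie name and token format are constructed for the example. The cookie jar models the browser rule the preceding paragraph relies on: the state token is returned only to the domain that set it, so a page on any other domain never receives it and the server falls back to prompting for the security questions, which is the anomaly the design expects the user to notice.

```python
# Added example: simulation of the SiteKey challenge-response login flow.
# Not the product's own code; all names and values below are constructed.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Passwords are stored salted and stretched, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    image: str                 # a name stands in for the user's chosen picture
    phrase: str
    questions: Dict[str, str]  # security question -> expected answer

    @classmethod
    def create(cls, password: str, image: str, phrase: str, questions: Dict[str, str]):
        salt = secrets.token_bytes(16)
        return cls(salt, _hash_pw(password, salt), image, phrase, questions)


class CookieJar:
    """Browser-side store: a cookie is sent back only to the domain that set it."""

    def __init__(self) -> None:
        self._jar: Dict[Tuple[str, str], str] = {}

    def set(self, domain: str, name: str, value: str) -> None:
        self._jar[(domain, name)] = value

    def get(self, domain: str, name: str) -> Optional[str]:
        return self._jar.get((domain, name))


@dataclass
class SiteKeyServer:
    domain: str
    accounts: Dict[str, Account]
    tokens: Dict[str, str] = field(default_factory=dict)  # state token -> username

    def identify(self, username: str) -> bool:  # step 1: identification only
        return username in self.accounts

    def questions_for(self, username: str, token: Optional[str]) -> Optional[List[str]]:
        """Step 2: None if the browser presented a token issued to this user."""
        if token is not None and self.tokens.get(token) == username:
            return None
        return list(self.accounts[username].questions)

    def check_answers(self, username: str, answers: Dict[str, str]) -> Optional[str]:
        """Verify the security answers; issue a fresh state token on success."""
        acct = self.accounts[username]
        ok = all(
            secrets.compare_digest(answers.get(q, "").strip().lower().encode(), a.lower().encode())
            for q, a in acct.questions.items()
        )
        if not ok:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token

    def sitekey_for(self, username: str) -> Tuple[str, str]:  # step 3: site proves itself
        acct = self.accounts[username]
        return acct.image, acct.phrase

    def check_password(self, username: str, password: str) -> bool:  # step 4
        acct = self.accounts[username]
        return secrets.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash)


def login(server: SiteKeyServer, jar: CookieJar, username: str, answers: Dict[str, str],
          expected_sitekey: Tuple[str, str], password: str) -> Dict[str, bool]:
    """Drive one login attempt from the user's side and record what happened."""
    result = {"questions_asked": False, "sitekey_recognized": False, "logged_in": False}
    if not server.identify(username):
        return result
    token = jar.get(server.domain, "sitekey_token")  # only present for server.domain
    qs = server.questions_for(username, token)
    if qs is not None:
        result["questions_asked"] = True
        token = server.check_answers(username, answers)
        if token is None:
            return result
        jar.set(server.domain, "sitekey_token", token)
    # Step 3: the user compares what the site shows with what they configured.
    if server.sitekey_for(username) != expected_sitekey:
        return result  # unrecognized image/phrase: treat the site as phishing and stop
    result["sitekey_recognized"] = True
    result["logged_in"] = server.check_password(username, password)
    return result


if __name__ == "__main__":
    bank = SiteKeyServer("bank.example", {"alice": Account.create(
        "correct horse", "sailboat", "calm seas",
        {"Which school did you last attend?": "Springfield High"})})
    jar = CookieJar()
    answers = {"Which school did you last attend?": "springfield high"}
    print(login(bank, jar, "alice", answers, ("sailboat", "calm seas"), "correct horse"))
    print(login(bank, jar, "alice", {}, ("sailboat", "calm seas"), "correct horse"))
    print("token visible to another domain:", jar.get("other.example", "sitekey_token"))
```

The second login in the demo asks no questions because the jar returns the token for bank.example; the lookup for any other domain returns None, which is the property that forces a site on a different domain back to the question prompt.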


Weaknesses

A Harvard study found SiteKey 97% ineffective. In practice, real people don't notice, or don't care, when the SiteKey is missing, according to their results. It also requires users to keep track of more authentication information. Someone associated with ''N'' different websites that use SiteKey must remember ''N'' different 4-tuples of information: ''(site, username, phrase, password)''.


Discontinuation

In May 2015, Bank of America announced that SiteKey would be discontinued for all users by the end of the year, and would allow users to log in with their username and password in one step. In July 2015, Vanguard also discontinued the use of SiteKey for its website. (Vanguard, "We've streamlined the process for logging on to Vanguard.com", https://personal.vanguard.com/us/insights/article/Single-Signon-072015, archived 2016-03-04 at https://web.archive.org/web/20160304054144/https://personal.vanguard.com/us/insights/article/Single-Signon-072015)

