Understanding How Internet Banking Tokens Work (2)
Two-Factor Authentication
For essential and sensitive applications such as money transactions, one authentication method is not enough. Hence the term 2FA (Two-Factor Authentication): an authentication system that uses two factors (methods) of different kinds. The four authentication factors I described previously can be combined to improve security; one example is combining "something you have", in the form of an ATM card, with "something you know", in the form of a PIN. This combination is probably the most widely used one.
Another example: when you shop at a modern supermarket and pay by card, you have unwittingly used more than one authentication factor. The first factor is "something you have", your debit or credit card. The second factor is "something you know", when you are prompted to enter your PIN into the EDC (electronic data capture) terminal. There may even be a third factor, "something you can" (do), when you are asked to sign the payment slip printed by the EDC terminal.
Internet banking also uses two-factor authentication, combining "something you know" in the form of a password with "something you have" in the form of a hardware token (the KeyBCA or Mandiri token).
Passwords Issued by the Internet Banking Token
In general there are two modes of use of an internet banking token:
1. Challenge/Response (C/R) mode
This is the mode most often used for transactions. In this mode the server provides a challenge in the form of a row of digits. This number must be entered into the token device to obtain an answer (the response). The user then enters the number that appears on the token into the form on the internet banking website. The token issues a different response for the same challenge code over time, depending on when the challenge is entered into the token.
2. Self-Generated mode (Response Only)
In this mode the server does not give any challenge. The token user directly obtains a series of digits without having to enter a challenge. As in C/R mode, the code the token issues also varies periodically, depending on when the token was asked to produce the self-generated code.
Actually, the answer given by the token, whether in C/R or Self-Generated (response only) mode, is nothing more than a password. However, unlike the password you use to log in, the token-generated password has limitations, for safety reasons, namely:
1. It can only be used once
This is called an OTP (One-Time Password). Once a password has been used, the same password can no longer be used a second time. In this way there is no point in intercepting a token-generated password, because the password cannot be used again. However, if the password is intercepted so that it never reaches the server, then the password is still valuable, because in the eyes of the server that password has never been used.
2. It can only be used within a limited time frame
The token-generated password has a very limited lifetime, probably between 3 and 6 minutes. After it expires the password can no longer be used, even if it has never been used. Later I will explain why the token password needs an age; time is a very essential element in this system.
3. It can only be used in a narrow context
Whereas the password/PIN used to log in is context-free, in the sense that armed with that password you can do many things, from viewing balances to checking transactions and so on, the token-generated password can only be used in a narrow context. For example, a password used to top up prepaid phone credit (pulsa) for the number 08123456789 cannot be used to transfer funds.
This narrowness of context comes from the fact that, to complete a transaction, the required password must be bound by the challenge from the server, so that password cannot be used for other transactions that require a different challenge code. For example, suppose the server's challenge is the last three digits of the phone number (for a top-up transaction) or the last three digits of the destination account number (for a transfer transaction). Then the token-generated password for a top-up to the number 0812555111222 will also be valid for a fund transfer to the account 155887723120222. This is possible because both transactions require a password bound by the same challenge code, namely 222 (taken from the last three digits).
This context binding applies only when the password is generated in C/R mode. A password made in Self-Generated mode can be used in any transaction that does not require a password with a challenge code.
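The following is an added example, not code from the original article or from any bank's token: a toy token and bank server in Python that reproduce the properties described above (C/R and self-generated modes, time-limited codes, one-time use, and binding to the challenge), and then replay the article's scenario in which a code intercepted for a top-up to a number ending in 222 is accepted for a transfer to an account ending in 222. The code algorithm (HMAC over a time slice plus the challenge), the 60-second time slice, the 3-slice acceptance window, the seed and the fixed clock are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the article): a 60-second time slice, and the server
# accepts the current slice plus the two before it, roughly the 3-minute
# lower end of the lifetime the article mentions.
STEP_SECONDS = 60
ACCEPTED_SLICES = 3


def token_code(seed: bytes, challenge: str, time_slice: int) -> str:
    """Toy token algorithm: HMAC-SHA256 over (time slice, challenge), truncated to 6 digits.

    C/R mode passes the challenge the server displayed; self-generated
    (response only) mode passes an empty challenge. Real tokens use
    vendor-specific algorithms; this one only reproduces the properties the
    article describes (time-varying and challenge-bound).
    """
    msg = struct.pack(">Q", time_slice) + challenge.encode("ascii")
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation, HOTP-style
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class HardwareToken:
    """The customer's token: holds the seed and a clock, has no network."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def response(self, challenge: str, now: int) -> str:
        return token_code(self.seed, challenge, now // STEP_SECONDS)

    def self_generated(self, now: int) -> str:
        return token_code(self.seed, "", now // STEP_SECONDS)


class BankServer:
    """Holds the same seed, derives the challenge from the transaction, and
    remembers which codes have already been spent (one-time use)."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used = set()

    @staticmethod
    def challenge_for(tx: dict) -> str:
        # The article's example rule: the last three digits of the destination.
        return tx["destination"][-3:]

    def verify(self, tx: dict, code: str, now: int) -> str:
        challenge = self.challenge_for(tx) if tx["needs_challenge"] else ""
        current = now // STEP_SECONDS
        for s in range(current, current - ACCEPTED_SLICES, -1):   # lifetime check
            if hmac.compare_digest(token_code(self.seed, challenge, s), code):
                if (s, code) in self.used:                        # one-time use
                    return "REJECT: already used"
                self.used.add((s, code))
                return "ACCEPT"
        return "REJECT: wrong or expired"


def demonstrate() -> dict:
    seed = b"constructed-demo-seed-not-a-real-token"   # constructed
    t0 = 1_700_000_000                                 # constructed fixed clock
    token, bank = HardwareToken(seed), BankServer(seed)

    topup = {"kind": "topup", "destination": "0812555111222", "needs_challenge": True}
    transfer = {"kind": "transfer", "destination": "155887723120222", "needs_challenge": True}
    other = {"kind": "transfer", "destination": "155887723120119", "needs_challenge": True}
    balance = {"kind": "balance", "destination": "", "needs_challenge": False}
    r = {}

    # 1. The customer generates a C/R code for the top-up (challenge 222). An
    #    attacker intercepts it before it reaches the bank and spends it on a
    #    transfer whose challenge is also 222: the server cannot tell the difference.
    code = token.response(bank.challenge_for(topup), t0)
    r["intercepted_code_used_for_transfer_222"] = bank.verify(transfer, code, t0 + 5)
    # 2. The customer's own top-up with that same code now fails: one-time use.
    r["customer_topup_replays_code"] = bank.verify(topup, code, t0 + 10)
    # 3. A code for challenge 222 is not valid for a destination ending in 119.
    code = token.response("222", t0 + STEP_SECONDS)
    r["code_222_used_for_119"] = bank.verify(other, code, t0 + STEP_SECONDS)
    # 4. A never-used code older than the accepted window is rejected.
    old = token.response("119", t0)
    r["expired_code"] = bank.verify(other, old, t0 + ACCEPTED_SLICES * STEP_SECONDS)
    # 5. A self-generated code serves a context-free action (login, balance view)
    #    but not a transaction that requires a challenge.
    sg = token.self_generated(t0 + 2 * STEP_SECONDS)
    r["self_generated_for_challenge_tx"] = bank.verify(other, sg, t0 + 2 * STEP_SECONDS)
    r["self_generated_for_balance"] = bank.verify(balance, sg, t0 + 2 * STEP_SECONDS)
    # 6. The same challenge yields a different code in a different time slice.
    r["code_changes_with_time"] = token.response("222", t0) != token.response("222", t0 + STEP_SECONDS)
    return r


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

Step 1 is the weakness the article is pointing at: the challenge is derived from the transaction, but a three-digit challenge does not identify the transaction, so any transaction whose destination shares those digits is "the same context" as far as the token is concerned. The one-time-use check in step 2 only helps once the code has reached the server, which is exactly the situation the article describes as still valuable for an interceptor.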
So it can be concluded that the password issued by the token:
1. is always changing periodically
2. has a short lifetime
3. can only be used once
4. comes in two varieties, namely:
• a context-bound password, tied to the challenge code, in Challenge/Response mode;
• a context-free password, in Self-Generated mode.