Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created May 20 2010 - 07:22

Alternatives

Choosing between One-Time-Passwords & Digi-Access™
You have an existing, well structured and 'secured' online application. This could be an extranet, portal, online banking, insurance service, medical application or any other online system. Currently, access is controlled and 'protected' by usernames and passwords.


Online Banking Example [1]



For many reasons, this security is no longer sufficient and there are only two credible options available:


  • One-Time-Password [OTP] Tokens

  • Digi-Access™ Certificates

In Favour of OTP

  • Widely used & popular

  • End user needs no training

Against using OTP

  • Unless you use Cell-OTP™ [2], you...

    • Will require expensive infrastructure changes

    • Need to physically issue tokens

    • Cannot stop 'man-in-the-middle [3]' attacks


In Favour of Digi-Access™

  • Requires no infrastructure changes

  • Simple issuing [4] to end users

  • End user needs no training

  • Protects against 'man-in-the-middle'

  • Implement in three simple steps [5]

  • Can be offered as a security add-on

  • Considerably less expensive

Against using Digi-Access™

  • Not as widely adopted as OTP

  • Concerns about CryptoAPI security [6]


You decide which makes more sense

  • Take the Digi-Access™ Online Demonstration [7]

  • Read the three simple steps [5] to implementing Digi-Access™

  • Then there are the considerable cost savings [8] to take account of



And then let your users decide

Perhaps you have no plans to increase the access security of your online application. Budgetary restrictions may be another issue. So why not let your users decide whether they want this security 'add-on'?

We have a simple programme for this too:

  • Implement a two-tiered [5] approach

  • And if your users want it, they pay for it (not you)

  • And we'll implement Digi-Access™ for you free-of-charge, on a shared revenue basis

Avail of this ARP Special Offer >> [9]

Man-in-the-Middle Security Issue

How the Man-in-the-Middle attack occurs

The Man-in-the-Middle [MITM] attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy and is able to read, insert and modify the data in the intercepted communication.

This attack can occur, even when One-Time-Password [OTP] tokens are in use. The MITM system simply takes the password as it is issued and uses it to gain access to the online system.

How Digi-Access™ protects against the Man-in-the-Middle attack

Using Digi-Access™, the Man-in-the-Middle attack is not possible because it uses completely different 'key-pair' technology. The server must receive the public key from the Digi-Access™ certificate, and the MITM server cannot be configured to request it, because it is not part of the 'trust-link' that is an integral part of the Digi-Access™ 'key-pair' technology. Therefore the MITM attack fails when the user has a Digi-Access™ certificate.
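A model of the argument above, added here as an illustration (it is not Digi-Sign's code and uses no real Digi-Access™ certificate): a one-time password is a bare value, so a code relayed through a proxy is accepted unchanged, whereas certificate-based client authentication signs the handshake transcript of the connection the client actually made, so a signature produced through a proxy does not verify at the real server. The key pair is a constructed, tiny textbook RSA key and the transcript is simplified to the server identity plus a server nonce.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair (two small primes, textbook RSA); illustration only.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the client

REAL_SERVER = b"bank-server-certificate"   # identity the bank presents in its handshake
PROXY_SERVER = b"proxy-server-certificate"  # identity a relaying proxy presents instead


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Client signs with its private key (the half that never leaves the client)."""
    return pow(_digest(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Server verifies with the public key it takes from the client certificate."""
    return pow(sig, E, N) == _digest(data)


def transcript(server_identity: bytes, server_nonce: bytes) -> bytes:
    """Simplified handshake transcript: who the client is really talking to, plus the nonce."""
    return server_identity + server_nonce


def certificate_login(server_seen_by_client: bytes, nonce: bytes = b"") -> bool:
    """The client signs its own handshake; the bank checks it against the bank's handshake."""
    nonce = nonce or secrets.token_bytes(16)
    sig = sign(transcript(server_seen_by_client, nonce))
    return verify(transcript(REAL_SERVER, nonce), sig)


def otp_login(code_on_token: str, code_forwarded: str) -> bool:
    """An OTP is a bare value: the server cannot tell who typed it or where it came from."""
    return hmac.compare_digest(code_on_token, code_forwarded)


if __name__ == "__main__":
    print("direct certificate login :", certificate_login(REAL_SERVER))   # True
    print("relayed certificate login:", certificate_login(PROXY_SERVER))  # False
    code = "482913"  # constructed one-time code shown on the token
    print("relayed OTP login        :", otp_login(code, code))            # True
```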

Concerns about the MS CryptoAPI

Some system administrators will refer to the security bug within Microsoft© CryptoAPI [10]. This security bug means that, for users of Internet Explorer© browsers, it is possible for hackers to break into the Microsoft© certificate store and misappropriate the Digi-Access™ certificate (this does not apply to Mozilla browser users).

However, this security concern is irrelevant if the user has a properly configured PC with regular Microsoft© updates enabled. As most responsible users do have Microsoft© updates enabled (and you can provide help pages to highlight the issue), this risk to end users is comparable to that of protecting their computers from viruses.


Source URL: http://www2.digi-sign.com/digi-access/approach

Links:
[1] http://www2.digi-sign.com/demos/instructions/online+banking
[2] http://www2.digi-sign.com/cell-otp
[3] http://www2.digi-sign.com/support/digi-access/user/mitm
[4] http://www2.digi-sign.com/digi-access/distribute
[5] http://www2.digi-sign.com/digi-access/website
[6] http://www2.digi-sign.com/support/digi-access/user/mitm#cryptoapi
[7] http://www2.digi-sign.com/demos/digi-access#bank
[8] http://www2.digi-sign.com/quote/digi-access
[9] http://www2.digi-sign.com/arp
[10] http://www.microsoft.com/technet/security/bulletin/ms02-050.mspx