Wikipedia

SiteKey

SiteKey is a web-based security system that provides one type of mutual authentication between end-users and websites. Its primary purpose is to deter phishing.

SiteKey was deployed by several large financial institutions in 2006, including Bank of America and The Vanguard Group. Both Bank of America and The Vanguard Group discontinued use in 2015.[1][2]

The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.

How it works

SiteKey uses the following challenge–response technique:[3][4][5]

  1. The user identifies (not authenticates) themself to the site by entering their username (but not their password). If the username is a valid one, the site proceeds.
  2. If the user's browser does not contain a client-side state token (such as a Web cookie or a Flash cookie) from a previous visit, the user is prompted for answers to one or more of the "security questions" the user specified at site sign-up time, such as "Which school did you last attend?"
  3. The site authenticates itself to the user by displaying an image and/or accompanying phrase that they have earlier configured. If the user does not recognize these as their own, they are to assume the site is a phishing site and immediately abandon it. If the user does recognize them, they may consider the site authentic and proceed.
  4. The user authenticates themself to the site by entering their password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.

If the user is at a phishing site whose Web domain differs from the legitimate domain, the user's browser will refuse to send the state token in step (2); the phishing site owner must then either skip displaying the correct security image, or prompt the user for the security question(s) obtained from the legitimate domain and pass on the answers. In theory, this could make the user suspicious, since the user might be surprised to be re-prompted for security questions even though they have used the legitimate domain from their browser recently. In practice, however, there is evidence that users generally fail to notice such anomalies.[5]
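The four-step flow above, modelled as an added example (constructed here, not SiteKey's or any bank's code): the server only skips the security questions when the browser presents a previously issued state token, and the browser's cookie jar is keyed by origin, so the token stored for the bank's domain is simply absent when the same user is sent to any other domain. Account names, passwords, image phrase and origins are constructed sample values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    image: str                                 # image/phrase chosen at enrollment (step 3)
    questions: dict                            # security question -> expected answer (step 2)
    tokens: set = field(default_factory=set)   # state tokens issued to this user's browsers

class SiteKeyServer:  # hypothetical model of a SiteKey-style server, not vendor code
    def __init__(self, accounts):
        self.accounts = accounts
    def identify(self, username):                 # step 1: username only, no password yet
        return username in self.accounts
    def needs_questions(self, username, token):   # step 2: a recognised token skips questions
        return not any(hmac.compare_digest(token or "", t)
                       for t in self.accounts[username].tokens)
    def check_answers(self, username, answers):
        return all(hmac.compare_digest(answers.get(q, ""), a)
                   for q, a in self.accounts[username].questions.items())
    def image(self, username):                    # step 3: the site proves itself to the user
        return self.accounts[username].image
    def authenticate(self, username, password):   # step 4: the user proves themself to the site
        acct = self.accounts[username]
        if not hmac.compare_digest(password, acct.password):
            return None
        token = secrets.token_hex(16)             # fresh state token for this browser
        acct.tokens.add(token)
        return token

def login(server, cookies, origin, username, answers, password, expected_image):
    """Run steps 1-4 from the user's side. `cookies` is the browser jar keyed by origin."""
    if not server.identify(username):
        return ("unknown user", False)
    asked = server.needs_questions(username, cookies.get(origin))  # no token for other origins
    if asked and not server.check_answers(username, answers):
        return ("wrong answers", asked)
    if server.image(username) != expected_image:  # the user's own recognition check in step 3
        return ("abandon: image not recognised", asked)
    token = server.authenticate(username, password)
    if token is None:
        return ("bad password", asked)
    cookies[origin] = token                       # stored only under the origin that set it
    return ("logged in", asked)

# Constructed sample account for demonstration.
DEMO = SiteKeyServer({"alice": Account("correct horse", "blue sailboat",
                                       {"Which school did you last attend?": "Springfield"})})
```

The second tuple element records whether the questions were re-asked; the same user at a different origin is always re-asked, which is the anomaly the text says users rarely notice.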

Weaknesses

A Harvard study[6][7] found SiteKey 97% ineffective: according to its results, real users in practice do not notice, or do not care, when the SiteKey image is missing.

It also requires users to keep track of more authentication information. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).

Discontinuation

In May 2015, Bank of America announced that SiteKey would be discontinued for all users by the end of the year, and would allow users to log in with their username and password in one step.[1] In July 2015, Vanguard also discontinued the use of SiteKey for its website.[2]

Notes

  1. "More security tools and simpler sign-in at Bank of America". Archived from the original on 2015-05-10. Retrieved 2015-05-10.
  2. "We've streamlined the process for logging on to Vanguard.com". Archived from the original on 2016-03-04.
  3. "Bank of America Online and Mobile Banking FAQs".
  4. Jim Youll (18 July 2006). "Fraud Vulnerabilities in SiteKey Security at Bank of America" (PDF). Archived from the original (PDF) on 2016-12-31.
  5. Stuart E. Schechter; Rachna Dhamija; Andy Ozment; Ian Fischer (4 February 2007). "The Emperor's New Security Indicators" (PDF).
  6. Joel Hruska (20 June 2007). "Security study pokes holes in advanced authentication claims". Ars Technica.
  7. Schecter; Dhamija; Ozment; Fischer (2007-05-20). "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of roleplaying on usability studies" (PDF). Archived from the original (PDF) on 2007-09-27. Retrieved 2020-04-23.

External links

  • Authentication in an Online Banking Environment
  • SiteKey at Bank of America
  • Fraud Vulnerabilities in SiteKey Security at Bank of America
