2008/07/02

New Howtoforge article - Postgresql

Just a quick note to check out our howto on HTF: How To Secure Postgresql Using Two-Factor Authentication From WiKID. Since databases are the repository for critical information such as credit card numbers, we thought this would be a useful addition given PCI requirements, etc.

Debunking "Two-Factor Authentication Debunked by TSB Phish"

I'm always explaining what my company does to laymen and to some technical people who look confused when I say that WiKID does two-factor authentication. However, I am surprised that a security researcher and Trend Micro would not know what two-factor authentication is. In Two-Factor Authentication Debunked by TSB Phish, Fatima Bancod states:

At first I wondered if the "Open24 number" was a pre-printed list of one-time use numbers. But apparently not. So, this is equivalent to saying "write down your username and password on a sheet of paper and this will be your 'something you have' factor". This is not two-factor authentication. Not even close. Of course, there are attacks against one-time password systems, as mentioned on this blog, and there easily could be real-time phish attacks against time-based one-time password systems - and strong mutual authentication will protect against them. This attack just isn't one of them.
