Skip to main content

strong-authentication-for-the-masses

WiKID got a nice review over at the Coffee Corner. I hope they do test the WiKID server on your home network. That is exactly the scenario we envisioned when we released the open source version. No reason why home users shouldn't be able to have strong authentication. I do want tot try to clarify some of the issues, if I understand them correctly:

1. "It would be possible to capture and spoof the encrypted PIN transmission to the WiKID server." The PIN is sent to the WiKID server encrypted by the server's public key and a one-time use AES key. Capturing and spoofing the PIN in hopes of getting the OTP doesn't do you any good unless you also steal the one-time AES key and the user's private key.

2. "In a traditional scenario, not only is my PIN secret but my token is unique - somebody has to have my token in order to impersonate me. With WiKID, I can authenticate using anybody’s device client that has my server’s key." Not so. Each user has a unique public/private key pair with their WiKID token. The security of the system is not solely dependent on keeping the PIN safe.

I look forward to hearing about the install. I think we've done a pretty good job there keeping things simple, but it always helps to get feedback.

Currently unrated

Recent Posts

Archive

2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom