SiteKey
SiteKey is a web-based security system that provides one type of mutual authentication between end-users and websites. Its primary purpose is to deter phishing.
SiteKey has been deployed by several large financial institutions since 2006, including Bank of America and The Vanguard Group.
The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.
How it works
SiteKey uses the following challenge-response technique:
- User identifies (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one the site proceeds.
- Site authenticates itself to the user by displaying an image and accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
- User authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.
Weaknesses
SiteKey is designed to prevent users from disclosing their login credentials to a phishing site. The rationale is that a phishing site wouldn't have the SiteKey info for a user. The obvious flaw in the design is that a phishing site can get the correct SiteKey info from the genuine site, then serve it to the user, "proving" its legitimacy[1]. SiteKey is thus susceptible to a man-in-the-middle attack.
It also requires users to keep track of more authentication information. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).
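The following is an added example, not code from SiteKey, RSA or Passmark: a toy, in-memory model of the three steps listed under "How it works" that also makes the root cause of the weakness above explicit. The account data, the image identifier and the phrase are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Account:
    password: str
    image: str    # identifier of the picture the user chose at enrolment
    phrase: str   # the phrase the user chose at enrolment


class SiteKeySite:
    """Toy, in-memory model of the three SiteKey steps (constructed example)."""

    def __init__(self, accounts):
        self.accounts = accounts

    def step1_identify(self, username):
        # Step 1: the site only checks that the username exists; no password yet.
        return username in self.accounts

    def step2_site_proof(self, username):
        # Step 2: the site "authenticates itself" by returning the user's image
        # and phrase. Note the only input: the username.
        acct = self.accounts[username]
        return (acct.image, acct.phrase)

    def step3_authenticate(self, username, password):
        # Step 3: the user authenticates with the password.
        acct = self.accounts.get(username)
        return acct is not None and acct.password == password


def user_login(site, username, expected_proof, password):
    """User's side of the flow. Returns (site_recognized, logged_in)."""
    if not site.step1_identify(username):
        return (False, False)
    if site.step2_site_proof(username) != expected_proof:
        return (False, False)      # the user is supposed to abandon the site here
    return (True, site.step3_authenticate(username, password))


def proof_depends_only_on_username(site, username):
    """Root cause of the weakness: the proof is a function of the username
    alone, so any party that can submit that username to the genuine site
    obtains the same image and phrase. Nothing in the proof is bound to the
    connection the user is actually on, which is why it cannot rule out a
    site relaying between the user and the genuine site."""
    first = site.step2_site_proof(username)
    second = site.step2_site_proof(username)   # a second, unrelated caller
    return first == second


# Constructed sample data, not real SiteKey records.
SAMPLE_SITE = SiteKeySite({
    "alice": Account(password="correct horse", image="img-0042", phrase="blue teapot"),
})
```

A mismatched image or phrase makes `user_login` stop before the password is ever entered, which is the protection SiteKey is meant to give; the last function shows why that protection only holds if nobody else can run step 2 with the same username.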