The token includes the hardware to do the verification. The operating system can not do the verification process with the webserver by itself, because the token doesn't allow to read the private key of the certificates stored on it directly. When you have a standard USB security token installed, the operating system will also look for any certificates on the token. It uses your operating systems certificate store to find an installed certificate which matches the identity the webserver requests. Your web browser uses HTTPS with client-based certificates to access your bank's website. They are very common for implementing multi-factor-authentication to high-security systems in enterprise IT. These are standardized hardware devices which almost every operating system supports plug&play out of the box. What your bank gave you is an USB security token with a digital certificate ( like these). PS: the measure obviously does not apply to their mobile apps, since smartphones don’t have USB ports, but that’s not a big deal because you cannot do much with their phone app (it's mainly a consultation app, not something you can actually make big payments/transfers with).Įdit: no open file dialog is used, which would make the explanation quite clear. I am not a big fan of plugging unknown devices into my computer to begin with, and my warning light flashed when this was explained to me, so I went for another identification method (you can choose).
And not only see this stick, but read it and use its content deeply enough to log you to the most sensitive level of your online banking app. I find it rather creepy that a website accessed from a sandboxed web browser, with no plug-in/module/app/toolbar installed whatsoever, can see the USB stick you just plugged in. How can this possibly work? Of course, I believe the USB stick to contain certificates/encryption keys of some kind, that are used in the login process, but they don’t require the user to install any software on the machine. The stick alone is not enough, you also have to type your password - basically, 2-factor-authentification with a USB device being the second factor. From this point, you’ll be required to plug the stick into your computer every time you want to log in. Basically, you have to go to the bank in person and the guy gives you a tiny, cheap USB stick with a very low capacity. Most importantly, they introduced a rather unusual (I’ve never seen this before) identification method, which they call the ‘electronic certificate’. Especially, security seems to have been dramatically enhanced. My bank recently revamped its website, and it changed for the better as far as I’m concerned.
0 kommentar(er)
