Preventing Web Login with Exposed Credentials
We have a situation here. The client I work for is currently positioned as a finance brokerage firm, and their current positioning is:
- The firm has different branches in different locations
- The firm has a giant customer base
- The firm takes security seriously
Now, their requirements specify these:
- Passwords, if shared by customers, should trigger an OTP to the real account
- With the generation of an OTP, the account owner is informed
The question is what can be done to prevent different people using the same shared password, or, put simply, what are the different ways in which the firm can restrict the use of a shared password to the intended users, apart from using an OTP?
Note: Earlier they had a trading password which, alongside the main password, could be shared with a third party, so that's not a reliable option.
Answer
The problem with a password is that it can be shared, and there is no good way of realizing whether it was shared. You do not easily know whether person A or person B used the password. As @Rory mentioned, there are ways to try to cope with that, such as implementing sophisticated logic to verify whether the password is being used by the same human. You can track the client's IP, and if a user tries to log in from South Africa one hour after being logged in from Australia, your logic might deem this suspicious.
You should use something that can not be shared easily.
It is easier to identify the person with a second factor. You can use an OTP token that generates a One Time Password which the user needs to enter, or you could send an OTP to the mobile phone of the user. Both scenarios are supported by privacyIDEA, which is an open source solution you might take a look at.
But still the problem with OTP is, that person A could also share the current OTP with person B even via phone or email. Person B: “Hey, person A, I know your static password, but what is your current OTP?”
If you want to be really safe, you might want to use client certificates, preferably on a smartcard. Then the user needs to present his smartcard to log in. Person A will not be able to "share" his smartcard via phone 😉
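The geo-velocity check the answer sketches (logged in from Australia, then a login attempt from South Africa one hour later), written out as an added example that is not part of the original answer. The `Login` record, the coordinates, the 1000 km/h plausibility threshold and the sample logins are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed login record shape: one row per successful or attempted login,
# with the geolocation resolved from the client IP (constructed for the example).
@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune per deployment

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed one person would have needed to travel between the two logins."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")  # same instant or out-of-order records: treat as impossible
    return haversine_km(prev, cur) / hours

def is_impossible_travel(prev: Login, cur: Login, max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True when the two logins cannot both come from one physically present person.
    A hit is the trigger for stepping up to the OTP and informing the account owner,
    rather than a reason to silently reject the login."""
    return implied_speed_kmh(prev, cur) > max_kmh

# Constructed samples: Sydney, then Johannesburg one hour later (the answer's scenario),
# and Melbourne three hours after Sydney as a plausible, non-suspicious pair.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
SYDNEY = Login("alice", T0, -33.87, 151.21)
JOHANNESBURG = Login("alice", T0 + timedelta(hours=1), -26.20, 28.05)
MELBOURNE = Login("alice", T0 + timedelta(hours=3), -37.81, 144.96)

if __name__ == "__main__":
    print(round(haversine_km(SYDNEY, JOHANNESBURG)), "km ->", is_impossible_travel(SYDNEY, JOHANNESBURG))
    print(round(haversine_km(SYDNEY, MELBOURNE)), "km ->", is_impossible_travel(SYDNEY, MELBOURNE))
```

The check only catches a shared password when the two users are far apart; two people in the same city sharing a password stay invisible to it, which is why the answer moves on to second factors and smartcards.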