WiKID – Two Factor Authentication
WiKID is another project I’ve been checking out recently.
WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the client’s and the user’s PIN. When the user wants to login to a service, they start the client and enter their PIN, which is encrypted and sent to the server. If the PIN is correct, the account active and the encryption valid, the user is sent a one-time passcode to use instead of a static password. You can think of WiKID as ‘certificates on steroids’. It is more secure than certificates because the required PIN is only stored on the server, so it is not susceptible to offline passive attacks.
From reading a couple articles about how WikiD works, it seems it is a form of two factor auth, where the something you have is a software client with a trusted key.
How I read it, is kinda like having a GPG key, encrypting and signing you PIN with that. Sending that to the server which has both your key and pin. It checks and then encrypts and sends back a OTP token with the same key. So the token is useless without the PIN and vicevesa. However I’m not sure how save the system is to a man in the middle attack, where the attacker has stolen a copy of the key. Would this allow a) the attacker to encrypt the key on the way to the server to be authed, or b) steal the OTP token on the way back to the user and thus create an auth race condition.
Also given there are now some python bindings, I’m wondering if there might also be some ruby bindings around the corner. It could be a useful system to build into easy use for rails.
Pete Said,
December 29, 2005 @ 12:13 am
This sounds very similar to a product from a company called Arcot that I used to work for. The clever part of the Arcot product was that every PIN that you entered resulted in a plausible key pair. It worked pretty well, but alas I had to part company with them when they downscaled their UK operation.