Pinpad

From Swivel Knowledgebase Wiki





Introduction

PINpad is an alternative way of implementing browser/image-based authentication.

It is different from other forms such as TURing, in that the user has to click a scrambled keypad in order to authenticate.

In this model, the user has to click on the images that represent their PIN, rather than perform a one-time code extraction.

Because the user clicks their PIN rather than typing it, the PIN is not exposed to key-logging, and because the entry pad is scrambled differently every time, attacks that log where mouse clicks are made are not a threat either: the clicks required are different for every authentication.



File:Sample.png

Implementation

Currently the PINpad solution is implemented by a new version of the Appliance Proxy.

This page contains the latest Appliance proxy software. You will need to extract it from the zip file before deploying.

This updated proxy retrieves a security string from the Swivel server and serves it digit by digit, as requested by the login page.

In order to ensure that each digit is only served once, the request for each digit must include a unique session key.

This session key should be the same for every digit requested for a given pad, but different for each pad requested.

The request is an HTTP GET, e.g.

<img src="https://<serverIP>:<port>/proxy/SCPinPad?username=test&padno=8370:3">

where 8370 is the unique session key and 3 indicates that the image for the 3rd button is being requested.

This approach has been adopted because it mirrors the method used for retrieving single-channel images via the proxy, although this method requires 10 different images rather than a single one.

As 10 separate images are requested, the HTML that renders the login page can place and arrange them as required.
