Question
I just opened a new bank account which comes with internet banking. Unlike the others I have used so far, this one requires a personal certificate (a .p12 file stored on my computer) + password for authentication instead of standard username + password. This method is rather inconvenient... I have to store the certificate somewhere safe, I have to back it up, I can't access my account on any computer unless I have the certificate with me, the certificate has an expiration date and I can't simply generate a new one.
So... are there any upsides? I would assume that this method would be more secure, but I'm not sure about it. I don't know how the authentication process actually works, but it seems to me that stealing a certificate from a client's computer is just as easy/difficult as stealing his username. Personally, I feel better about my username stored only in my head than about a file stored somewhere on my hard drive.
Explanation / Answer
The certificate protects users against the most common authentication security threat: password reuse. Most internet users have a tendency to use the same or similar passwords across different sites, even banking sites. When this occurs, it means the compromise of a password database from another site now allows access to the banking site.
Certificates also protect against the second most common threat: phishing. Using mutual authentication in TLS for the client verification makes phishing almost impossible. (The attacker would need to plant a rogue CA in both sides of the connection, and if they're in a position to do that, they can do many worse things.)
You are correct that a certificate is not significantly harder for an attacker to steal than credentials, so offers little security to a user with a compromised endpoint. The certificate does protect against two very real problems, however, and is thus a more secure option than a simple username/password. As you've pointed out, this security comes with a usability cost, which is unfortunate.
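To make the answer's two points concrete, here is an added Go illustration (my own code, not from the question or the answer) of what the bank's server actually checks when a certificate logs in: the certificate must chain to the bank's CA, and the client must sign something that is unique to this session with the private key from the .p12. It runs three logins: the real customer, an attacker who captured only the certificate (the public part) during a phished session, and a replay of a signature captured in an earlier session. The bank CA, the customer name and the transcript strings are constructed; reducing the TLS handshake to one signature over a "transcript" is a simplification (real TLS signs a hash of the handshake messages and does more), but the two checks are the ones TLS client authentication performs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an Ed25519 key pair and a certificate for it, signed by parentKey
// (a self-signed CA when parent is nil): the bank's CA on one side, what a customer's .p12 holds on the other.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = t, priv // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyClient is the bank server's side reduced to its two checks: the certificate must chain
// to a CA the bank trusts, and the client must have signed this session's transcript with the
// matching private key. Only the signature crosses the wire; the private key never does.
func verifyClient(trusted *x509.CertPool, cert *x509.Certificate, transcript, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), transcript, sig)
}

// scenarios reports whether the bank admits: the customer; an attacker holding only the
// customer's certificate; and a replay of a captured signature in a fresh session.
func scenarios() (customer, stolenCert, replay bool) {
	ca, caKey := issue("Example Bank CA", nil, nil) // constructed bank CA
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	cust, custKey := issue("customer 4711", ca, caKey) // constructed customer, as in a .p12
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	s1, s2 := []byte("constructed transcript, session 1"), []byte("constructed transcript, session 2")
	sig := ed25519.Sign(custKey, s1) // what a phishing proxy could observe in session 1
	customer = verifyClient(trusted, cust, s1, sig)
	stolenCert = verifyClient(trusted, cust, s2, ed25519.Sign(attackerKey, s2))
	replay = verifyClient(trusted, cust, s2, sig)
	return
}
```

There is no main function: run it with go test from a test that calls scenarios(), which returns true, false, false.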