Any creative solution to make it harder for hackers to copy your IdP login page?

Martin Lunze martin.lunze at tu-dresden.de
Tue Mar 27 02:24:10 EDT 2018


With the way of entering first the name and later the password, it could 
also be possible to brute-force / guess usernames.
In my opinion not a good idea!

With nice regards
Martin


On 26.03.2018 at 23:23, Cantor, Scott wrote:
>> My credit union discourages phishing by prompting for the username on one
>> page (www.example.com) and the password on another (my.example.com).
>> The password page is customized based on the username. When I set up my
>> CU account (years ago), I had to choose a Security Phrase and a Security
>> Picture. These always appear on my custom password page.
> The problem is screen scraping; it's really not defeatable if you don't bother to check the bar. There are tricks like the phrase or picture to force one to actually screen scrape (anti-XSRF stuff is another), but if somebody is willing to scrape it in real time there isn't much that will work, and it defeats MFA for at least that transaction. You just throw an error back to the user to make them think it failed, and meanwhile off you go with your session.
>
> The fix of course is token binding.
>
> -- Scott
>

-- 
Martin Lunze
IT-Systemadministrator

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden

Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
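As an added example (not code from this thread, and not Shibboleth code), the two-step flow in Python: the naive personalised password page that Martin points out is a username oracle, beside a variant that only personalises for a browser presenting a device cookie issued at an earlier completed login. The user table, the cookie scheme and all function names are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Callable, Optional

# Constructed sample data, not taken from the thread.
USERS = {"alice": {"phrase": "blue teapot", "picture": "cat.png"}}
DEVICE_KEY = secrets.token_bytes(32)  # server-side secret for device cookies


def password_page_naive(username: str) -> dict:
    """Step 2 as described in the thread: the page is personalised from the
    username alone, so known and unknown names get different responses."""
    user = USERS.get(username)
    if user is None:
        return {"kind": "error", "message": "unknown user"}
    return {"kind": "custom", "phrase": user["phrase"], "picture": user["picture"]}


def mint_device_cookie(username: str) -> str:
    """Issued only after a completed login; ties this browser to the account."""
    return hmac.new(DEVICE_KEY, username.encode(), hashlib.sha256).hexdigest()


def password_page_hardened(username: str, device_cookie: Optional[str]) -> dict:
    """Personalise only when a valid device cookie for this username is
    presented; every other request gets the identical generic page, so the
    response no longer reveals whether the username exists."""
    user = USERS.get(username)
    if user is not None and device_cookie is not None and hmac.compare_digest(
        mint_device_cookie(username), device_cookie
    ):
        return {"kind": "custom", "phrase": user["phrase"], "picture": user["picture"]}
    return {"kind": "generic", "message": "Enter your password"}


def is_username_oracle(page_fn: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Defender's check: does step 2 answer differently for an existing and a
    made-up username when the browser carries no device cookie?"""
    return page_fn(known) != page_fn(unknown)
```

As Scott notes, this only closes the username oracle; a proxy scraping the page in real time still receives whatever the legitimate browser receives.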

