SiteKey is a web-based security system that provides one type of mutual authentication between end-users and websites. Its primary purpose is to deter phishing.
SiteKey was deployed by several large financial institutions in 2006, including Bank of America and The Vanguard Group. Both Bank of America and The Vanguard Group discontinued use in 2015.
The product is owned by RSA Data Security, which in 2006 acquired its original maker, Passmark Security.
How it works
SiteKey uses the following challenge–response technique:
#The user ''identifies'' (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one, the site proceeds.
#If the user's browser does not contain a client-side state token (such as a Web cookie or a Flash cookie) from a previous visit, the user is prompted for answers to one or more of the "security questions" the user specified at sign-up time, such as "Which school did you last attend?"
#The site authenticates itself to the user by displaying an image and/or accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
#The user authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.
If the user is at a phishing site whose domain differs from the legitimate one, the browser will not send the state token in step (2), because a cookie is only sent back to the domain that set it. The phishing site owner must therefore either skip displaying the correct security image, or prompt the user for the security question(s) obtained from the legitimate domain and relay the answers to it. In theory this could make the user suspicious, since a user who has recently used the legitimate site from that browser would not expect to be re-prompted for security questions. In practice, however, there is evidence that users generally fail to notice such anomalies.
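The four steps above and the cookie-scoping argument of the preceding paragraph, modelled in Python as an added example (this is not RSA's, Passmark's or any bank's code). The domain names bank.example and bank-example.evil, the HMAC-based state token, the salted SHA-256 hashing, the in-memory account store and all class and function names are assumptions made for illustration. A `Browser` keeps one cookie per domain, a `SiteKeyServer` runs the legitimate flow, and a `PhishingProxy` relays every step to the real server from a different domain, so the victim is always re-asked the security question while the attacker still obtains the correct image, the answer and the password.

```python
# Toy model of the SiteKey exchange (added example, not RSA's, Passmark's or any
# bank's code); domains, token format, hashing and the account store are assumed.
import hashlib
import hmac
import secrets

LEGIT_DOMAIN = "bank.example"        # assumed legitimate site
PHISH_DOMAIN = "bank-example.evil"   # assumed phishing site


def _hash(secret, salt):
    """Salted SHA-256 for stored password/answer digests (illustrative only)."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


class SiteKeyServer:
    """The website's side of the four steps described above."""

    def __init__(self):
        self.accounts = {}                         # username -> record dict
        self.token_key = secrets.token_bytes(32)   # signs the client-side state token

    def register(self, user, password, question, answer, image, phrase):
        salt = secrets.token_hex(8)
        self.accounts[user] = {"salt": salt, "pw": _hash(password, salt),
                               "q": question, "a": _hash(answer.strip().lower(), salt),
                               "image": image, "phrase": phrase}

    def _token(self, user):
        # HMAC over the username, so a stolen token is only good for that user.
        return hmac.new(self.token_key, user.encode(), "sha256").hexdigest()

    def identify(self, user):                      # step 1: username only, no password
        return user in self.accounts

    def challenge(self, user, token):
        # step 2: no valid token from this browser -> ask a security question
        if token is not None and hmac.compare_digest(token, self._token(user)):
            return None
        return self.accounts[user]["q"]

    def answer(self, user, answer):
        # step 2 (cont.): a correct answer yields a token the browser stores as a cookie
        acct = self.accounts[user]
        if hmac.compare_digest(_hash(answer.strip().lower(), acct["salt"]), acct["a"]):
            return self._token(user)
        return None

    def sitekey(self, user):                       # step 3: site shows the user's image/phrase
        acct = self.accounts[user]
        return acct["image"], acct["phrase"]

    def login(self, user, password):               # step 4: password check
        acct = self.accounts[user]
        return hmac.compare_digest(_hash(password, acct["salt"]), acct["pw"])


class PhishingProxy:
    """Attacker at PHISH_DOMAIN relaying every step to the real server and
    recording what the victim types."""

    def __init__(self, target):
        self.target, self.captured = target, {}

    def identify(self, user):
        return self.target.identify(user)

    def challenge(self, user, token):
        # The victim's bank.example cookie is never sent to this domain and the
        # attacker holds no token, so the real site always asks the question.
        return self.target.challenge(user, None)

    def answer(self, user, answer):
        self.captured["answer"] = answer
        return self.target.answer(user, answer)    # attacker now holds a valid token too

    def sitekey(self, user):
        return self.target.sitekey(user)           # the correct image/phrase is just relayed

    def login(self, user, password):
        self.captured["password"] = password
        return self.target.login(user, password)


class Browser:
    """Cookie jar keyed by domain: a cookie set for bank.example is never sent
    to bank-example.evil, which is the property SiteKey relies on."""

    def __init__(self):
        self.jar = {}

    def run_flow(self, domain, site, user, answer, password):
        """Run the four steps against `site` as reached at `domain`.
        Returns (question_asked, image, phrase, logged_in)."""
        if not site.identify(user):
            return None, None, None, False
        question = site.challenge(user, self.jar.get(domain))
        if question is not None:
            token = site.answer(user, answer)
            if token is None:                      # wrong answer: no image, no login
                return question, None, None, False
            self.jar[domain] = token
        image, phrase = site.sitekey(user)
        return question, image, phrase, site.login(user, password)
```

Running `Browser().run_flow(LEGIT_DOMAIN, bank, ...)` twice shows the second visit skipping the security question because the cookie is presented; running the same browser against `PhishingProxy(bank)` at `PHISH_DOMAIN` shows the question being asked again (the only visible anomaly) while the proxy still relays the correct image and phrase and captures the password.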
Weaknesses
A Harvard study found SiteKey 97% ineffective: in their experiment, users who were shown the login page with the security image removed still entered their passwords 97% of the time. In practice, real people don't notice, or don't care, when the SiteKey is missing.
It also requires users to keep track of more authentication information. Someone associated with ''N'' different websites that use SiteKey must remember ''N'' different 4-tuples of information: ''(site, username, phrase, password)''.
Discontinuation
In May 2015, Bank of America announced that SiteKey would be discontinued for all users by the end of the year, allowing users to log in with their username and password in one step.
In July 2015, Vanguard also discontinued the use of SiteKey for its website.
Reference: Vanguard, "We've streamlined the process for logging on to Vanguard.com", https://personal.vanguard.com/us/insights/article/Single-Signon-072015 (archived 2016-03-04 at https://web.archive.org/web/20160304054144/https://personal.vanguard.com/us/insights/article/Single-Signon-072015).
External links
*Authentication in an Online Banking Environment
*SiteKey at Bank of America
*Fraud Vulnerabilities in SiteKey Security at Bank of America