Exactly! This is where I'd like to bring focus back on what it really was. Neither is keybank.com allowing access to a 'registered' computer simply because it's registered, nor is it laying a file, key or id certificate on the client's machine to enable it to login. As Wesley pointed out, they are just adding an extra layer of authentication, which in all honesty may not do much but just identify which system the client logged on last from (for the purpose of tracing a transaction)... But it's not creating any vulnerabilities either, at least in my opinion.

I had been meaning to clarify this. I wasn't asked to install any certificate / key / software or file on my system by the bank. So they are definitely not using any such method which requires such kind of an authentication. I thought they are mapping to the MAC Address or some Hardware Component, but as pointed out, that is pretty impossible or requires ActiveX or something, well then that's not happening either because I didn't get any ActiveX notification or anything.

Basically I have to login using my Username and password and then I have to register the system and give it a label (like Home, Wife's Computer, etc). But every time I login, be it from any computer, pre-registered or not, I have to always use my username & password. There is no automatic login or any such thing.

@Kristen ... No you're not missing anything. That's exactly how it is.

@Joe... Thanks. Yes I do also believe they are just using Cookies.

@Bruce... Yes I've definitely heard about the kind of security you're referring to, where the client is required to download an App and it communicates with the server. But I guess that's not what Keybank.com is doing.

Considering that they are more than likely using cookies, I'm probably not going to implement this in my application for now... And possibly look at some other alternates.

Thanks.
On 10/4/06 3:36 AM, "Wesley Acheson" <wesley.acheson@xxxxxxxxx> wrote:

> I don't see how it's that much of a security risk, they create a ssh
> tunnel. All it does is add an extra layer of authentication. It's not
> like the password requirements are bypassed.
>
>
> On 10/3/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
>> On Tue, October 3, 2006 2:33 am, Wesley Acheson wrote:
>>> They could also be doing something like giving the client an SSH key
>>> to download, I've heard of this situation in a bank before.
>>
>> Is the key tied to my hardware?
>>
>> At least that stops the virus/Trojan scenario.
>>
>> But not the petty thief who breaks in and takes my computer, and "oh
>> look, now I have his bank account too! Sweet!!!"
>>
>> Puhleeze!
>>
>> Do you really want to bank with a place that does this?
>>
>> --
>> Some people have a "gift" link here.
>> Know what I want?
>> I want you to buy a CD from some starving artist.
>> http://cdbaby.com/browse/from/lynch
>> Yeah, I get a buck. So?
>>
>>

Rahul S. Johari
Supervisor, Internet & Administration
Informed Marketing Services Inc.
500 Federal Street, Suite 201
Troy NY 12180
Tel: (518) 687-6700 x154
Fax: (518) 687-6799
Email: rahul@xxxxxxxxxxxxxxxxxxxx
http://www.informed-sources.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
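The flow described in this thread (username and password on every login, plus a labelled "registered" computer that is most likely tracked with a cookie), sketched as an added example that is not from the thread or from keybank.com. The class, function and cookie names are hypothetical, and an in-memory array stands in for the server-side store.

```php
<?php
// Added example, PHP 7.4+. DeviceRegistry, login() and the device_id cookie are hypothetical names.
final class DeviceRegistry
{
    /** @var array<string, array<string, string>> user => [sha256(token) => label] */
    private array $devices = [];

    // Call only after a successful username/password login.
    public function register(string $user, string $label): string
    {
        $token = bin2hex(random_bytes(32));                      // value that goes in the cookie
        $this->devices[$user][hash('sha256', $token)] = $label;  // server keeps only its hash
        return $token;
    }

    // Label of a registered computer, or null when the cookie is missing or unknown.
    public function identify(string $user, ?string $token): ?string
    {
        if ($token === null || strlen($token) !== 64 || !ctype_xdigit($token)) {
            return null;
        }
        return $this->devices[$user][hash('sha256', $token)] ?? null;
    }
}

function login(DeviceRegistry $reg, array $users, string $user, string $pass, ?string $cookie): array
{
    // The password is verified on every login; the cookie never substitutes for it.
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return ['ok' => false, 'device' => null];
    }
    // The cookie only labels where the login came from (useful for tracing a transaction).
    return ['ok' => true, 'device' => $reg->identify($user, $cookie)];
}

// Constructed sample account and requests.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$reg   = new DeviceRegistry();

$first = login($reg, $users, 'alice', 'correct horse', null);   // not yet registered
$token = $reg->register('alice', 'Home');
// In a web request the token would be sent with:
// setcookie('device_id', $token, ['expires' => time() + 31536000, 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
$known  = login($reg, $users, 'alice', 'correct horse', $token);
$stolen = login($reg, $users, 'alice', 'wrong guess', $token);  // cookie alone is not enough

echo json_encode(['first' => $first, 'known' => $known, 'stolen' => $stolen]), PHP_EOL;
```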