News
Home sCrib for Developers
This version is being introduced for companies who would like to develop internet systems for use with sCrib tokens. The additional functionality of the Home sCrib for Developers includes:
- reset of the token into the manufacturing state (no passwords present in the token); and
- computation of HMAC-SHA1 from data typed on a connected keyboard.
The latter allows internet applications to introduce challenge-response authentication and/or transaction authorisations.
The security of challenge-response authentication is comparable to one-time passwords using time synchronisation (RSA SecurID implements this mechanism), as the server can limit the validity of a challenge (displayed in a browser window). Users re-type the challenge on the keyboard and, when finished, the sCrib computes a cryptogram that is sent back to the server.
This strengthens the security of the Home sCrib that already provides counter-based one-time passwords.
The second use is transaction authorisation, where the sCrib computes a cryptogram from user input. The user can type transaction data, e.g., a recipient account number and the amount to be transferred, and the sCrib will compute a cryptogram authorising this data as genuine and type it into a browser's form.
Two-factor authentication/authorisation can be easily achieved by including a user's PIN as part of the data typed on the keyboard.
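A server-side sketch of the challenge-response and transaction authorisation flows described above, added here as an example and not taken from sCrib code. The hex encoding of the cryptogram, the space-separated layout of the typed data, the 60-second validity window and all names are assumptions; `token_cryptogram` stands in for the token.

```python
import hashlib
import hmac
import secrets
import time


def token_cryptogram(key: bytes, typed: str) -> str:
    """Stand-in for the token: HMAC-SHA1 over the typed characters (hex output assumed)."""
    return hmac.new(key, typed.encode("utf-8"), hashlib.sha1).hexdigest()


def expected_input(challenge: str, transaction: str = "", pin: str = "") -> str:
    """Assumed layout of what the user types: challenge, transaction data, PIN."""
    return " ".join(part for part in (challenge, transaction, pin) if part)


class ChallengeServer:
    def __init__(self, token_key: bytes, ttl_seconds: int = 60):
        self._key = token_key
        self._ttl = ttl_seconds
        self._pending = {}  # challenge -> expiry time

    def issue(self, now=None) -> str:
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10**8):08d}"  # short enough to re-type
        self._pending[challenge] = now + self._ttl
        return challenge

    def verify(self, challenge, cryptogram, transaction="", pin="", now=None) -> bool:
        now = time.time() if now is None else now
        expiry = self._pending.pop(challenge, None)  # single use: a replay finds nothing
        if expiry is None or now > expiry:
            return False
        expected = token_cryptogram(self._key, expected_input(challenge, transaction, pin))
        # Constant-time comparison so response timing does not leak matching prefixes.
        return hmac.compare_digest(expected.encode(), cryptogram.strip().lower().encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret, not a real token key
    server = ChallengeServer(key)
    ch = server.issue()
    response = token_cryptogram(key, expected_input(ch, "12345678 250.00", "4821"))
    print("first use:", server.verify(ch, response, "12345678 250.00", "4821"))
    print("replay:   ", server.verify(ch, response, "12345678 250.00", "4821"))
```

Because the server recomputes the HMAC over the transaction data it is about to execute, a cryptogram produced for one account number and amount does not verify for any other.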