Sep 21, 2011

We have finished testing a developers' version of the sCrib. It can be reset, and it also implements transaction authorisation for input from a connected keyboard.
Category: General
Posted by: dc352

This version is being introduced for companies who would like to develop internet systems for use with sCrib tokens. The additional functionality of the Home sCrib for Developers includes:

  • reset of the token into the manufacturing state (no passwords present in the token); and
  • computation of HMAC-SHA1 from data typed on a connected keyboard.

The latter allows internet applications to introduce challenge-response authentication and/or transaction authorisations.

The security of challenge-response authentication is comparable to that of time-synchronised one-time passwords (the mechanism RSA SecurID implements), as the server can limit the validity of a challenge (displayed in a browser window). Users re-type the challenge on the keyboard; when finished, the sCrib computes a cryptogram that is sent back to the server.

This strengthens the security of the Home sCrib that already provides counter-based one-time passwords.

The second use is transaction authorisation, where the sCrib computes a cryptogram from user input. The user can type transaction data, e.g., a recipient account number and the amount to be transferred, and the sCrib will compute a cryptogram authorising this data as genuine and type it into a browser's form.

Two-factor authentication/authorisation can be easily achieved by including a user's PIN as part of the data typed on the keyboard.
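The two flows above (challenge-response with a server-limited challenge lifetime, and transaction authorisation with the PIN mixed into the typed data) modelled end to end, as an added example that is not sCrib's own code or wire format. The shared key, the UTF-8 encoding of the typed characters, the hex rendering of the cryptogram, the 60-second challenge lifetime and the `|`-separated field layout are all assumptions made for the illustration; the point is the server-side checks: expiry, single use, and a constant-time comparison.

```python
import hashlib
import hmac
import secrets

# Assumed shared secret; a real token would hold its key in hardware.
TOKEN_KEY = b"example-shared-key-not-a-real-sCrib-key"
CHALLENGE_TTL = 60  # assumed: seconds a displayed challenge stays valid


def token_cryptogram(key: bytes, typed: str) -> str:
    """Model of the token: HMAC-SHA1 over the characters typed on the keyboard.
    UTF-8 encoding and hex output are assumptions, not the sCrib format."""
    return hmac.new(key, typed.encode("utf-8"), hashlib.sha1).hexdigest()


def issue_challenge(now: float) -> dict:
    """Server side: a random challenge to show in the browser, with an expiry."""
    return {"value": secrets.token_hex(4), "expires": now + CHALLENGE_TTL, "used": False}


def verify_challenge(key: bytes, challenge: dict, pin: str, cryptogram: str, now: float) -> bool:
    """Server side: reject expired or replayed challenges, then compare the MAC
    in constant time. The PIN typed along with the challenge is the second factor."""
    if challenge["used"] or now > challenge["expires"]:
        return False
    expected = token_cryptogram(key, challenge["value"] + pin)
    if not hmac.compare_digest(expected, cryptogram):
        return False
    challenge["used"] = True  # burn the challenge so the cryptogram cannot be replayed
    return True


def transaction_string(account: str, amount: str, pin: str) -> str:
    """Assumed canonical layout of what the user types for a transaction."""
    return f"{account}|{amount}|{pin}"


def verify_transaction(key: bytes, account: str, amount: str, pin: str, cryptogram: str) -> bool:
    """Server side: recompute the MAC over the submitted form fields; any change to
    the recipient or amount after the user typed them yields a different cryptogram."""
    expected = token_cryptogram(key, transaction_string(account, amount, pin))
    return hmac.compare_digest(expected, cryptogram)


if __name__ == "__main__":
    ch = issue_challenge(now=1000.0)
    mac = token_cryptogram(TOKEN_KEY, ch["value"] + "1234")
    print("fresh challenge:", verify_challenge(TOKEN_KEY, ch, "1234", mac, now=1010.0))
    print("replayed:", verify_challenge(TOKEN_KEY, ch, "1234", mac, now=1020.0))
    tx = token_cryptogram(TOKEN_KEY, transaction_string("GB00TEST1234", "100.00", "1234"))
    print("tampered amount:", verify_transaction(TOKEN_KEY, "GB00TEST1234", "1000.00", "1234", tx))
```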