Charles Holbrook
11-20-2007, 02:08 PM
I believe I have found a workaround for the time being for banks/credit unions that use secondary authentication of a specific type.
My credit union, Austin Telco Federal Credit Union, has a secondary authentication mechanism that requires you to click on the letters that make up your secondary password. This only has to be done once on a system, then you can authorize said system to not need to use said auth mechanism.
The problem with this is that there is no way to use anything other than a mouse at this point to do that.
The SOLUTION I've found is:
1. Log in to my credit union's webpage.
2. Open a second tab and log in to mint.com.
3. Click on the update button for my credit union accounts.
4. Switch focus back over to the already logged in credit union page.
I've confirmed that this 'solution' works with both Firefox and IE. Guesses as to why this works revolve around the client cookie. Without digging too far, it seems to me that the auth stream goes something like this:
Type in account
Type in pin
Is system authorized?
yes - check for local cookie
no - prompt for secondary authentication
check for session id in cookie
no - finish authentication and create session cookie.
yes - Consider yourself logged in to site.
So, I THINK, this way is simply a mechanism for poaching the session ID of the other tab's connection to the site.
Don't forget to open the credit union site up first or all your hard work will be gone when it fails authentication and resets everything.