Increasing the Security of ESB User Accounts using the PIN

Both back-office and self-service user accounts in ESB have the facility to assign a 4-digit PIN in addition to the standard username/password.

When a PIN is set, ESB will ask the user to enter 3 random digits from their PIN each time they log in. This technique is sometimes known as 1.5-factor authentication. The particular 3 digits that are requested, along with the order in which they are requested, vary each time the user successfully authenticates.

We were recently asked by a customer why the order in which the digits are requested is randomised. For example, we sometimes ask for the 2nd, 3rd and 4th digits, but other times may ask for the 3rd, 4th and 2nd. The reason for this randomisation is simple: to enhance the security of the account.

One of the weaknesses of a simple username/password authentication mechanism is that if the user’s computer is compromised with a key logger, either in software or hardware, then the username and password can easily be captured and re-used by simply replaying the series of keystrokes.

By introducing a PIN, and only requiring 3 of the 4 digits to be entered, the key logger would need to capture multiple authentication processes before all 4 digits of the PIN were obtained.

However, if we always asked for those 3 digits in order, we would only be faced with 4 possible variations: 1, 2, 3; 2, 3, 4; 1, 2, 4 and 1, 3, 4.

By randomising the order in which we ask for the digits to be entered we increase the number of potential variations from 4 to 24. This makes it far harder for an attacker to discover a user’s PIN in full, even if they were able to monitor several authentication sessions.
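As an added illustration (example code, not ESB’s own implementation), the following shows how a partial-PIN challenge of this kind can be generated and verified, together with the counts behind the 4 and 24 figures above. The constants, function names and the sample PIN in the demo are assumptions chosen for the example.

```python
import hmac
import secrets
from itertools import combinations, permutations

PIN_LENGTH = 4        # assumed: ESB PINs are 4 digits
DIGITS_REQUESTED = 3  # assumed: 3 of the 4 digits are asked for per login


def challenge_space(ordered: bool) -> int:
    """Number of distinct challenges the user can be shown.
    Only the set of positions: C(4,3) = 4. Set plus order: P(4,3) = 24."""
    positions = range(PIN_LENGTH)
    if ordered:
        return sum(1 for _ in permutations(positions, DIGITS_REQUESTED))
    return sum(1 for _ in combinations(positions, DIGITS_REQUESTED))


def make_challenge() -> list[int]:
    """Pick 3 distinct 1-based PIN positions in random order.
    secrets (a CSPRNG) is used so successive challenges are unpredictable."""
    remaining = list(range(1, PIN_LENGTH + 1))
    chosen = []
    for _ in range(DIGITS_REQUESTED):
        chosen.append(remaining.pop(secrets.randbelow(len(remaining))))
    return chosen


def verify_response(pin: str, challenge: list[int], response: str) -> bool:
    """Check the digits typed by the user against the positions asked for,
    in the order they were asked for. A response in the 'natural' order is
    wrong when the challenge order differs, which is what forces a
    keystroke recording to be tied to one specific challenge."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    if len(response) != DIGITS_REQUESTED or not response.isdigit():
        return False
    expected = "".join(pin[p - 1] for p in challenge)
    # constant-time comparison: do not leak which digit mismatched via timing
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    sample_pin = "1234"  # constructed sample PIN for the demo only
    challenge = make_challenge()
    print("Enter PIN digits", challenge, "->",
          verify_response(sample_pin, challenge,
                          "".join(sample_pin[p - 1] for p in challenge)))
    print("challenges, positions only:", challenge_space(False))
    print("challenges, positions and order:", challenge_space(True))
```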

If you feel that the 1.5-factor mechanism introduces an unacceptable level of complexity for your users, then it is easy to revert to the standard username/password combination. On the flip side, if you require something stronger than the addition of a PIN, you can enable ESB’s 2-factor authentication. This utilises time-based one-time passcodes using industry-standard algorithms, and supports a range of software and hardware-based tokens, including smartphone apps for Android and iOS.

If you have any queries about the best way to secure access to your ESB environment, please speak to one of our technical consultants who will be happy to provide more in-depth information.
