Increasing the Security of ESB User Accounts using the PIN

Both back-office and self-service user accounts in ESB have the facility to assign a 4-digit PIN in addition to the standard username/password.

When a PIN is set, ESB will ask the user to enter 3 random digits from their PIN each time they log in. This technique is sometimes known as 1.5-factor authentication. The particular 3 digits that are requested, along with the order in which they are requested, vary each time the user successfully authenticates.

We were recently asked by a customer why the order in which the digits are requested is randomised. For example, we sometimes ask for the 2nd, 3rd and 4th digits, but other times may ask for the 3rd, 4th and 2nd. The reason for this randomisation is simple: to enhance the security of the account.

One of the weaknesses of a simple username/password authentication mechanism is that if the user’s computer is compromised by a key logger, either in software or in hardware, then the username and password can easily be captured and re-used by simply replaying the series of keystrokes.

By introducing a PIN, and only requiring 3 of the 4 digits to be entered, the key logger would need to capture multiple authentication processes before all 4 digits of the PIN were obtained.

However, if we always asked for those 3 digits in a fixed (ascending) order, there would be only 4 possible variations: 1, 2, 3; 2, 3, 4; 1, 2, 4 and 1, 3, 4.

By randomising the order in which we ask for the digits to be entered, we increase the number of potential variations from 4 to 24 (every ordering of 3 positions chosen from 4). This makes it far harder for an attacker to discover a user’s PIN in full, even if they were able to monitor several authentication sessions.
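To make the mechanism concrete, here is an added Python illustration. It is not code from ESB or from this article; it assumes a hypothetical server-side helper that issues a challenge of three PIN positions in random order, verifies the user's reply against the stored PIN with a constant-time comparison, and counts the distinct challenges with and without order randomisation, reproducing the 4 and 24 figures given above.

```python
import hmac
import secrets
from itertools import combinations, permutations

PIN_LENGTH = 4        # ESB PINs are 4 digits (from the article)
DIGITS_REQUESTED = 3  # three of the four digits are requested at each login


def new_challenge(rng=None):
    """Pick three distinct 1-based PIN positions in random order.

    `rng` is any object with a random.Random-style `sample` method; the
    default is a CSPRNG-backed generator (hypothetical helper, not ESB's code).
    """
    rng = rng or secrets.SystemRandom()
    return rng.sample(range(1, PIN_LENGTH + 1), DIGITS_REQUESTED)


def verify_response(stored_pin: str, challenge, response: str) -> bool:
    """Return True only if `response` holds the requested digits in the
    requested order. Length and format checks run first so that malformed
    input never reaches the comparison."""
    if len(stored_pin) != PIN_LENGTH or not stored_pin.isdigit():
        return False
    if len(challenge) != DIGITS_REQUESTED or len(set(challenge)) != DIGITS_REQUESTED:
        return False
    if any(not 1 <= p <= PIN_LENGTH for p in challenge):
        return False
    if len(response) != DIGITS_REQUESTED or not response.isdigit():
        return False
    expected = "".join(stored_pin[p - 1] for p in challenge)
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(expected.encode(), response.encode())


def challenge_variations(randomise_order: bool) -> int:
    """Number of distinct challenges: combinations if the 3 positions are
    always asked in ascending order, permutations if the order is random."""
    positions = range(1, PIN_LENGTH + 1)
    if randomise_order:
        return sum(1 for _ in permutations(positions, DIGITS_REQUESTED))
    return sum(1 for _ in combinations(positions, DIGITS_REQUESTED))


def list_fixed_order_challenges():
    """The four challenges possible when order is not randomised."""
    return [list(c) for c in combinations(range(1, PIN_LENGTH + 1), DIGITS_REQUESTED)]


if __name__ == "__main__":
    # Constructed demo PIN; a real deployment stores a hash or uses an HSM.
    demo_pin = "4721"
    challenge = new_challenge()
    print("Please enter digits", challenge, "of your PIN")
    reply = "".join(demo_pin[p - 1] for p in challenge)  # what an honest user types
    print("accepted:", verify_response(demo_pin, challenge, reply))
    print("fixed-order challenges:", challenge_variations(False),
          list_fixed_order_challenges())
    print("randomised-order challenges:", challenge_variations(True))
```

The verifier also rejects a reply whose digits are correct but in the wrong order, which is exactly the property that makes a replayed keystroke sequence useless once the requested order changes.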

If you feel that the 1.5-factor mechanism introduces an unacceptable level of complexity for your users, then it is easy to revert to the standard username/password combination. On the flip side, if you require something stronger than the addition of a PIN, you can enable ESB’s 2-factor authentication. This utilises time-based one-time passcodes using industry-standard algorithms, and supports a range of software and hardware-based tokens, including smartphone apps for Android and iOS.

If you have any queries about the best way to secure access to your ESB environment, please speak to one of our technical consultants who will be happy to provide more in-depth information.
