Increasing the Security of ESB User Accounts using the PIN

Both back-office and self-service user accounts in ESB have the facility to assign a 4-digit PIN in addition to the standard username/password.

When a PIN is set, ESB asks the user to enter 3 randomly selected digits from their PIN each time they log in. This technique is sometimes known as 1.5-factor authentication. The particular 3 digits that are requested, and the order in which they are requested, vary each time the user successfully authenticates.

We were recently asked by a customer why the order in which the digits are requested is randomised. For example, we sometimes ask for the 2nd, 3rd and 4th digits, but other times may ask for the 3rd, 4th and 2nd. The reason for this randomisation is simple: to enhance the security of the account.

One of the weaknesses of a simple username/password authentication mechanism is that if the user’s computer is compromised by a key logger, whether software or hardware, the username and password can easily be captured and then reused simply by replaying the recorded series of keystrokes.

By introducing a PIN and only requiring 3 of the 4 digits to be entered, the key logger would need to capture multiple authentication sessions before all 4 digits of the PIN were obtained.

However, if we always asked for those 3 digits in ascending order of position, there would only be 4 possible variations: 1, 2, 3; 2, 3, 4; 1, 2, 4 and 1, 3, 4.

By randomising the order in which we ask for the digits to be entered, we increase the number of potential variations from 4 to 24 (each of the 4 choices of 3 positions can be presented in any of 6 orders). This makes it far harder for an attacker to discover a user’s PIN in full, even if they were able to monitor several authentication sessions.
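The following is an added illustration of the mechanism described above, not ESB’s own code: it generates a challenge of 3 PIN positions (in fixed or randomised order), verifies the user’s response against a server-held PIN, and counts the 4 versus 24 possible challenges. The PIN length, digit count and sample PIN are assumptions for the example.

```python
import hmac
import itertools
import secrets
from typing import Tuple

# Assumed parameters matching the page: a 4-digit PIN, 3 digits requested per login.
PIN_LENGTH = 4
DIGITS_REQUESTED = 3
_rng = secrets.SystemRandom()  # CSPRNG for challenge selection, never random.Random


def generate_challenge(randomise_order: bool = True) -> Tuple[int, ...]:
    """Pick which PIN positions (1-based) to ask for on this login.

    randomise_order=True: positions chosen and presented in random order (e.g. 3, 4, 2).
    randomise_order=False: always presented ascending (e.g. 2, 3, 4), the weaker
    scheme the page contrasts against.
    """
    positions = _rng.sample(range(1, PIN_LENGTH + 1), DIGITS_REQUESTED)
    return tuple(positions) if randomise_order else tuple(sorted(positions))


def verify_response(pin: str, challenge: Tuple[int, ...], response: str) -> bool:
    """Check the digits the user typed against the stored PIN for this challenge.

    The challenge must be the one the server issued and stored for this session,
    so the client cannot choose which digits it reveals. The comparison is
    constant-time so timing does not leak how many digits matched.
    """
    if len(pin) != PIN_LENGTH or len(response) != DIGITS_REQUESTED:
        return False
    expected = "".join(pin[p - 1] for p in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def challenge_space(randomise_order: bool) -> int:
    """Number of distinct challenges a user can be shown: 4 fixed-order, 24 randomised."""
    if randomise_order:
        return sum(1 for _ in itertools.permutations(range(PIN_LENGTH), DIGITS_REQUESTED))
    return sum(1 for _ in itertools.combinations(range(PIN_LENGTH), DIGITS_REQUESTED))


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN, held server-side
    for mode in (False, True):
        c = generate_challenge(randomise_order=mode)
        print(f"randomised={mode}: ask for positions {c}, {challenge_space(mode)} possible challenges")
    print(verify_response(pin, (3, 4, 2), "218"))  # True: positions 3, 4, 2 of 4821 are 2, 1, 8
```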

If you feel that the 1.5-factor mechanism introduces an unacceptable level of complexity for your users, then it is easy to revert to the standard username/password combination. On the flip side, if you require something stronger than the addition of a PIN, you can enable ESB’s 2-factor authentication. This utilises time-based one-time passcodes using industry-standard algorithms, and supports a range of software and hardware-based tokens, including smartphone apps for Android and iOS.

If you have any queries about the best way to secure access to your ESB environment, please speak to one of our technical consultants who will be happy to provide more in-depth information.
