New Authentication Scheme Proposed

jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."

For increased portability...

[sakdoctor (1087155)]

...I suggest a booth with a dance dance revolution mat inside.
When the user is asked to enter their password they enter the booth, shut the door and strut their funky password.

Re:

[Tolkien (664315)]

Employer: Is your password really that long? Come on! Hurry up and finish already.
Me(from within the booth after 5 minutes of dancing): Ssssh, I'm trying to concentrate - this is the best part!

mod parent up ...

[jimbojw (1010949)]

up down down right right-left up-down!

3 factor authentication and one time pad

[Depili (749436)]

Why oh why develop new fancy ways to authenticate that still rely on a one factor (the image portfolio) when 3 factor authentication (eg. username + password + one time pad with challenge and response codes) just works, as snooping the username and pw doesn't give you the one time pad with challenges and responses, and stealing the pad doesn't give you the username and pw.

That is the principal method of authentication used by web banks atleast in Finland and other sensible countries :)

Re:

[by Anonymous Coward]

Wouldn't that only be two factor authentication? Username and password only count as one factor (something you know) and the pad is the second factor (something you have.) In order to be three factor you would also need something you are.

Re:

[mollymoo (202721)]

This is for ATMs, so the "thing you have" is the card rather than a one-time-pad, but otherwise and it works pretty much as you describe. The need for a different "password" entry system is that it's trivial to shoulder-surf a PIN and then obtain the card by distracting the person and taking their card as it is ejected from the machine, picking their pocket, stealing their bag, beating the crap out of them...

Re:

[Sancho (17056)]

This is why a security fob would be useful.

Enter your PIN on the fob, get a code. Swipe your card, enter your card's PIN, enter the PIN from your fob, and you're in. To make it easier on the user, allow them to enter the PINs in any order.

Most users will use the same PIN for both devices--that's their fault. Some users will enter their fob PIN in full view of the security camera--again, their fault. At least people who care about their information will be capable of doing it securely, unlike the current

Keypad

[mpickut (721322)]

I've seen keypads with digital readout on the keys used in jails (my job takes me in and out of jails frequently). The keypad scrambles the digits each time and there is a prism-type covering over the keys so that unless you are looking directly at it you cannot see the numbers on each key. In order to see the numbers you need to stand in such a way that no one else can see them (your head blocks their view from the only angle the numbers are readable from).

I tried to get the code by watching as the guards let me in and out, just to see how effective it was, and can say that I never succeeded in even getting close. What was even better is that from talking to the offenders I learned that they thought they knew the codes by watching the patterns the keys were pressed by the guards -- I didn't have the heart to tell them that using the pattern they had watched would actually punch in a different code than the one the guards used. I did make sure one of the guards knew about it though.

Re:Keypad

[anothy (83176)]

my job takes me in and out of jails frequently

yeah, that and the early burnout are the two big problems with a career in the narcotics trade.

on the upside, you get to set your own hours.

Re:

[rickb928 (945187)]

Hey, he (?) may not be a drug dealer. He might be a lawy...

Never mind, you were pretty much on the right track...

Re:Keypad

[mpickut (721322)]

Don't you dare call me a lawyer! We heroin addicts have enough of a image problem without being linked to those soulless drains upon society. At least if you made heroin legal we would stop stealing and stay to ourselves.

Re:

[Eternauta3k (680157)]

(my job takes me in and out of jails frequently)

Burglar?

Small sample size

[ssjx (1235532)]

They seem to have big plans for this yet have only tested it with 38 users?

This would NEVER work out

[brunes69 (86786)]

It is a cool idea, that is for sure, but it would never leave the lab. Why? Because these guys are obviously not usability engineers. The idea that the function of a button changes based on some random event, and the system will tell you which button means what before you click it, is not usable.

I would like to see a formal usability study done on this thing I don't think it would get very far. I see they had some informal study going on where they had participation and error rates, but no data on what kind of users.

Overly complicated

[ddrichardson (869910)]

The problem with this type of system is that in order to protect the data you are asking the user to go through much more of a rigmarole than entering a password. Here in lies the problem, users will hate this, I mean good security practice is a balance of securing against likely threats and practicality.

I can't see what this does that a fingerprint scanner doesn't. I could be wrong but I can't think of a way to use a keylogger to capture it and it certainly stops someone looking over your shoulder.

Re:

[mollymoo (202721)]

I can't see what this does that a fingerprint scanner doesn't.

For one thing, I don't think you could could fool this with a gummy bear.

Yeah, but the real question is...

[Prototerm (762512)]

Would I be able to still fit my password on that yellow sticky note I keep on the monitor?

The problem with authentication is authentication

[naasking (94116)]

Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

Re:The problem with authentication is authenticati

[Psiren (6145)]

Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

How can your authorize something, unless you know who you're authorizing? The two go hand in hand, I can't see how you can have one without the other.

Re:The problem with authentication is authenticati

[naasking (94116)]

How can your authorize something, unless you know who you're authorizing?

You've asked the right question. You can find an intro here [wikipedia.org]. That article links to arguably the best authorization scheme: capability-based security [wikipedia.org], where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.

Re:

[Psiren (6145)]

Interesting, but I still don't see how that makes authentication unnecessary, at best it just seems another name for it. And I don't really see how it's applicable to everyday tasks such as, for example, access control on buildings or online banking.

Re:

[naasking (94116)]

Let me ask you this: what use is authentication without identity? Identity is generally irrelevant when making authorization decisions, particularly when using capabilities. Identity-based access control is the single cause of our vulnerable computing infrastructure. Identity-based security can be locked down somewhat, with Polaris [hp.com] being the epitome of what's achievable on Windows, but it has fundamental limits associated with the amount of information available to make appropriate authorization decisions [wikipedia.org].

C

Re:

[Psiren (6145)]

I'm sorry, I still don't get it. If person A needs access to some files, and person B must not have access, whatever mechanism is used must be able to differentiate between the two when those files are requested. How do we stop person B imitating person A? Maybe the examples on wikipedia are poorly written, but it still looks like it needs authentication to me.

Re:

[naasking (94116)]

Being used to identity-based access control, it's difficult to imagine another way. I just posted this elaborate response [slashdot.org] to another question, but perhaps it's a little too abstract. I'll assume you're a programmer. I'll further assume that you're familiar with Java.

Assume that we're in a Java-like language with no static fields or methods. All we have are object instances, and instance methods. Now, let's assume a simple filesystem API for our OS:

package Filesystem;

public abstract class Entry {

Re:

[naasking (94116)]

Hmm, from my reading, the poster asked an access control question, not an authentication question. To answer your questions, you connect that bag of meat to his session the same way you connect any other piece of software to another remote piece of software: carry an authorization token. I explained one way to make this easy here [slashdot.org].

Re:

[mattpalmer1086 (707360)]

I know the work of Mark Miller, Jonathon Shapiro, the E language, Waterken, etc. very well. It's really good stuff, and it has the potential to make more secure systems. However, I'm sorry to say, you've become a "true believer" and this is leading you into making vastly overreaching statements.

Authentication is not a broken concept. Authentication refers to the act of *proving* a claimed identity. Regardless of the authorization model that follows, you have to authenticate at the beginning. Doesn't

Re:

[naasking (94116)]

Identity is meaningless in a capability system, so it all depends how far down your capabilities go.

Re:

[mea37 (1201159)]

This is interesting material, and I'm hoping to find time to research the concepts further.

I have to say, though, that this article doesn't answer such questions as "when I approach a machine, how do I establish the capabilities I need for my tasks to be performed?"

In other words, I can see how this would reduce the roll of authentication during a session of activity, but I do not see in most common use cases how you could start a session without an authentication step. If you can persist your system's cap

Re:

[naasking (94116)]

1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and

You pose some good questions which I intend to address, but first there are a number of assumptions in this one statement which has lead people astray in the past, so I want to address those first.

The User: just about every single access control discussion, particularly informal ones like this thread, start by talking about "users". Talking about "users" quite naturally

Re:

[mea37 (1201159)]

Thanks for the reply; quite informative.

My next round of questions and comments would revolve around the proposition that "the user is generally not a threat". I'd divide the world into two types of system:

The Easy Cases: For some systems, I'd say it's clearly and demonstrably true that programs, not users, are the threat. For example, the WinXP desktop sitting in my office at home isn't under threat from any malicious users (and indeed I don't have it set up to take a password), while systems like it ar

Re:

[naasking (94116)]

I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion.

If by "multi-user networked systems" you mean systems which host multiple competing interests which are mutually suspicious, then I agree. The vast majority of systems are computer programs communicating with other computer programs, some at the behest of a single user or multiple users, some based on a schedule, etc. If you can solve the problem of safe collaboration among mutually suspicious p

Re:

[mattpalmer1086 (707360)]

Even in capability-based security, you need strong authentication. Or someone could just log-in as you (the authentication bit) and use your capabilities.

It is true that capabilities bind a permission to an object, so knowledge of the subject by the system is not required to use a capability. This has certain benefits - it's performant, it allows easy delegation or permissions to other subjects, and it avoids the Confused Deputy problem. There are also some downsides to this form of access control - it's

Re:

[naasking (94116)]

Let me pose a hypothetical: consider a capability OS a suspended shell session. Your OS stored a cryptographic token which directly designates that session on a USB key, or a secure crypto card of some sort. Plugging your key into the computer automatically reconnects you to your session. Do you consider this an authentication or an authorization?

Anybody who knows anything about security....

[mattpalmer1086 (707360)]

You think authentication is a "broken concept"?

Authentication - providing proof of a claimed identity
Authorization - managing permissions bound to an identity

See why you need both? You clearly have no idea what you're talking about, whoever you are.

Re:

[naasking (94116)]

Then perhaps you should get a better dictionary [reference.com]. There is more in heaven and earth Horatio, than is dreamt of in your philosophy...

Re:

[mattpalmer1086 (707360)]

Well, as I've said above, I know capability based access control very well. I nearly did my MSc degree dissertation on it, specifically the work of Mark Miller on the E language and distributed capabilities. But your original statement about authentication is still wrong. You still need good authentication in a capability based system. Authentication and authorization are not alternatives to one another!

Re:

[mattpalmer1086 (707360)]

I will concede that "managing permissions bound to an identity" isn't a great definition. The permissions themselves don't need to be bound to an identity, as capability systems demonstrate very well. A better definition might be "managing the association of permissions with an identity". Taking a very granular view, in an object based capability model, each object has an identity. Regardless of how they are bound, would you agree that authorization is about moving permissions around things that have id

Re:

[naasking (94116)]

"Anyone who knows security knows this" ...should be read as "anyone who agrees with me knows this". ...should be read as "I'm too ignorant on the subject to comment constructively, so I'll just be flippant".

This idea is stupid.

[rickb928 (945187)]

A trackball? Multiple keys? Sure, they got a great idea for selling lots of mouse replacements. And really just for authentication.

How about a biometric scanner? Oh, wait, that's beatable. Iris scanner? Too expensive. And strong passwords really don't work - just have someone steal the database.

It's just stupid.

Perhaps an overstated case...

[mea37 (1201159)]

This seems to provide two thigns:

1) It provides a limited degree of authentication of the machine to the user. This is lacking in, say, ATM transactions today (in the U.S. at least), which is one of the concerns the article talks about. However, while this system has the "side effect" of providing the user with some chance of noticing a fake machine (depending on details of how the system were implemented and deployed), it would be better to approach a design with the specific goal of validating the machi

Re:

[dreamchaser (49529)]

That's ok, you didn't get first post anyways.

(I did the same thing once btw, don't feel bad :-) )

Re:

[morgan_greywolf (835522)]

And within a month, someone will figure out a way to crack it. It's inevitable.

Obvious. It's vulnerable to some of the same techniques that passwords are vulnerable -- sniffing (assuming no encryption was also used), man-in-the-middle, keyboard (mouse) sniffer, malicious code, etc.

Re:

[Sancho (17056)]

I do this. My right hand types in my PIN, while my left hand provides cover. I get funny looks from people who are nearby, but that just justifies me.

Then again, I'm pretty paranoid about ATM use. Typically, I only go to the one at my bank, and I check it for signs of tampering before I use it. I'm familiar with the machine, so I'm hoping that if an outer casing was placed on top of it, I'd notice.

Re:

[mrxak (727974)]

They still need to steal your card though, and unless you're pretty careless you'll notice when they do, and then you can call your bank and have your card deactivated. This strikes me as a little less secure than an ATM.

Re:

[Yetihehe (971185)]

Maybe using directional microphone to listen for characteristic noise of vibrating trackball? See, you didn't have to wait whole month.

Re:

[thomasdz (178114)]

Aww crap... sorry... I thought TFA was about Encryption, not Authentication... so instead of a potential +5 Funny, I get a -1 Irrelevant.
That's what I get for posting at 5:30am before I've had my caffeine.

Re:

[thePowerOfGrayskull (905905)]

Nonetheless, a smooth recovery...

Re:

[apathy maybe (922212)]

Screen recorder.

If your attacker can install software on the machine (e.g. keylogger), then they can just install a screen recorder and set it to run whenever certain software is run (such as your rotating keypad program). (That would be to limit the amount of crap that has to be saved).

Oh well.

Re:

[somersault (912633)]

If you have managed to install a program on an ATM then I don't think you need to bother with any program other than one to operate the bit where the money comes out..? I have been saddened and amused before upon seeing ATMs with BSODs, and one with a Windows desktop on it. I thought that they'd use custom systems..

Re:

[rickb928 (945187)]

You ARE special.

Just like everybodyu else.