MS to Trade Passwords for 2-Factor Authentication

Posted by timothy on Wed Mar 16, 2005 02:43 PM
from the something-borrowed-something-blue dept.
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
  • MS version (Score:5, Funny)

    by Anonymous Coward on Wednesday March 16 2005, @02:46PM (#11956647)

    Two Factor Authentication, MS style (with apologies to Monty Python).

    "What... is your name..."
    "What... is your favourite colour?"
  • It has its uses... (Score:5, Insightful)

    by winkydink (650484) * <sv.dude@gmail.com> on Wednesday March 16 2005, @02:48PM (#11956667) Homepage Journal
    Two-factor authentication is not useless. It works for local login, and it works within some corporate networks.

    I suspect that this is just MS responding to their corporate customers' requests.

      • by Jeremiah Cornelius (137) on Wednesday March 16 2005, @03:42PM (#11957365) Homepage Journal
        Voiceprint, please...

        Now speak the following phrase clearly into the microphone:
        "When tweedle beetles battle, it's called a tweedle beetle battle
        and when they battle in a puddle, it's called a tweedle beetle puddle battle
        AND
        when beetles battle beetles with paddles in a puddle, THIS is what they call...
        a tweedle beetle puddle paddle battle
        AND
        when the beetle puddle paddle battle is a battle in a bottle THIS is what they call...
        a tweedle beetle bottle battle puddle paddle muddle!"

        Voiceprint recorded. Please repeat for verification...

  • Logging in (Score:5, Funny)

    by consumer_whore (652448) on Wednesday March 16 2005, @02:48PM (#11956674)
    Does that mean I have to type in 'password' twice?
  • by MBraynard (653724) on Wednesday March 16 2005, @02:51PM (#11956707) Journal
    To review, two-factor authentication consists of:

    Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

    Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

    Source [itsecurity.com].

  • by Anonymous Coward on Wednesday March 16 2005, @02:51PM (#11956708)
    The computer industry should take a clue from the financial services sector. All you need for any system is a simple login screen:

    Name:__________
    Email address:_________
    Birthdate:__________
    Last four digits of SSN:________
    Mother's maiden name:___________
    [OK] [Cancel]

    Instant, foolproof security with no hardware to deal with or passwords to remember.

  • by datastalker (775227) on Wednesday March 16 2005, @02:51PM (#11956724) Homepage
    ...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.

    Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.

    With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.

  • by lseltzer (311306) on Wednesday March 16 2005, @02:56PM (#11956783)
    Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.

    But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.
  • by Anonymous Coward on Wednesday March 16 2005, @02:56PM (#11956794)
    ...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.
  • by SuperKendall (25149) * on Wednesday March 16 2005, @03:15PM (#11957032)
    To put a slight twist on the normal definition, for the home user two-factor is defined as:

    1) Something you can lose
    2) Something you can forget

    I thought it was already pretty adventurous of OS X to make users log in all the time, to also provide a user something they can lose... that seems like it will have issues.

    It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.
  • by BeBoxer (14448) on Wednesday March 16 2005, @03:25PM (#11957154)
    While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.

    I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.

    How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.

    Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.

  • by tliet (167733) on Wednesday March 16 2005, @04:25PM (#11957919)
    Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.

    After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.

    This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
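    As an added example (my own code, not from any poster or from a real token product), this Python models the symmetric "token calculator" that BeBoxer's and tliet's posts describe: any relying party holding the fob's seed can compute its codes, one seed per party removes that exposure, and a challenge that encodes the transaction binds the authorisation code to what is being approved. Assumed: HMAC-SHA1 with RFC 4226-style truncation as the code derivation, and constructed seeds and challenge strings.

```python
import hashlib
import hmac
import struct

# Constructed seeds for illustration only; a real fob is provisioned with a
# random secret that never leaves the device and the issuing server.
FOB_SEED = b"constructed-fob-seed-0123456789abcdef"
BANK_SEED = b"constructed-bank-only-seed"
WORK_SEED = b"constructed-employer-only-seed"

# Constructed challenges: what the server asks the fob to answer.
LOGIN = b"login:2005-03-16T14:48"
TRANSFER = b"transfer:EUR 5000:NL00CONSTRUCTED000"


def token_code(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Assumed model of a symmetric token calculator: HMAC-SHA1 over the
    challenge, truncated to decimal digits in the style of RFC 4226."""
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def verifier_accepts(server_secret: bytes, challenge: bytes, code: str) -> bool:
    """What the relying party's server does: recompute and compare in
    constant time. Anyone holding server_secret can pass this check."""
    return hmac.compare_digest(token_code(server_secret, challenge), code)


def shared_seed_lets_employer_spoof_user() -> bool:
    """Bank and employer both hold FOB_SEED, so the employer's server can
    answer the bank's challenge exactly as the user's fob would."""
    forged_by_employer = token_code(FOB_SEED, LOGIN)  # no fob involved
    return verifier_accepts(FOB_SEED, LOGIN, forged_by_employer)


def separate_seeds_block_spoof() -> bool:
    """A multi-key fob holds one seed per relying party; the employer's
    copy of WORK_SEED produces codes the bank's server rejects."""
    forged_by_employer = token_code(WORK_SEED, LOGIN)
    return verifier_accepts(BANK_SEED, LOGIN, forged_by_employer)


def transaction_bound_codes() -> tuple:
    """The bank's second challenge encodes the transaction itself, so the
    code entered at login cannot authorise a transfer; only a code computed
    over the transfer details (the card-plus-PIN step) is accepted."""
    login_code = token_code(BANK_SEED, LOGIN)
    transfer_code = token_code(BANK_SEED, TRANSFER)
    return (verifier_accepts(BANK_SEED, TRANSFER, login_code),
            verifier_accepts(BANK_SEED, TRANSFER, transfer_code))
```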
    • by Sycraft-fu (314770) on Wednesday March 16 2005, @02:51PM (#11956719)
      A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

      Something you have (a key, a smartcard)
      Something you know (a password, a PIN)
      Something you are (a fingerprint, a voiceprint)

      It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
      • by halo8 (445515) on Wednesday March 16 2005, @03:03PM (#11956886)
        thanx for answering that question.

        gawd... i can just see it now, longhorn is also "for home users"

        T: thank you for calling mircosoft
        C: yesM i just got back from them there hospital, i done lost my finger in me JhonDeer 600GT riding lawnwoer
        T: uhh.. yessss... and..
        C: well they couldnt re-attach it ya see
        T: riiiighhttt...
        C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner
        • by The Angry Mick (632931) on Wednesday March 16 2005, @03:49PM (#11957461) Homepage
          C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner

          MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.

      • by nine-times (778537) <nine.times@gmail.com> on Wednesday March 16 2005, @03:30PM (#11957204) Homepage
        A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

        Something you have (a key, a smartcard)
        Something you know (a password, a PIN)
        Something you are (a fingerprint, a voiceprint)

        It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

        On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

        I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

    • by Infinityis (807294) on Wednesday March 16 2005, @02:52PM (#11956743) Homepage
      As far as I can tell, two factor identification is the dualization of the encryptable factorization process. When the vector based finglestrup is elongated to the point of dypstrontinazation, we find that standard passwords are, in a word, flangoozled. By dishappening the estronable bases, the possibility of grolingering becomes ziponified. All that said, I fully support two factor identification, and you should too.

      Hopefully that helps...
    • by Anonymous Coward on Wednesday March 16 2005, @02:57PM (#11956798)
      Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!
    • by GMFTatsujin (239569) on Wednesday March 16 2005, @02:57PM (#11956811) Homepage
      I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.

      Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.

      I can't complain about that; security is actually *really tough* to pull off.
    • I'm sure it'll be something like the following:

      "Please enter your login"

      "Thank you, please enter your password"

      "So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"

      Kinda like AdSense, but much more intrusive...