New Authentication Scheme Proposed

Posted by Soulskill on Fri Feb 08, 2008 09:21 AM
from the more-secure-less-portable dept.
jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."
This discussion has been archived. No new comments can be posted.
  • by sakdoctor (1087155) on Friday February 08 2008, @09:35AM (#22347586)
    ...I suggest a booth with a dance dance revolution mat inside.
    When the user is asked to enter their password they enter the booth, shut the door and strut their funky password.
    • Employer: Is your password really that long? Come on! Hurry up and finish already.
      Me(from within the booth after 5 minutes of dancing): Ssssh, I'm trying to concentrate - this is the best part!
  • Why oh why develop new fancy ways to authenticate that still rely on one factor (the image portfolio) when 3-factor authentication (e.g. username + password + one-time pad with challenge and response codes) just works, as snooping the username and pw doesn't give you the one-time pad with challenges and responses, and stealing the pad doesn't give you the username and pw.

    That is the principal method of authentication used by web banks, at least in Finland and other sensible countries :)

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Wouldn't that only be two factor authentication? Username and password only count as one factor (something you know) and the pad is the second factor (something you have.) In order to be three factor you would also need something you are.
  • Keypad (Score:5, Interesting)

    by mpickut (721322) on Friday February 08 2008, @09:38AM (#22347608)
    I've seen keypads with digital readout on the keys used in jails (my job takes me in and out of jails frequently). The keypad scrambles the digits each time and there is a prism-type covering over the keys so that unless you are looking directly at it you cannot see the numbers on each key. In order to see the numbers you need to stand in such a way that no one else can see them (your head blocks their view from the only angle the numbers are readable from).

    I tried to get the code by watching as the guards let me in and out, just to see how effective it was, and can say that I never succeeded in even getting close. What was even better is that from talking to the offenders I learned that they thought they knew the codes by watching the patterns the keys were pressed by the guards -- I didn't have the heart to tell them that using the pattern they had watched would actually punch in a different code than the one the guards used. I did make sure one of the guards knew about it though.
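The Undercover scheme in the story summary and the scrambled jail keypad mpickut describes share one structural idea: a per-attempt secret mapping between what an observer can see (which button or key position is pressed) and what that press actually means. The following is an added toy model of that idea in Python; it is not code from the Undercover paper or from any keypad product, and its simplifications (one fresh random layout per attempt, a four-digit PIN, a position-only observer) are assumptions. It shows why a replayed sequence of observed positions decodes to a different code under the next layout, and it also shows the one thing a position-only observer still learns, which is which entries of the PIN repeat, since equal digits land on the same physical key within one layout.

```python
"""Toy model of a scrambled-keypad / hidden-mapping challenge (added illustration,
not the Undercover paper's code nor any real keypad's firmware).

Assumed model: each attempt shows digits 0-9 in a fresh random order on ten
physical key positions.  The user presses the positions where the PIN digits
appear.  An observer sees only the positions pressed, never the digits."""

import math
import random
from fractions import Fraction
from typing import Dict, List, Sequence

DIGITS = "0123456789"


def random_layout(rng: random.Random) -> str:
    """Return a 10-char string where layout[position] is the digit shown there."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return "".join(digits)


def presses_for_pin(pin: str, layout: str) -> List[int]:
    """Positions the legitimate user presses to enter `pin` under `layout`."""
    return [layout.index(d) for d in pin]


def pin_from_presses(presses: Sequence[int], layout: str) -> str:
    """What the terminal decodes from pressed positions under `layout`."""
    return "".join(layout[p] for p in presses)


def verify(expected_pin: str, presses: Sequence[int], layout: str) -> bool:
    """Terminal-side check: decode the presses with the layout it displayed."""
    return pin_from_presses(presses, layout) == expected_pin


def equality_pattern(presses: Sequence[int]) -> List[int]:
    """What a position-only observer still learns: the repetition structure of
    the PIN.  First distinct position -> 0, next new one -> 1, and so on.
    A PIN of four identical digits therefore shows up as [0, 0, 0, 0]."""
    seen: Dict[int, int] = {}
    return [seen.setdefault(p, len(seen)) for p in presses]


def replay_probability(pin: str) -> Fraction:
    """Exact chance that replaying the observed positions against a fresh,
    uniformly random layout happens to decode to the same PIN.  With k distinct
    digits, k of the 10 layout slots are pinned down, leaving (10-k)! of the
    10! layouts, hence (10-k)!/10!."""
    k = len(set(pin))
    return Fraction(math.factorial(10 - k), math.factorial(10))


if __name__ == "__main__":
    rng = random.Random(2008)          # constructed seed for a reproducible demo
    pin = "1234"                       # constructed sample PIN
    layout_a = random_layout(rng)
    presses = presses_for_pin(pin, layout_a)
    print("layout A :", layout_a, " presses:", presses,
          " verify:", verify(pin, presses, layout_a))
    layout_b = random_layout(rng)
    print("layout B :", layout_b, " replayed presses decode to:",
          pin_from_presses(presses, layout_b))
    print("observer learns only the repetition pattern:", equality_pattern(presses))
    print("replay success chance for", pin, "=", replay_probability(pin))
```

The design point for a defender is the last two functions: a per-attempt mapping neutralises observation of the pressed positions, but it does not hide the equality structure of the secret, so a PIN with repeated digits gives a shoulder-surfer slightly more than nothing. Undercover's trackball signal has the same property in miniature: it hides which answer a button means, not that the same button was pressed twice.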
    • Re:Keypad (Score:5, Funny)

      by anothy (83176) on Friday February 08 2008, @09:57AM (#22347722) Homepage

      my job takes me in and out of jails frequently
      yeah, that and the early burnout are the two big problems with a career in the narcotics trade.

      on the upside, you get to set your own hours.
      • Hey, he (?) may not be a drug dealer. He might be a lawy...

        Never mind, you were pretty much on the right track...
        • Re:Keypad (Score:4, Funny)

          by mpickut (721322) on Friday February 08 2008, @11:30AM (#22348830)
          Don't you dare call me a lawyer! We heroin addicts have enough of an image problem without being linked to those soulless drains upon society. At least if you made heroin legal we would stop stealing and stay to ourselves.

    • (my job takes me in and out of jails frequently)
      Burglar?
  • They seem to have big plans for this yet have only tested it with 38 users?
  • by brunes69 (86786) <<gro.daetsriek> <ta> <todhsals>> on Friday February 08 2008, @09:57AM (#22347730) Homepage
    It is a cool idea, that is for sure, but it would never leave the lab. Why? Because these guys are obviously not usability engineers. The idea that the function of a button changes based on some random event, and the system will tell you which button means what before you click it, is not usable.

    I would like to see a formal usability study done on this thing; I don't think it would get very far. I see they had some informal study going on where they had participation and error rates, but no data on what kind of users.

  • Overly complicated (Score:4, Insightful)

    by ddrichardson (869910) on Friday February 08 2008, @10:08AM (#22347822) Homepage

    The problem with this type of system is that in order to protect the data you are asking the user to go through much more of a rigmarole than entering a password. Herein lies the problem: users will hate this. I mean, good security practice is a balance of securing against likely threats and practicality.

    I can't see what this does that a fingerprint scanner doesn't. I could be wrong but I can't think of a way to use a keylogger to capture it and it certainly stops someone looking over your shoulder.

  • by Prototerm (762512) on Friday February 08 2008, @10:21AM (#22347946)
    Would I be able to still fit my password on that yellow sticky note I keep on the monitor?
  • Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.
    • by Psiren (6145) on Friday February 08 2008, @11:18AM (#22348680)

      Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.
      How can you authorize something, unless you know who you're authorizing? The two go hand in hand, I can't see how you can have one without the other.
      • How can you authorize something, unless you know who you're authorizing?

        You've asked the right question. You can find an intro here [wikipedia.org]. That article links to arguably the best authorization scheme: capability-based security [wikipedia.org], where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.
          • Re: (Score:3, Interesting)

            1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and

            You pose some good questions which I intend to address, but first there are a number of assumptions in this one statement which have led people astray in the past, so I want to address those first.

            The User: just about every single access control discussion, particularly informal ones like this thread, start by talking about "users". Talking about "users" quite naturally
              • Re: (Score:3, Interesting)

                I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion.

                If by "multi-user networked systems" you mean systems which host multiple competing interests which are mutually suspicious, then I agree. The vast majority of systems are computer programs communicating with other computer programs, some at the behest of a single user or multiple users, some based on a schedule, etc. If you can solve the problem of safe collaboration among mutually suspicious p
    • And within a month, someone will figure out a way to crack it. It's inevitable.
      Obvious. It's vulnerable to some of the same techniques that passwords are vulnerable to -- sniffing (assuming no encryption was also used), man-in-the-middle, keyboard (mouse) sniffer, malicious code, etc.
    • Maybe using a directional microphone to listen for the characteristic noise of the vibrating trackball? See, you didn't have to wait a whole month.
    • Aww crap... sorry... I thought TFA was about Encryption, not Authentication... so instead of a potential +5 Funny, I get a -1 Irrelevant.
      That's what I get for posting at 5:30am before I've had my caffeine.
    • Screen recorder.

      If your attacker can install software on the machine (e.g. keylogger), then they can just install a screen recorder and set it to run whenever certain software is run (such as your rotating keypad program). (That would be to limit the amount of crap that has to be saved).

      Oh well.
      • If you have managed to install a program on an ATM then I don't think you need to bother with any program other than one to operate the bit where the money comes out..? I have been saddened and amused before upon seeing ATMs with BSODs, and one with a Windows desktop on it. I thought that they'd use custom systems..