Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

New Authentication Scheme Proposed

Posted by Soulskill on Fri Feb 08, 2008 09:21 AM
from the more-secure-less-portable dept.
Security Hardware
jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."

Related Stories

Firehose:New Authentication Scheme Proposed by jerel (112066)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

New Authentication Scheme Proposed 25 Comments More | Login /

 Full
 Abbreviated
 Hidden
More | Login
Keybindings Beta
Q W E
A S D
Loading ... Please wait.

  • For increased portability... (Score:5, Funny)

    by sakdoctor (1087155) on Friday February 08, @09:35AM (#22347586) Homepage
    ...I suggest a booth with a dance dance revolution mat inside.
    When the user is asked to enter their password they enter the booth, shut the door and strut their funky password.

    • Re: (Score:2, Funny)

      by Tolkien (664315)
      Employer: Is your password really that long? Come on! Hurry up and finish already.
      Me(from within the booth after 5 minutes of dancing): Ssssh, I'm trying to concentrate - this is the best part!

  • Why oh why develop new fancy ways to authenticate that still rely on a one factor (the image portfolio) when 3 factor authentication (eg. username + password + one time pad with challenge and response codes) just works, as snooping the username and pw doe

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Wouldn't that only be two factor authentication? Username and password only count as one factor (something you know) and the pad is the second factor (something you have.) In order to be three factor you would also need something you are.

  • Keypad (Score:5, Interesting)

    by mpickut (721322) on Friday February 08, @09:38AM (#22347608)
    I've seen keypads with digital readout on the keys used in jails (my job takes me in and out of jails frequently). The keypad scrambles the digits each time and there is a prism-type covering over the keys so that unless you are looking directly at it you cannot see the numbers on each key. In order to see the numbers you need to stand in such a way that no one else can see them (your head blocks their view from the only angle the numbers are readable from).

    I tried to get the code by watching as the guards let me in and out, just to see how effective it was, and can say that I never succeeded in even getting close. What was even better is that from talking to the offenders I learned that they thought they knew the codes by watching the patterns the keys were pressed by the guards -- I didn't have the heart to tell them that using the pattern they had watched would actually punch in a different code than the one the guards used. I did make sure one of the guards knew about it though.

    • Re:Keypad (Score:5, Funny)

      by anothy (83176) on Friday February 08, @09:57AM (#22347722) Homepage

      my job takes me in and out of jails frequently
      yeah, that and the early burnout are the two big problems with a career in the narcotics trade.

      on the upside, you get to set your own hours.
      [ Parent ]

      • Re: (Score:2)

        by rickb928 (945187)
        Hey, he (?) may not be a drug dealer. He might be a lawy...

        Never mind, you were pretty much on the right track...

        • Re:Keypad (Score:4, Funny)

          by mpickut (721322) on Friday February 08, @11:30AM (#22348830)
          Don't you dare call me a lawyer! We heroin addicts have enough of a image problem without being linked to those soulless drains upon society. At least if you made heroin legal we would stop stealing and stay to ourselves.

          [ Parent ]

    • Re: (Score:2)

      by Eternauta3k (680157)

      (my job takes me in and out of jails frequently)
      Burglar?

  • Small sample size (Score:2, Interesting)

    by ssjx (1235532)
    They seem to have big plans for this yet have only tested it with 38 users?

  • This would NEVER work out (Score:3, Insightful)

    by brunes69 (86786) <(gro.daetsriek) (ta) (todhsals)> on Friday February 08, @09:57AM (#22347730) Homepage
    It is a cool idea, that is for sure, but it would never leave the lab. Why? Because these guys are obviously not usability engineers. The idea that the function of a button changes based on some random event, and the system will tell you which button means what before you click it, is not usable.

    I would like to see a formal usability study done on this thing I don't think it would get very far. I see they had some informal study going on where they had participation and error rates, but no data on what kind of users.

  • Overly complicated (Score:4, Insightful)

    by ddrichardson (869910) on Friday February 08, @10:08AM (#22347822) Homepage

    The problem with this type of system is that in order to protect the data you are asking the user to go through much more of a rigmarole than entering a password. Here in lies the problem, users will hate this, I mean good security practice is a balance of securing against likely threats and practicality.

    I can't see what this does that a fingerprint scanner doesn't. I could be wrong but I can't think of a way to use a keylogger to capture it and it certainly stops someone looking over your shoulder.

  • Yeah, but the real question is... (Score:5, Funny)

    by Prototerm (762512) on Friday February 08, @10:21AM (#22347946)
    Would I be able to still fit my password on that yellow sticky note I keep on the monitor?
  • Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

    • Re:The problem with authentication is authenticati (Score:4, Insightful)

      by Psiren (6145) on Friday February 08, @11:18AM (#22348680)

      Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.
      How can your authorize something, unless you know who you're authorizing? The two go hand in hand, I can't see how you can have one without the other.
      [ Parent ]
      • How can your authorize something, unless you know who you're authorizing?

        You've asked the right question. You can find an intro here [wikipedia.org]. That article links to arguably the best authorization scheme: capability-based security [wikipedia.org], where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.
        [ Parent ]

          • Re: (Score:3, Interesting)

            by naasking (94116)
            1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and

            You pose some good questions which I intend to address, but first there are a number of assumptions in this one state

              • Re: (Score:3, Interesting)

                by naasking (94116)
                I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion.

                If by "multi-user networked systems" you mean systems which host multiple competing interests which are mutually suspicious, then I agree. The

    • Re: (Score:2)

      by dreamchaser (49529)
      That's ok, you didn't get first post anyways.

      (I did the same thing once btw, don't feel bad :-) )

    • Re: (Score:2, Informative)

      by morgan_greywolf (835522)

      And within a month, someone will figure out a way to crack it. It's inevitable.
      Obvious. It's vulnerable to some of the same techniques that passwords are vulnerable -- sniffing (assuming no encryption was also used), man-in-the-middle, keyboard (mouse) sniffer, malicious code, etc.

    • Re: (Score:2)

      by Yetihehe (971185)
      Maybe using directional microphone to listen for characteristic noise of vibrating trackball? See, you didn't have to wait whole month.

    • Re: (Score:3, Funny)

      by thomasdz (178114)
      Aww crap... sorry... I thought TFA was about Encryption, not Authentication... so instead of a potential +5 Funny, I get a -1 Irrelevant.
      That's what I get for posting at 5:30am before I've had my caffeine.

    • Re: (Score:2)

      by apathy maybe (922212)
      Screen recorder.

      If your attacker can install software on the machine (e.g. keylogger), then they can just install a screen recorder and set it to run whenever certain software is run (such as your rotating keypad program). (That would be to limit the amoun

      • Re: (Score:2)

        by somersault (912633)
        If you have managed to install a program on an ATM then I don't think you need to bother with any program other than one to operate the bit where the money comes out..? I have been saddened and amused before upon seeing ATMs with BSODs, and one with a Wind
Check for more

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.