Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
So now instead of torturing me... (Score:5, Insightful)
Nice!
How long before we can get an open-source version? (Score:2, Insightful)
A better question would be (Score:2, Insightful)
Passwords? What for ? (Score:3, Insightful)
They'd better fix their software first.
Linux is missing an opportunity (Score:3, Insightful)
Re:hard and soft (Score:5, Insightful)
Think about this before assuming biometrics is the answer:
- then how do you get your identity back?
Correct me if I'm wrong, but. . . (Score:3, Insightful)
I think this is the wrong approach (Score:3, Insightful)
Finally, it offers no protection still. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with
This system offers much less security than now, and the last few drops of respect I had for
Smartcards and MS Passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine
It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more than a marketing act. I beg of the Mono people to offer a proper decentralised authentication system instead, like one based on Jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use
Re:a bunch of marketing speak (Score:3, Insightful)
HA! RMS was there first! (Score:3, Insightful)
Um... no? (Score:5, Insightful)
You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
Comment removed (Score:3, Insightful)
I rarely use passwords now... (Score:3, Insightful)
Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.
Re:A better question would be (Score:3, Insightful)
There is. It is perfectly possible to use an SSH or kerberos key with no password to go with it. Its not a good idea though, and having the key stored on a smartcard does not make it one.
Re:HA! RMS was there first! (Score:2, Insightful)
Re:.NET? (Score:4, Insightful)
that is bullshit. a large amount of crime is opportunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.
Re:News? (Score:1, Insightful)
What OS? A smartcard doesn't need an OS, or an interpreter, or any shit like that. All it needs is an implementation of the authentication and communications protocols, nothing more, nothing less. Then again, Billy's shop has been known to overdesign stuff before. By, like, a factor of 10, maybe. I've written some Windows drivers where for 500 lines of functional code there are 5000 lines of code that have the single function of coping with the API. Now they've stuck a CLR on a smart card - what a great achievement of technology - it would be more appropriate stuck up their arse.
Re:I think this is the wrong approach (Score:3, Insightful)
Credit cards have a PIN, contain no customer details, and the ATM eats your card after 5 bad entries. Many ATMs also take your photo, so it's harder to use it. Finally, ATMs generally only let you extract a small amount each transaction, so it isn't that easy.
Internet doesn't have a photo or restrictions, so you can log into a
tyranny of the monopoly majority (Score:3, Insightful)
The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!
Re:end of passwords - not (Score:3, Insightful)
Re:hard and soft (Score:5, Insightful)
The same applies for a smartcard, doesn't it ?
No, it doesn't. If your smart card gets compromised, destroy it and get a new card with a new key. If someone manages to steal your fingerprint, you cannot change the media or key you authenticate with. The person did not only steal a material token that is linked to your identity; an unchangeable characteristic that should be uniquely assigned to you now is not referring only to your person. Someone literally stole your identity. To the ATM machine, he's not only the one in possession of your ATM card anymore: he is you.
Open Source Alternative (Score:2, Insightful)
Smart Card Module for J2SE:
http://www.gemplus.com/smart/r_d/publications/pdf/GG00jaas.pdf [gemplus.com]
Cheers,
Tyler
Re:.NET? (Score:4, Insightful)
Re:And over in Java... (Score:3, Insightful)
This is actually a valid business model to some degree.
For those of us who don't like it, we've failed the world by not telling them about these things before Microsoft did.
Kerberos pre-existed Win2k3 by a long shot and directory services pre-existed it too. But who bothered telling the users that?
Re:hard and soft (Score:3, Insightful)
Even simpler. Biometrics is a layer on top of authentication that simply authenticates the key supplied by the biometrics. Even keycard access can be backed by a PIN to authenticate that the holder of the card is who the card proclaims them to be.
The actual authentication is going to be a communication of ID to a server on a challenge/response basis; sidestepping the biometric step and cracking directly is likely to be a lot easier because of the _ASSUMPTION_ of security.
Re:hard and soft (Score:5, Insightful)
If compromised, get a new device with a new salt. It is basically like a new identity (you'd have to revalidate with every authentication you had). If the perp just got your salted code, it is worthless. If he got your fingerprint, he still needs to get your new device to get a valid biometric/salt *pair*.
Now top it off with a PIN, and you have the holy grail. Something you are, something you have, something you know. Use any subset which is enough. In most cases, what you are/have (fingerprint/salt) should be enough. It'd certainly raise the bar another notch or two.
Kjella
passwords will never go away (Score:5, Insightful)
How long before.... ? (Score:3, Insightful)
I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
With this certification process, the vendor testifies that the software and hardware work as advertised and no "unpleasant surprises" happen.
Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).
About the only chance that something like this is going to come to the OSS world is that someone puts forward a lot of money and essentially pays the vendor for the certification.
In Europe, usually the taxpayer does something like this, but in Slashdot's home country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public, who instead believe in privatization, tax cuts and "trickle down".
You can probably imagine when such a thing will "trickle down" onto open-source software.
cheers,
Rainer
Translation of phrase "Bill Gates Predicts" (Score:3, Insightful)
translation:
Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.
Re:It is called Kerberos (Score:3, Insightful)
Right. Though Kerberos existed even before Linux ;-)
Reminds me of an old AI story (Score:5, Insightful)
So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though!
Re:Um... no? (Score:3, Insightful)
Iris pictures are even easier to obtain than fingerprints; no material contact is necessary.
3 different types... (Score:4, Insightful)
What they are teaching is that there are three main types of authentication:
Something you have - A smartcard, something physical.
Something you are - a fingerprint, biometrics.
Something you know - a password in ya head.
The whole idea is that you combine these for stronger protection.
To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types, and passwords are still handy to add that extra layer.
Re:hard and soft (Score:4, Insightful)
You have to hand it to BillG (Score:3, Insightful)
Re:Man in the middle attacks? (Score:4, Insightful)
A smart card contains a microprocessor that can sign stuff that the PC sends to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.
The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...
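The challenge/response exchange described in this comment (and in the "hard and soft" replies above about revoking a compromised card and getting a new key), as an added example that is not from any of the posters and not Microsoft's or Axalto's design. It is a host-side simulation in Go: the `Card` type keeps its Ed25519 private key in an unexported field that only `Sign` touches, standing in for key material that never leaves the silicon, and the `Verifier` type plays the server, issuing single-use random challenges, checking signatures against the enrolled public key, rejecting replays, and refusing a card once its serial has been revoked. The serial numbers and the in-memory maps are constructed for the example; a real deployment would persist enrollment state and use the card's own certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card models the token: the private key is unexported, so the only thing
// the host PC can obtain from it is a signature over a challenge it supplies.
type Card struct {
	serial string
	priv   ed25519.PrivateKey
}

// NewCard generates a fresh key pair on the "card"; serial is a constructed label.
func NewCard(serial string) (*Card, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{serial: serial, priv: priv}, nil
}

// PublicKey is what gets enrolled with the verifier; it is safe to export.
func (c *Card) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Sign is the only operation the host may ask of the card.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

var (
	ErrUnknownCard    = errors.New("card not enrolled or revoked")
	ErrStaleChallenge = errors.New("challenge not outstanding (replayed or never issued)")
	ErrBadSignature   = errors.New("signature does not verify under enrolled key")
)

// Verifier is the server side: enrolled public keys per serial, plus the set
// of challenges it has issued and not yet consumed.
type Verifier struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string]bool // hex(challenge) -> still outstanding
}

func NewVerifier() *Verifier {
	return &Verifier{enrolled: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Enroll registers a card's public key; Revoke removes it, which is how a lost
// or compromised card is retired without touching any other credential.
func (v *Verifier) Enroll(serial string, pub ed25519.PublicKey) { v.enrolled[serial] = pub }
func (v *Verifier) Revoke(serial string)                        { delete(v.enrolled, serial) }

// Challenge issues a fresh 32-byte random nonce and remembers it so that the
// matching response can be accepted exactly once.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify consumes the challenge (single use, whether or not the signature is
// good) and then checks the signature under the key enrolled for the serial.
func (v *Verifier) Verify(serial string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !v.pending[key] {
		return ErrStaleChallenge
	}
	delete(v.pending, key)
	pub, ok := v.enrolled[serial]
	if !ok {
		return ErrUnknownCard
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	card, err := NewCard("card-1")
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Enroll("card-1", card.PublicKey())

	ch, _ := v.Challenge()
	sig := card.Sign(ch)
	fmt.Println("first login:", v.Verify("card-1", ch, sig))  // <nil>
	fmt.Println("replayed:   ", v.Verify("card-1", ch, sig))  // stale challenge

	v.Revoke("card-1") // card reported lost: old key is dead, nothing else changes
	ch2, _ := v.Challenge()
	fmt.Println("after revoke:", v.Verify("card-1", ch2, card.Sign(ch2))) // unknown card
}
```

Note what the simulation does and does not prove: a good signature only shows that the enrolled key was used on this challenge, exactly the point the comment makes about malware on the host being able to drive the card while its owner is away from the keyboard. Presence or intent needs a second factor outside the host (a PIN entered on the card's own keypad, or a display confirming the transaction), which is why the card-with-keyboard and trusted-PC remarks above are not optional extras.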
Re:hard and soft (Score:2, Insightful)
And you'd carry them back ... how?