Security Microsoft Operating Systems Software Windows

Bill Gates Proclaims End of Passwords 488

KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"


  • hard and soft (Score:4, Interesting)

    by mirko ( 198274 ) on Tuesday November 16, 2004 @09:36AM (#10829086) Journal
    So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
    But what about biometrics ?
  • Hmmmm.... (Score:5, Interesting)

    by keeleysam ( 792221 ) on Tuesday November 16, 2004 @09:37AM (#10829092) Homepage Journal
    This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...
  • News? (Score:5, Interesting)

    by tuomasr ( 721846 ) on Tuesday November 16, 2004 @09:39AM (#10829115)
    This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
  • by Moonlapse ( 802617 ) on Tuesday November 16, 2004 @09:41AM (#10829146) Journal
    Being a member of MySony, they sent me an email and had me take a short survey, then decided to give me a free "wavecard" which is a Smart card with Felica technology. This is the contactless tech mentioned in the article. It requires software provided by Sony, and since I had the .NET runtimes installed already, I can't tell if .NET is really needed , I can say MS wasn't the first.
  • Re:hard and soft (Score:3, Interesting)

    by lukewarmfusion ( 726141 ) on Tuesday November 16, 2004 @09:45AM (#10829189) Homepage Journal
    This has been discussed many times. Biometrics are not a reliable way of handling security. Once compromised (and they can be compromised!) you're left with a "password" you cannot change.

    When used in conjunction with other security mechanisms, such as hardware smartcards, passwords, etc. then you've got a much better chance. For the basic user, biometric identification is probably OK. But you wouldn't want to rely on that for anything "secure."
  • by LabRat007 ( 765435 ) on Tuesday November 16, 2004 @09:47AM (#10829213) Homepage
    I actually like my password encrusted life. If I lose it, all I have to do is request another be emailed. If I forget my email password I just call my provider and answer a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
  • Re:News? (Score:5, Interesting)

    by bgat ( 123664 ) on Tuesday November 16, 2004 @09:58AM (#10829327) Homepage
    The "new" bit is that the smart card has a .NET interpreter, rather than an 8051/PIC/AVR/? microprocessor running a documented, proprietary, standards-based, stable OS or even Java. Embrace and extend.
  • by gilesjuk ( 604902 ) <giles@jones.zen@co@uk> on Tuesday November 16, 2004 @10:00AM (#10829338)
    Hardware security solutions require software to work, software can be cracked, therefore hardware solutions don't work.

    Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.

    Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? Why, you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.

    Bill needs to do some proper R&D instead of spouting obvious potential developments.

    It's simple, here we go:

    I predict the end of magnetic media.

    The mouse will be replaced.

    We will get tables where the whole surface is a touchscreen.

    Keyboards with changing key caps, the keys alter to suit the application.

    etc..
  • Re:Hmmmm.... (Score:3, Interesting)

    by peterprior ( 319967 ) on Tuesday November 16, 2004 @10:07AM (#10829413)
    Aye. pam-usb and a gpg key on a usb stick is always a nice way to authenticate in Linux
  • by AndroidCat ( 229562 ) on Tuesday November 16, 2004 @10:14AM (#10829476) Homepage
    What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?
  • by Nijika ( 525558 ) on Tuesday November 16, 2004 @10:19AM (#10829540) Homepage Journal
    ...but predicting the future isn't one of them. He does have a talent for molding the present to suit him, but he's more miss than hit when it comes to being an oracle of progress.

    He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?

    I know I wouldn't. Fhew!
  • by _|()|\| ( 159991 ) on Tuesday November 16, 2004 @10:20AM (#10829558)
    they should be innovating new technologies that make machines insensitive to dictionary attacks

    Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.

    Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.

    Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.

    If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
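Added example (not part of the comment above, and not any existing PAM module): both schemes the comment describes, in Python. Stretching uses the standard library's PBKDF2-HMAC with a stored salt and a large iteration count; strengthening mixes in a short random supplement that is thrown away, so every verification has to brute-force it. The iteration count, the supplement width and the salt are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# --- Stretching -------------------------------------------------------------
# The stored value is the result of many iterations of a keyed hash over
# password + salt. A legitimate check pays the cost once; a dictionary attack
# pays it once per candidate password.
ITERATIONS = 100_000  # constructed value; tune so one check takes a noticeable fraction of a second


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Return the stretched hash to store alongside the (public) salt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_stretched(password: bytes, salt: bytes, stored: bytes,
                     iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(stretch(password, salt, iterations), stored)


# --- Strengthening ----------------------------------------------------------
# A random supplement is hashed in and then discarded. Verification must try
# every possible supplement, so it costs up to 2**SUPPLEMENT_BITS hashes for
# the user and the same again for every candidate an attacker tries.
SUPPLEMENT_BITS = 12  # constructed value: 4096 possibilities


def _digest(password: bytes, salt: bytes, supplement: int) -> bytes:
    # Separator bytes keep (salt, password) pairs from colliding when concatenated.
    return hashlib.sha256(salt + b"\x00" + password + b"\x00"
                          + supplement.to_bytes(2, "big")).digest()


def strengthen(password: bytes, salt: bytes,
               supplement_bits: int = SUPPLEMENT_BITS) -> bytes:
    """Hash the password with a random supplement; only the hash is returned."""
    supplement = secrets.randbelow(1 << supplement_bits)
    stored = _digest(password, salt, supplement)
    # The supplement is deliberately neither stored nor returned.
    return stored


def verify_strengthened(password: bytes, salt: bytes, stored: bytes,
                        supplement_bits: int = SUPPLEMENT_BITS) -> bool:
    """Brute-force the discarded supplement; succeeds only for the right password."""
    for supplement in range(1 << supplement_bits):
        if hmac.compare_digest(_digest(password, salt, supplement), stored):
            return True
    return False


def attack_cost_hashes(dictionary_size: int,
                       supplement_bits: int = SUPPLEMENT_BITS) -> int:
    """Worst-case number of hashes an offline dictionary attack needs
    against one strengthened hash."""
    return dictionary_size * (1 << supplement_bits)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    pw = b"correct horse battery"
    stored = strengthen(pw, salt)
    print("strengthened check ok:", verify_strengthened(pw, salt, stored))
    print("wrong password rejected:", not verify_strengthened(b"guess", salt, stored))
    print("hashes for a 10k-word dictionary:", attack_cost_hashes(10_000))
```

The two knobs are independent: stretching sets a fixed per-check cost that the server controls, while strengthening's cost is a random fraction of the supplement space per legitimate check and the full space per wrong guess, which is why the comment notes it slows legitimate authentication as well.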

  • Re:hard and soft (Score:3, Interesting)

    by xanadu-xtroot.com ( 450073 ) <xanaduNO@SPAMinorbit.com> on Tuesday November 16, 2004 @10:40AM (#10829796) Homepage Journal
    If someone steals an impression or picture of your fingerprint

    OK, long story short, I'm a Network Administrator (sysop, Computer Geek, Asshole, and/or whatever else name(s) we get called in the office...). Currently I'm working in the Photo/Electronics department of the local K-Mart (again, long story... thanx W...). I process 80 or so rolls of film every day. I'm sure my finger print has ended up on some of those...

    Just a word to the wise...
  • by MattCohen ( 563977 ) on Tuesday November 16, 2004 @10:48AM (#10829884)
    One of the assumptions of a smart card solution (or a USB solution or a biometrics solution) is that the user has access to a computer that supports such a solution. In my business, I deal with mobile professionals that use many computers and other devices, many of which they do not control and could not install hardware or software on to support those types of authentication tokens, even if they were technically capable of it. For those types of applications, standalone keyfob type tokens (Secure Computing, RSA, etc.) still seem to be the best choice.
  • by DHam ( 138606 ) on Tuesday November 16, 2004 @10:58AM (#10830013) Homepage
    It also conveniently solves the shop-at-home problem too (but does require that you have a smart card reader connected to your computer).


    We already have this for net banking. My debit card has a chip on it (which is also used for stored value smart card stuff) and to authenticate to the banks website, I use a reader supplied by the bank.

    The process works like this:

    1. The bank sends me a challenge (number).
    2. I authenticate to my card by keying my PIN in on the smart card widget.
    3. I key the challenge into the widget and get a response.
    4. I send the response back to the bank.

    Using basic public key signing, the bank now knows that it's me. In accordance with good crypto practice, all the security is in the key so I can use anyone's widget for the operation. Since it's a separate widget, I don't even have to trust my computer not to steal the pin - the computer only gets to see the one time challenges and responses
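Added example, not the bank's code or part of the comment above: a model of the four-step exchange in Python. The card class stands in for the chip plus hand-held reader (key inside, PIN unlocks it, retry counter), and the bank class issues one-time challenges and checks responses. One swap is made plainly: the card's public-key signature is replaced by an HMAC that both card and bank can compute, because the standard library has no signature primitive; everything else (PIN never reaching the PC, fresh challenge per login, a response usable once) follows the comment. Key, PIN and user name are constructed values.

```python
import hashlib
import hmac
import secrets


def response_code(key: bytes, challenge: str) -> str:
    """Compress a MAC over the challenge into an 8-digit code a person can key by hand.
    Stand-in for the card's signature: a real card would sign with a private key and
    the bank would verify with the matching public key."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """Constructed stand-in for chip + widget: the key never leaves it, the PIN unlocks it."""
    MAX_TRIES = 3

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self._unlocked = False
        self.tries_left = self.MAX_TRIES

    def enter_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # blocked after too many wrong PINs, as a lost card should be
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self.tries_left = self.MAX_TRIES
            return True
        self.tries_left -= 1
        return False

    def respond(self, challenge: str) -> str:
        if not self._unlocked:
            raise PermissionError("enter PIN first")
        self._unlocked = False  # one response per PIN entry
        return response_code(self._key, challenge)


class Bank:
    def __init__(self):
        self._keys = {}
        self._outstanding = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> str:
        c = f"{secrets.randbelow(10**8):08d}"  # fresh random number per login attempt
        self._outstanding[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self._outstanding.pop(user, None)  # each challenge is consumed on first use
        if c is None or user not in self._keys:
            return False
        return hmac.compare_digest(response_code(self._keys[user], c), response)


def login_from_pc(bank: Bank, user: str, widget) -> bool:
    """The PC's whole role: relay the challenge to the person and the response back.
    It never handles the PIN or the key, so malware on it learns only one-time values."""
    challenge = bank.challenge(user)
    response = widget(challenge)
    return bank.verify(user, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed card key
    card, bank = Card(key, "1234"), Bank()
    bank.enroll("alice", key)
    card.enter_pin("1234")                  # typed on the widget, not the PC
    print("login ok:", login_from_pc(bank, "alice", card.respond))
```

An 8-digit response gives an attacker who captured nothing a 1 in 10^8 chance per guess, so the bank side still needs attempt limiting; the value of the scheme is that a captured challenge/response pair is worthless for any later login.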

  • hardening windows (Score:2, Interesting)

    by Keruo ( 771880 ) on Tuesday November 16, 2004 @10:59AM (#10830019)
    Instead of using plain card authorization, I'm using third party software from inflexpoint, which offers usb key login.
    This software allows me to embed user accounts to certain usb mass storage and if the usbkey is removed from the port, the machine automatically logs out current user and refuses to login another unless the correct drive assigned to the account is connected to the machine.

    In addition to the token+password login, I'm using the EFS which is built-in to xp, which encrypts all my files with aes-256 on the fly.

    Only downside is that currently the software doesn't support domain logins properly, so I have to manually mount all network drives but that's rather small annoyance for the cheap security it provides.
  • by JeffTL ( 667728 ) on Tuesday November 16, 2004 @12:06PM (#10830858)
    Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.

    But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
  • Comment removed (Score:2, Interesting)

    by account_deleted ( 4530225 ) on Tuesday November 16, 2004 @12:07PM (#10830868)
    Comment removed based on user account deletion
  • by silicon not in the v ( 669585 ) on Tuesday November 16, 2004 @12:22PM (#10831086) Journal
    When I was in college, a guy I knew was working on a software authentication scheme for his senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".

    So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
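Added example, not the senior project's code: one way to build the trainer and the check described above in Python. Enrollment takes the inter-key intervals from repeated typings, keeps a per-interval mean and spread, and a consistency gate decides whether to ask for more samples; verification counts how many intervals of an attempt fall outside a tolerance band. The interval values, the tolerance and the consistency threshold are constructed for the demonstration.

```python
from statistics import mean, stdev

SPREAD_FLOOR = 0.01  # seconds; keeps a near-zero spread from making the check impossibly strict


def enroll(samples):
    """Build a profile from repeated typings of the login name.

    samples: list of lists, one per typing, each holding the seconds between
    consecutive key presses. Returns (means, spreads), one entry per interval.
    """
    n = len(samples[0])
    if len(samples) < 2 or any(len(s) != n for s in samples):
        raise ValueError("need at least two samples of equal length")
    columns = list(zip(*samples))
    return [mean(c) for c in columns], [stdev(c) for c in columns]


def is_consistent(profile, max_cv=0.35):
    """Trainer gate: reject a profile whose intervals vary too much relative to
    their mean (coefficient of variation), i.e. ask the user to type it again."""
    means, spreads = profile
    return all(sd / mu <= max_cv for mu, sd in zip(means, spreads))


def verify(profile, attempt, tolerance=2.0, max_outliers=0):
    """Accept the attempt if at most max_outliers intervals lie farther than
    tolerance * spread from the enrolled mean."""
    means, spreads = profile
    if len(attempt) != len(means):
        return False  # wrong number of keystrokes, so not even the same string
    outliers = sum(
        1 for a, mu, sd in zip(attempt, means, spreads)
        if abs(a - mu) > tolerance * max(sd, SPREAD_FLOOR)
    )
    return outliers <= max_outliers


def constructed_profile():
    """Constructed enrollment data: ten typings of a seven-letter login name,
    each a small uniform shift of the same underlying rhythm."""
    base = [0.12, 0.20, 0.10, 0.15, 0.18, 0.11]
    offsets = (-0.02, -0.015, -0.01, -0.005, 0.0, 0.0, 0.005, 0.01, 0.015, 0.02)
    samples = [[b + d for b in base] for d in offsets]
    return enroll(samples), base


if __name__ == "__main__":
    profile, base = constructed_profile()
    print("profile consistent enough to enroll:", is_consistent(profile))
    print("owner (slightly slower today):", verify(profile, [b + 0.01 for b in base]))
    print("stranger typing the same name:", verify(profile, [b + 0.10 for b in base]))
```

The failure modes the thread raises later (a cast on one hand, or a few drinks) show up here as a user whose attempt has several outliers; raising max_outliers trades some of the "no one else can match it" property for that tolerance, which is the same trade-off any biometric makes.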
  • by nuintari ( 47926 ) on Tuesday November 16, 2004 @01:10PM (#10831694) Homepage
    Anything so entrenched can never be said to be heading the way of the Dodo. Things last, for better or for worse, things stick around:

    floppy disks
    command line interface (if this dies, I quit computers)
    serial ports(also, on my own list)
    ps/2 keyboards and mice
    analog modems

    Technically, all of these can be replaced, but they haven't been, for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create opportunity for change, and flow with it.

    From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a postit note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.

    I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKI's, especially dotNet.
  • Re:Um... no? (Score:2, Interesting)

    by nadadogg ( 652178 ) on Tuesday November 16, 2004 @01:46PM (#10832243)
    That brings us to a far better idea.
    Genital-prints! Everyone hoo-ha and wingwang are unique, like snowflakes. The wrinkles, bumps, and lumps we all love so much can protect us from identity thieves!
  • by Anonymous Coward on Tuesday November 16, 2004 @02:42PM (#10833170)
    Although you might have trouble logging in if you are drunk, have a cast on one of your hands, or some other hand-related medical problem.
  • by Anonymous Coward on Tuesday November 16, 2004 @06:15PM (#10836160)
    This is actually not a terribly new scheme. And in fact, it doesn't just work with login names. I could login to the machine and just walk away at the command prompt. I wouldn't have to worry about security because it would only execute commands that I'd type in. It works a bit like voice recognition, only with typing. There are various patterns of words or letter combinations that are almost impossible to duplicate.

    Perhaps somebody could implement a secure shell for Linux using this technique.

    aQazaQa
  • by droleary ( 47999 ) on Wednesday November 17, 2004 @08:51AM (#10840970) Homepage

    You love this phrase, "security through obscurity". I've never met a security expert who would consider dual private key challenge response encryption schemas security through obscurity

    That's funny, because I've never met an actual security expert who didn't understand that all security is based on obscurity (i.e., it's the very nature of keeping things secret). I guess we must know very different manner of experts, but I must say your talk doesn't instill me with confidence in yours being able to get the job done right. If it seems I use the "security through obscurity" phrase more than necessary, it's because it is a favorite on Slashdot and I'm not above pandering to the crowd. The key difference, though, is that the obscurity that people around here harp on is kind that leaves unintended access holes, not the kind that are understood imperfections.

    Deployed smartcard authentication systems are generally only vulnerable to key spoofing (which is a failure of the algorithm behind the authentication, NOT of the key storage mechanism) and vulnerable to physical decoding if the card is stolen, a point which even the PR guys in most smartcard vendors will stipulate. Are they perfect? No. But there exists no perfect security system in the IT world.

    Right, which is why you shouldn't be so aggressively trying to defend smart cards when in reality they offer little beyond what a manual one-time password offers, yet come with oh-so-many-more holes. It's like you're trying to argue that a fair algorithm is better than a shitty one-time pad, so people should stop using pads. That might be convincing to people without real secrets to protect, but I know better, and I'll take a fair one-time pad over any shitty smart card, and I have to assume it's shitty because the operation is usually completely black boxed.

    So let me rephrase what I said before - Given proper implementation, I KNOW it's a level of security far above and beyond simple passwords.

    That is by no means a given, and that is why I consider your viewpoint to be so dangerous.

    But it is a battle-tested approach that's been very successful in deployment, and continues to be a favored system of authentication at the NSA and the Pentagon, two institutions who've spent quite a bit more brain cycles thinking about this problem than I'm sure you or I have.

    More importantly, they're the types of organizations that don't take anything as a given. If they use a smart card, you can damn well bet it is built to their specification. The rest of us are stuck with off-the-shelf stuff we really, really can't trust if we want to be honest about a system's security.
