Security Communications Technology

Moving Beyond Passwords For Security 235

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."
This discussion has been archived. No new comments can be posted.

  • Yes, we know. (Score:5, Insightful)

    by Anonymous Coward on Sunday August 10, 2008 @02:50PM (#24547771)

    The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

  • "Beyond Passwords" (Score:4, Insightful)

    by apoc.famine ( 621563 ) <apoc.famine@NOSPAM.gmail.com> on Sunday August 10, 2008 @02:54PM (#24547817) Journal
    I do not know that this is an accurate title.

    Users on shared systems can easily set up a simple PIN code to protect any card from use by other users...

    That almost sounds like a....password...

    Really, this is an article about using things instead of passwords....which function like passwords....and using passwords when those wouldn't be secure enough. What a stupid fucking article.

  • by blahplusplus ( 757119 ) on Sunday August 10, 2008 @02:56PM (#24547829)

    Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.

    My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.

    In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
    http://www.dontclick.it/ [dontclick.it]

    It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

  • PEBKAC (Score:5, Insightful)

    by at10u8 ( 179705 ) on Sunday August 10, 2008 @03:01PM (#24547871)
    Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.
  • Re:Yes, we know. (Score:5, Insightful)

    by Kjella ( 173770 ) on Sunday August 10, 2008 @03:01PM (#24547873) Homepage

    Yes, if you're always where there's phone coverage and you got battery. However, it doesn't solve the problem of a compromised terminal. That was what a bank virus did not that long ago, waited for the user to authenticate then sent money elsewhere "behind the scenes". Sure it might not get your email password but if it silently downloads your inbox compromising every password mail you ever got, well gee that's nice.

  • OpenID (Score:5, Insightful)

    by Cyberax ( 705495 ) on Sunday August 10, 2008 @03:02PM (#24547883)

    OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.

    I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

  • by FlyingSquidStudios ( 1031284 ) on Sunday August 10, 2008 @03:04PM (#24547895)
    But doesn't this restrict people to using secure sites only from their own machines? I have encountered situations where I was at friends' houses, relatives' houses or even a work computer where I want to do something somewhat security-sensitive like checking e-mail. Wouldn't this sort of security measure make that far more difficult?
  • Re:OpenID (Score:3, Insightful)

    by Colin Smith ( 2679 ) on Sunday August 10, 2008 @03:09PM (#24547941)

    Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

    They're also not cheap.

  • Re:OpenID (Score:3, Insightful)

    by Cyberax ( 705495 ) on Sunday August 10, 2008 @03:14PM (#24547999)

    For most applications "something held" (maybe with a simple PIN-protection) is perfectly fine. Like your keys, for example.

    Good key revocation system is essential in this scenario, however.

    Passwords are much overrated, anyway. Most users inevitably either choose weak passwords or just write them down somewhere.

  • by Anonymous Coward on Sunday August 10, 2008 @03:17PM (#24548021)

    Perhaps, but it's still at a higher level than most companies are thinking. Lately the trend I've been seeing is for financial institutions to not just ask for, but require you to select from a list of security questions that can be used for access to your account with them. One of my brokerages is even threatening to suspend my account if I don't choose a set of security questions.

    It's offensive to me that the companies require you to provide not only an additional and unnecessary route for access to your account, but that it's based on plain text answers relying on information that few to none of its customers consider to be private information. The questions also are often not easily changed, so I can't just use an additional (though plain text) password for them unless I want it to be permanent; with that the case I'd want to use different passwords for every such account I have - which means I'd probably end up writing down parts of each to remember them.

  • Re:OpenID (Score:3, Insightful)

    by hackstraw ( 262471 ) on Sunday August 10, 2008 @03:33PM (#24548165)

    Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

    USB thumbdrive, passphrase protected private key.

    Once sshd can tell if a private key has a passphrase and its authorized keys can be centrally managed, then there is never a reason a user should ever type a password. Just unlock the private key locally, and you can go wherever you are already authorized to go.

    I just think it's so stupid that we have to type usernames and passwords all the time. The burden is backwards. It's up to the server to say yes/no, it already knows who is allowed on the system, and their capabilities (roles, authorization, whatever), all the user needs to do is say here is my ID, is it OK for me to come in?

    I mean this is the way credit cards work. No password whatsoever, and I can present my card, and a purchase is made, no password ever.

    Now, with password security, since they are insecure by design, then you have to change them, to ensure they are secure again, thus placing a burden on the user and sysadmins and help desk people.

    I mean, I don't use a username/password to enter my $500,000 house, or to drive my $100,000 car, or to enter my workplace where there are many millions of dollars of equipment and data. Why do I have to enter a username/password just to go onto a computer that already knows I'm ok to be on the system?
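The key-based exchange the story summary describes ("machines have a cryptographically encoded conversation ... using digital keys that we, as users, have no need to see") and the flow hackstraw asks for in the post above (the server already holds the list of who is allowed in; the client only has to prove it holds the matching private key) can both be sketched as a challenge-response protocol. The Go program below is an added example and is not part of the Slashdot discussion or of any product mentioned in it. The service name, the user names and the in-memory AuthorizedKeys registry are constructed for illustration, and the client's private key is simply held in memory rather than on the passphrase-protected USB key hackstraw proposes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthorizedKeys stands in for a centrally managed authorized-keys list:
// user name -> public key. It is the only credential store; no password
// appears anywhere in the exchange. (Constructed for this example.)
type AuthorizedKeys map[string]ed25519.PublicKey

// Challenge is what the server sends: a fresh random nonce plus the service
// name, so a signature produced for one service cannot be relayed to another.
type Challenge struct {
	Service string
	Nonce   [32]byte
}

// Server holds the registry and the challenges it has handed out but not yet
// seen answered.
type Server struct {
	Service string
	Keys    AuthorizedKeys
	pending map[string]Challenge // outstanding challenges keyed by user
}

func NewServer(service string, keys AuthorizedKeys) *Server {
	return &Server{Service: service, Keys: keys, pending: map[string]Challenge{}}
}

// Issue creates a single-use challenge for the named user. Unknown users get
// a challenge too, so the reply does not reveal which user names exist.
func (s *Server) Issue(user string) (Challenge, error) {
	c := Challenge{Service: s.Service}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	s.pending[user] = c
	return c, nil
}

// challengeBytes is the exact message both sides sign and verify: a domain
// separator, the service name and the nonce, hashed together.
func challengeBytes(c Challenge) []byte {
	h := sha256.New()
	h.Write([]byte("auth-challenge-v1\x00"))
	h.Write([]byte(c.Service))
	h.Write([]byte{0})
	h.Write(c.Nonce[:])
	return h.Sum(nil)
}

// Sign is the client side. The private key never leaves the client and the
// user never sees it; the client just signs the challenge it was given.
func Sign(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeBytes(c))
}

// Verify is the server's yes/no decision. The pending challenge is consumed
// before checking, so a captured signature cannot be replayed later.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.pending, user) // single use, whatever the outcome
	pub, ok := s.Keys[user]
	if !ok {
		return errors.New("user not authorized")
	}
	if !ed25519.Verify(pub, challengeBytes(c), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// Constructed key pair for a hypothetical user "alice".
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader => crypto/rand
	if err != nil {
		panic(err)
	}
	srv := NewServer("mail.example", AuthorizedKeys{"alice": pub})

	c, _ := srv.Issue("alice")
	fmt.Println("challenge nonce:", hex.EncodeToString(c.Nonce[:]))
	sig := Sign(priv, c)
	fmt.Println("first login:   ", srv.Verify("alice", sig)) // <nil>
	fmt.Println("replayed login:", srv.Verify("alice", sig)) // error: challenge already used
}
```

Two details carry the security argument from the summary: the challenge is bound to the service name, so a signature a lookalike site collects for one service is useless against another, and each challenge is consumed on first use, so a signature captured on the wire cannot be replayed. Neither side ever transmits a secret, which is exactly what typing a password into someone else's web site cannot offer.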

  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday August 10, 2008 @03:38PM (#24548217) Journal

    I felt I had to respond to your article about passwords. It's been Slashdotted here:

    http://it.slashdot.org/article.pl?sid=08/08/10/186203 [slashdot.org]

    But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.

    OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

    OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.

    But more importantly:

    OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.

    Nothing about OpenID requires a password.

    I'll say that again: NOTHING about OpenID requires a password.

    What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

    Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

    One single-point-of-failure is better than N single-point-of-failure.

    You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.

    If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.

    So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.

  • by Anonymous Coward on Sunday August 10, 2008 @03:48PM (#24548301)

    You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

    Right?

  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Sunday August 10, 2008 @04:02PM (#24548427)
    Comment removed based on user account deletion
  • Re:Yes, we know. (Score:1, Insightful)

    by Anonymous Coward on Sunday August 10, 2008 @04:40PM (#24548735)

    That is a not so novel yet still good idea, but a cellphone which is capable of running such software is not quite trustworthy, because it is too complex to be secure: Bluetooth vulnerabilities, trojaned games, etc. Even if the actual secret is isolated in a smart card (such as the SIM), a compromised terminal can enable an attacker to use "what you have" remotely. At the very least the phone hardware would have to be designed such that the smart card could request exclusive access to the keypad, and the user would have to be able to recognize that mode (differently colored background light, for example), all without the possibility of software interfering.

    I'm looking forward to smart cards with integrated display, keypad and RF or IR interface.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday August 10, 2008 @05:40PM (#24549243)
    Comment removed based on user account deletion
