Moving Beyond Passwords For Security
Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process.
"The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."
Re:"Beyond Passwords" (Score:2, Interesting)
How could it blame OpenID? (Score:3, Interesting)
OpenID does not require the use of a password as the way for a human to authenticate oneself to the system.
It's just up to the OpenID signatory to use whatever technology to authenticate someone. This human interface is decoupled from the underlying authentication.
Although most public signatories currently use username+password, that could be changed. Say you could implement your own, using PKI to recognize your own certificate stored on removable media. If you went crazy enough, nothing stops you from implementing one-time password + biometric + whatever-you-can-think-of to authenticate yourself to your own signatory.
Re:OpenID (Score:4, Interesting)
Also, many OpenID providers like MyOpenID [myopenid.com] let you generate a browser-side SSL certificate and forbid password logins entirely on your account. At that point, you can't be tricked into entering your password because you simply don't have a password.
Re:Convenience vs security vs stupidity ... (Score:5, Interesting)
Kerberos did that years ago. (Score:5, Interesting)
With Kerberos, your password never leaves your machine.
The machine you're trying to log on to sends you a random string that is encrypted with your password.
Your machine uses the password you typed in to decrypt that string, which also contains instructions on how to continue the connection.
Your password never goes across the wire.
Re:Convenience vs security vs stupidity ... (Score:1, Interesting)
Not to sound like a troll, but www.dontclick.it is one of the stupidest ideas I've seen.
Ok so I've saved time by not clicking on links, but what if there's something I want at the bottom of the screen, but there are all these mouse-over links between my cursor and it. The screen is suddenly a minefield.
Clicking doubles the dimensions of interaction with the computer. I can navigate my options without activating any of them. Mouseover should be passive movement. As I was writing this I wanted to quickly highlight a section -- can't do that with mouseover. Sure there's the keyboard but that functionality already exists. Removing clicks is removing functionality.
I'm also reminded of Douglas Adams' "Hitchhiker's Guide to the Galaxy". In it, a super-advanced radio allowed you to control it by just gesturing in its vicinity. Of course, that meant you had to sit perfectly still while listening to the radio.
And as I tried to send them an email, I accidentally moused over another option on their website -- email erased!
What about digitags? (Score:3, Interesting)
In South Africa, everyone with a bank account by law has to undergo a KYC process (know your client). This basically means that you as a client have to verify your ID at a branch (in person) with ID documents and some of your monthly bills. Your cellphone number is then captured to which all notifications of activity on your accounts are sent.
The Digitag [actividentity.com] is used during online authentication. As a further backup, a one time pin (OTP) is sent to your cellphone. This OTP is required for certain transactions like once-off payments.
Granted the system is not perfect (there is still human stupidity), but I would like to hear your comments on these types of systems, as they are becoming more and more part of our lives.
Re:totally safe authentication method! (Score:2, Interesting)
Of course, I don't remember any time where Worf tried to use Riker's credentials, so I can't really back it up...
Re:Convenience vs security vs stupidity ... (Score:2, Interesting)
The one thing that has always bothered me about retry lockouts is the denial-of-service opportunity. If someone knows your username, then they can harass you by expiring the retry limit. Even worse, they can let a bot do it. They won't brute-force your account, but they can ensure that logging in yourself is a huge headache.
Perhaps a modification to the retry lockout strategy would be to make it per-IP address. It would shift the danger to large botnets, which could still distribute the password attempts over many machines.
Of course, now this makes processing logins expensive, as each attempt requires consulting with a retry-blacklist. One might try making a single, global blacklist and then dealing with the support calls from people with infected machines who were blacklisted for testing other accounts without their knowledge.
Tough game to win, really...
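The two lockout strategies weighed in the comment above, modelled as an added example (not the commenter's code) so that both failure modes are visible: the lockout denial-of-service against a known username, and a botnet spreading guesses under a per-IP limit. Users, passwords and addresses are constructed.

```python
"""Retry-lockout policies from the comment above, modelled so that the
lockout denial-of-service and the botnet spread can be shown. Added example,
not the commenter's code; users and addresses below are constructed."""
from collections import defaultdict

LIMIT = 5  # failed attempts allowed before the lockout applies

class Lockout:
    """Counts failures under a key: per account ("alice") or per source IP."""
    def __init__(self, key):
        self.key, self.failures = key, defaultdict(int)

    def attempt(self, users, user, ip, password):
        """One login attempt; returns 'locked', 'ok' or 'bad'."""
        k = self.key(user, ip)
        if self.failures[k] >= LIMIT:
            return "locked"
        if users.get(user) == password:
            return "ok"
        self.failures[k] += 1
        return "bad"

def per_account():
    return Lockout(lambda user, ip: user)   # anyone knowing the name can lock it

def per_ip():
    return Lockout(lambda user, ip: ip)     # a stranger cannot lock the victim's IP

USERS = {"alice": "correct horse battery staple"}   # constructed

def lockout_dos(policy):
    """Attacker at 203.0.113.9 burns alice's retry limit; can alice, with the
    right password from 198.51.100.7, still log in?"""
    for _ in range(LIMIT):
        policy.attempt(USERS, "alice", "203.0.113.9", "guess")
    return policy.attempt(USERS, "alice", "198.51.100.7", USERS["alice"])

def botnet_guesses(policy, bot_count):
    """Each bot address makes LIMIT-1 wrong guesses at alice: how many guesses
    get evaluated before a lockout stops them?"""
    evaluated = 0
    for i in range(bot_count):
        for _ in range(LIMIT - 1):
            if policy.attempt(USERS, "alice", f"203.0.113.{i}", "guess") == "bad":
                evaluated += 1
    return evaluated
```

Under the per-account policy the stranger's five guesses lock the real owner out; under the per-IP policy the owner gets in, but ten bot addresses get forty guesses evaluated without ever tripping the limit.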
Re:Yes, we know. (Score:5, Interesting)
The US Government uses this method, except via smart cards. This started with the NMCI initiative. I was not keen on NMCI, as it used Citrix and centralized application serving. This creates a single point of failure (which quite often failed at the beginning) and a single, all-powerful account on a system (there's no other way of having a central system responsible for all privileges otherwise) on an operating system that probably isn't going to be in the Trusted class (i.e. it ran Windows - and I am using the Trusted class in the Orange Book sense, not in any "popular" sense of whether people actually trust it).
PKI is a very sensible approach, but should not be used in isolation. This was discussed only a short time ago on Slashdot regarding "secure locks" - there should always be multiple layers of security, a reliance on a single layer is always going to be a disaster waiting to happen.
Passwords as a "bootstrapping" mechanism to enable the rest of the security sounds fine. It's something we already do with regard to GnuPG/PGP keys, Kerberos, etc. They're weak, but bootstraps don't need to be that strong if you're using them in a multi-layer system. They're supposed to make it hard for anyone to tell if they've broken the other layers. That is sufficient.
There is, however, almost nothing else you can use. Biometrics are not safe (Slashdot has covered the breaking of many such systems) and not guaranteed to work (Slashdot has covered chimeras and other biological weirdness in the past). Two physical electronic keys won't give you significantly more security than one with twice the quality of encryption and just give you more you can lose. Call-back mechanisms are vulnerable to social engineering (if involving people) or replay attacks (if automated) since such methods have to use extremely primitive security as they are prior to authentication.
Graphical Pattern Method (Score:4, Interesting)
At my university, they were trying an experimental password alternative that comp-sci students could opt-in for.
Basically, we were presented with an image; this particular image was a bunch of cars in a parking lot, with people walking or standing around. I think it was a 400 by 400 pixel image. To set your pattern, you had to click and memorize five or six arbitrary points in the image, and also memorize the order you click them in. The idea was that it was supposed to be a lot easier to remember than an equally powerful password. Some people liked the new system, while others had a lot of trouble remembering the exact position of each of their clicks. I fell into the latter group.
Re:Yes, we know. (Score:3, Interesting)
It's an ineffective way of using your phone as "something you have".
I propose installing a program + private key on your cellphone, and use that to encrypt a random token. Then you get a hash of the ciphertext on the cellphone display, which you enter in order to login.
It could even be nicely integrated into openID, bringing me to my next point:
The thing I just mentioned CAN be made by an openID provider (I was surprised that I couldn't find such a provider though), and it would make a lot more sense to make it for openID than for 50 different websites each with their own implementation.
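The phone-as-"something you have" exchange proposed above, as an added example that is not the commenter's code. One stand-in is assumed: an HMAC under a secret shared with the provider replaces private-key encryption on the handset, so the provider verifies by recomputing the code; with real public-key cryptography the provider would hold only the public key and verify a signature over the token. Class and function names are made up; the device secret is constructed.

```python
"""Challenge-response login from the cellphone proposal above, as an added
example (not the commenter's code). Stand-in: HMAC under a shared secret
replaces private-key encryption on the phone, so the provider verifies by
recomputation rather than by checking a signature with a public key."""
import hashlib
import hmac
import secrets

CODE_LEN = 8  # hex characters the user copies from the phone display

class Phone:
    """The app plus key installed on the handset."""
    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret

    def display_code(self, challenge: str) -> str:
        # "encrypt" the random token, then show a hash of the ciphertext
        ct = hmac.new(self.device_secret, challenge.encode(), hashlib.sha256).digest()
        return hashlib.sha256(ct).hexdigest()[:CODE_LEN]

class Provider:
    """The OpenID-provider side: single-use random tokens, constant-time check."""
    def __init__(self):
        self.device_secrets = {}   # username -> enrolled device secret
        self.pending = {}          # username -> outstanding challenge

    def enroll(self, user: str, device_secret: bytes) -> None:
        self.device_secrets[user] = device_secret

    def start_login(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user: str, code: str) -> bool:
        challenge = self.pending.pop(user, None)   # consumed whether right or wrong
        if challenge is None or user not in self.device_secrets:
            return False
        expected = Phone(self.device_secrets[user]).display_code(challenge)
        return hmac.compare_digest(expected, code)

def demo() -> tuple:
    """Enrol, log in once, then replay the same code: (first_ok, replay_ok)."""
    secret = secrets.token_bytes(32)   # constructed device secret
    provider, phone = Provider(), Phone(secret)
    provider.enroll("alice", secret)
    code = phone.display_code(provider.start_login("alice"))
    first = provider.finish_login("alice", code)
    replay = provider.finish_login("alice", code)   # no pending challenge now
    return first, replay
```

Because each challenge is popped on first use, a code captured by a keylogger or shoulder-surfer cannot be replayed, which is the property that separates this from a reusable password.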
Re:Convenience vs security vs stupidity ... (Score:1, Interesting)
Use multiple choice questions and randomize the order of the answers.
Re:Yes, we know. (Score:4, Interesting)
And you can do that with openid. I got bored and made myself a GPG based openid provider. It isn't complete by any means since it lacks key revocation and such, but it is working and public.
http://id.l3ib.org/ [l3ib.org]
Re:totally safe authentication method! (Score:4, Interesting)
IIRC, Data has used Picard's credentials, and he was impersonating his voice, so that would support your theory.
Regards
elFarto
Re:Yes, we know. (Score:3, Interesting)
And the strategy still has a key advantage over smart cards with displays, namely the logistics problem.
Re:something you have? (Score:2, Interesting)
Still, punishment for murder is much greater than punishment for breaking into a computer system. Which means, the degree of effectiveness of a retina-scan biometrics is still formidable.
Now that I come to think of it, I also see that a password can be known by torturing the person who knows it, while the point of torturing a person for retina-scan or retina-sample is rather moot, I suppose. I am not sure what is more "pleasant" - to be dead or to be tortured.
Re:the real solution! (Score:1, Interesting)
Although the hivemind which developed might be interesting to some psychology academics studying groups.
Re:something you have? (Score:3, Interesting)
....The complexity of cloning security tokens varies....
Who needs to clone or copy anything? Nobody has ever car-jacked a vehicle by sticking a gun in the owner's ribs and demanding the ORIGINAL key? Nobody has ever robbed a "secure" vault by kidnapping the person who has legitimate access to that vault, key, combination or both?
Anyone who can come up with a security system that uses NEITHER what you have nor what you know would win a Nobel Prize and become extremely rich.
Re:beyond one password to another (Score:3, Interesting)
But it's not smoke and mirrors, IF you're looking at the realm of threats to your data/transactions on the internet.
What makes your password so valuable today is that the password alone is sufficient to unlock access to all your online data.
A two factor auth mechanism renders the password effectively useless, especially if the smart card implementation is competent. At a minimum, it raises the bar for the attacker dramatically higher than it is today.
It's not possible to have perfect security. All you can do is to make it harder for an attacker.
If I had a choice between using strong passwords (with the knowledge that strong passwords either (a) get re-used often or (b) get written down) or using 2 factor auth, I'd take 2 factor auth in a heartbeat. It's dramatically better than simple passwords.
Please note that there are other schemes that use a PIN that are NOT 2 factor auth that ARE smoke and mirrors. For instance if you use a keylocker application that requires a PIN to access the actual keys, the security provided by the keylocker IS smoke and mirrors: if the bad guy can steal your password they can then use it to retrieve your passwords and it's game over.
But proper 2 factor auth relies on the CPU on the smart card (that's why it's called a smart card) for every auth sequence. If you don't have both the card AND the pin, it's worthless.