Security Operating Systems Software Windows

MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
  • MS version (Score:5, Funny)

    by Anonymous Coward on Wednesday March 16, 2005 @03:46PM (#11956647)

    Two Factor Authentication, MS style (with apologies to Monty Python).

    "What... is your name..."
    "What... is your favourite colour?"
  • For all of us who are not tin foil wearing cryptography nuts, what the hell is two factor identification?

    END COMMUNICATION
    • by Txiasaeia ( 581598 ) on Wednesday March 16, 2005 @03:49PM (#11956688)
      From the last link:

      Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

    • From TFA (Score:2, Interesting)

      by tsanth ( 619234 )
      The second linked article, anyway:

      Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

      My friend who us
    • by Sycraft-fu ( 314770 ) on Wednesday March 16, 2005 @03:51PM (#11956719)
      A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

      Something you have (a key, a smartcard)
      Something you know (a password, a PIN)
      Something you are (a fingerprint, a voiceprint)

      It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
      • I dunno, I've seen Mission Impossible II enough to know that we'll need about 10 factor authentication to be completely secure.
        • There is no such think as completely secure. That is the first think these analysis those understand.

          Yes, two factor is not perfect. But it is better than the password-only method. It is also (somewhat) cost-effective.

          Since banks are used as an example for this, let's consider that, if the protection method is not cost-effective, it is cheaper for the bank to just accept the frauds, with or without insurance.

          Biometrics isn't perfect either. Even something that is widely considered perfect for security the
          • " There is no such think as completely secure."..Well there is "think" but there isn't "thing" :)

            Two factor is not better than one unless that second factor is also very hard to break. Combine something like a PIN and RSA key Fob with Digital Certificates (OK, that's three factors but two come from the user) and you are very secure. With a unique digital certificate issued by the bank that is verified by a special plug-in for your browser that adds security. Also what about using a pass PHRASE instead of a
      • by halo8 ( 445515 ) on Wednesday March 16, 2005 @04:03PM (#11956886)
        thanx for answering that question.

        gawd... i can just see it now, longhorn is also "for home users"

        T: thank you for calling mircosoft
        C: yesM i just got back from them there hospital, i done lost my finger in me JhonDeer 600GT riding lawnwoer
        T: uhh.. yessss... and..
        C: well they couldnt re-attach it ya see
        T: riiiighhttt...
        C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner
        • by The Angry Mick ( 632931 ) on Wednesday March 16, 2005 @04:49PM (#11957461) Homepage
          C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner

          MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.

        • Easy solution to that problem. Instead of using your index finger to authenticate, give Microsoft the middle finger.
      • So they're not really abandoning passwords -- they're just requiring an additional authentication. Yeah, I know, a password doesn't have to be one of the two authentications. But you know almost everybody will use it.

        Basically, this story is about Microsoft announcing vague plans to improve login authentication. If we had specifics (smartcard support? biometrics?), then there'd be a story.

      • Something you are (a fingerprint, a voiceprint)

        This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home. It is, according to most criteria, a very poorly chosen "something you have." Most decent references on authentication stick to something you have and something you know.

        • by DickBreath ( 207180 ) on Wednesday March 16, 2005 @05:10PM (#11957705) Homepage
          >>Something you are (a fingerprint, a voiceprint)
          >This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home.


          I have a solution.

          Use something that is debatably "something you are"; i.e. a sperm sample.

          I take these from guys, and they definitely do not find it to be "very painful".

          They cannot easily change it.

          They could possibly leave "it" at home, and the HAX0R could find and then use the sample.

          It is not easy for someone to extract this sample from you under duress. When you are stressed out, kidnapped, at gunpoint, you may find it difficult to produce a sample.

          There is a drawback. If it is required to produce a sample in order to log in, then pr0n sites might see a sudden drop in their visitors. Login screens will need to support plug in modules; so that the pr0n sites can market their materials as "login assistants".
      • If you want real authentication, take a page from Pournelle and Niven's book.

        "Hi. Your name?"
        "Kevin James Renner."
        "Do you eat live snails?"
        "I'll eat anything."
        "Where were you born?"
        "Dionysius."
        "Are you alone?"
        "Quite alone."
        "What's the word?"
        "Hollyhocks."
        "Are you sure?"
        "Sure I'm sure, you stupid machine!"
        "Let's try it again. What's the word?"
        "Hollyhocks."
        "Sure it's not rosebuds?"
        "Hollyhocks."
        "My instructions are to be sure you are calm and uncoerced."
        "Damn, I AM calm and uncoerced!"
        "Right. If you'll attach
      • by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday March 16, 2005 @04:30PM (#11957204) Homepage
        A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

        Something you have (a key, a smartcard)
        Something you know (a password, a PIN)
        Something you are (a fingerprint, a voiceprint)

        It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

        On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

        I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

      • And why would I want this on my workstation? How *I* choose to authenticate myself is my business, not Microsoft's.
    • In Two-factor authentication, the authorization is based at two levels.

      1. An authorized user would carry a physical token (swipe card or similar).
      2. The user will have to further authenticate his identity by punching in the correct password associated with the physical token.

      In addition to two layers of protection, if the token is lost it can be immediately invalidated and the risk of security is less than with a single password authentication scheme.

      For a general OS I don't think this is a necessity.
    • by Infinityis ( 807294 ) on Wednesday March 16, 2005 @03:52PM (#11956743) Homepage
      As far as I can tell, two factor identification is the dualization of the encryptable factorization process. When the vector based finglestrup is elongated to the point of dypstrontinazation, we find that standard passwords are, in a word, flangoozled. By dishappening the estronable bases, the possibility of grolingering becomes ziponified. All that said, I fully support two factor identification, and you should too.

      Hopefully that helps...
    • "something you have and something you know".

      It's like a bank machine gives you money because you HAVE your bank card and KNOW your pin.

      See two-factor authentication devices from RSA SecurID [rsa.com], VASCO [vasco.com], or Secure Computing [securecomputing.com].

      Microsoft has had a tight partnership with RSA for several years. Any word if MS will roll their own?

      Sam

    • by Anonymous Coward on Wednesday March 16, 2005 @03:57PM (#11956798)
      Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!
    • In case it's still not clear to you, a common form of two-factor authentication is through the use of a small hand-carried device that uses a time-sensitive algorithm to generate a series of numbers. Time sensitive means that this number series changes over time.

      In the industry, this is commonly called a "token" and there are multiple vendors that sell them:

      RSA Security [rsasecurity.com]
      ActivCard [activcard.com]
      Vasco [vasco.com]
      [etc.]

      Typically the "two-factorness" of the authentication is a description of the relative strength of the au

  • It has its uses... (Score:5, Insightful)

    by winkydink ( 650484 ) * <sv.dude@gmail.com> on Wednesday March 16, 2005 @03:48PM (#11956667) Homepage Journal
    Two-factor authentication is not useless. It works for local login, and it works within some corporate networks.

    I suspect that this is just MS responding to their corporate customers' requests.

  • I have your factors of your modulus: F = { f | f in Z and n/f in Z}. :-P
  • Logging in (Score:5, Funny)

    by consumer_whore ( 652448 ) on Wednesday March 16, 2005 @03:48PM (#11956674)
    Does that mean I have to type in 'password' twice?
  • by pavon ( 30274 ) on Wednesday March 16, 2005 @03:49PM (#11956684)
    For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.
    • Don't forget "something you are", as in biometrics. Any two of three will do.
    • by Duncan3 ( 10537 ) on Wednesday March 16, 2005 @04:23PM (#11957133) Homepage
      Right, which means not only will users forget passwords, but they will also lose their smartcard (which aren't cheap).

      Hurray for increasing IT costs! Good job MS, you always come through in that dept.
  • by Anonymous Coward
    ...The proposed 2-factor authentication involves both a blood and semen sample. It will be hard to foil.
  • by Anonymous Coward
    It's the only way to be sure.
  • As I see it, two-factor authentication may work fairly well for local installations, but for remote access it falls short of the security mark because it is still susceptible to trojan horses/virii on the user's system or to middleman attack between the client and server.

    Most security professionals agree that authentication should involve something you have rather than something you remember -- such as a fingerprint, smart card or optical scan instead of a password or PIN number. Soon we will use smart c

  • by MBraynard ( 653724 ) on Wednesday March 16, 2005 @03:51PM (#11956707) Journal
    To review, two-factor authentication consists of:

    Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

    Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

    Source [itsecurity.com].

    • I see a lot of people get this wrong. Two factor authentication isn't necessarily "something you have" and "something you know". It's using two of the three possible forms (a lot of people seem to forget the "something you are" form).

      Having a system that required smart-card and a fingerprint without ever having to provide a username or password would be another possible example of two-factor authentication.

      "Something you know" (password, PIN, mothers maiden name, checking account activity) and "Somet
  • by Anonymous Coward on Wednesday March 16, 2005 @03:51PM (#11956708)
    The computer industry should take a clue from the financial services sector. All you need for any system is a simple login screen:

    Name:__________
    Email address:_________
    Birthdate:__________
    Last four digits of SSN:________
    Mother's maiden name:___________
    [OK] [Cancel]

    Instant, foolproof security with no hardware to deal with or passwords to remember.

  • by Anonymous Coward on Wednesday March 16, 2005 @03:51PM (#11956711)
    Microsoft has invented the PEA machine: it's an external USB device that you pee in it. The device is able to extract your DNA and authenticate the user.

    Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.
  • what's the bets... (Score:4, Insightful)

    by advocate_one ( 662832 ) on Wednesday March 16, 2005 @03:51PM (#11956720)
    they'll have got some teeny, tiny aspect of the protocol patented so as to lock Samba out of the party...
    • Teeny, tiny my ass! They'll TRY to separately patent every comma in the spec.
    • by MarcQuadra ( 129430 ) * on Wednesday March 16, 2005 @07:19PM (#11959385)
      Nope. It doesn't work that way.

      Sure, they might drop NTLMv* authentication, but if you get a ticket from the KDC (usually an Active Directory Controller), you'll have access to what's yours.

      This article has to do with authentication only, not the transport, however. They might drop CIFS for something else, which would mean that yes, we'd have to re-reverse-engineer whatever file-transport MS uses next round.

      I wouldn't worry much about it though, it's legal to reverse-engineer this sort of thing. They can't sue you for designing a compatible system, you only need to license stuff based on their implementation using THEIR code.
  • I swear, all I hear from Bruce Schneier is how nothing works...blah, blah, This isn't the solution, blah, that isn't the savior.

    How about giving us some ideas that *you* think will work.
    • by GMFTatsujin ( 239569 ) on Wednesday March 16, 2005 @03:57PM (#11956811) Homepage
      I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.

      Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.

      I can't complain about that; security is actually *really tough* to pull off.
    • by Sycraft-fu ( 314770 ) on Wednesday March 16, 2005 @04:00PM (#11956842)
      Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.

      The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre-authorization, physically separate computers, armed guards, etc just to get into my bank account.

      Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.

      However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.
      • I didn't get the impression from Applied Cryptography or his newsletter that he wants to shitcan imperfect technology; indeed, he talked about the concept of trading off security for feasibility in a not entirely unfavorable way.

        What he is doing here is putting the concept of two factor authentication in its place. He has expressed dissatisfaction in the past with "snake oil" cryptography and if he seems preoccupied with the shortcomings of security approaches it is IMHO because the benefits are usually

      • In this particular case, both the citation in the story and your complaint do not match what he's said. Yes, he does say, "See how two-factor authentication doesn't solve anything?", but he's talking about web phishing, and he's right w.r.t. web phishing.

        He also says "Two-factor authentication is not useless. It works for local login, and it works within some corporate networks." which is exactly what it sounds like MS is talking about using two-factor authentication for.

        He says his complaints do not appl
        Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem.

        Rather, he keeps pointing out how NOTHING is 100% reliable.

        So companies and individuals should NEVER rely upon it 100%.

        Anyone who DOES rely upon any method, 100%, will be scammed, looted, etc.

        The problem with security is there is no magic bullet, no perfect solution.

        That is what he keeps saying.

        Two factor

    • by Sheetrock ( 152993 ) on Wednesday March 16, 2005 @04:02PM (#11956874) Homepage Journal
      If you want the best security, hire the pessimist, not the optimist.
    • I think he is pessimistic to indicate that there is no silver bullet.

      His basic premise is that no (current) technology can create "security". Security must be a balancing act between technology, good administration, training, policy, etc.

      True, he does do the "anti" thing a lot, but I think he just gets frustrated when companies like Microsoft try to push the idea that Technology X = Security.
    • I think what Mr Schneier is actually trying to get across is that it will need to be implemented as part of a whole, not as "the" solution.

      I see that often with firewalls. Companies deploy a strong perimeter defense, neglect internal auditing, internal security patches and then are shocked when some low level employee walks off with the candy store. "Why didn't the firewall save us?!"

      Same holds true for two factor authentication. Is it an improvement? Yep. We use SecurID on all mission critical se
  • by datastalker ( 775227 ) on Wednesday March 16, 2005 @03:51PM (#11956724) Homepage
    ...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.

    Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.

    With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.

  • by lseltzer ( 311306 ) on Wednesday March 16, 2005 @03:56PM (#11956783)
    Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.

    But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.
  • by Anonymous Coward on Wednesday March 16, 2005 @03:56PM (#11956794)
    ...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.
  • It's the same (Score:2, Interesting)

    by ajaf ( 672235 )
    All kinds of authentication are vulnerable to the same problem, the "user". I think Microsoft wants to put any crazy idea into their new OS, just to say that they have the coolest features; they don't care if those "features" are useful or not.
  • Not how MS is doing this. But how they will attempt to lock out other OSes and vendors with this new initiative.

    They could very easily create a smart card or some kind of token system that *COULD NOT* work in linux, or with LDAP (LDAP allows unix and other systems to authenticate against Active Directory).

  • Just an opinion, but I think Bruce Schneier's dismissal of two factor authentication is essentially completely meaningless. It'd be useful if it suggested a viable system that would work, but simply dismissing this huge improvement is counterproductive.

    Passwords are terrible, they've had their day, they need to be removed from the planet now.
  • First you give some blood, then you give a urine sample, then they know it's you.
  • by MoogMan ( 442253 ) on Wednesday March 16, 2005 @04:01PM (#11956858)
    MS to Trade Passwords for 2-Factor Authentication

    They better not be trading my bloody passwords!
  • My father works for John Deere (yes the tractor company). They actually use this 2 part system of authentication for remote access into the network, the specifics I'm not going to get into, but it uses a constantly updating token, and pin combination. It can take a little work to figure out, but once you get the basics, it's pretty simple. Now, a swipe card or biometric system would also work.
  • The Schneier article (Score:2, Informative)

    by rhythmx ( 744978 ) *
    From Bruce's article:

    Two-factor authentication is not useless. It works for local log-in, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a neglig
  • Some old hats ... (Score:3, Interesting)

    by foobsr ( 693224 ) * on Wednesday March 16, 2005 @04:04PM (#11956888) Homepage Journal
    From Bruce Schneier ...

    Here are two new active attacks we're starting to see:

    • Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
    • ...
    Back some decades: An attacker puts up a fake login screen on some mainframe. The innocent user logs in and is greeted with an error message indicating that he has got his password wrong and after that logs in as usual, perhaps a little disturbed (but due to general overload, unsuspecting).

    Thus we do not see "new active attacks", but a variety of an old scheme.

    I am too old.

    CC.
  • This is all very nice, as long as there is only one authentication protocol/thingie. I'd hate to have to carry around 5 different smartkeys, to fit in the three smartkey readers in my computer, and then being unable to connect to whatever because I'm constipated and the voice recognition thinks I am OBL.
  • by idlake ( 850372 ) on Wednesday March 16, 2005 @04:06PM (#11956923)
    If you want two-factor authentication, you can already get it with Linux, either with a variety of tokens/devices, or with simple strike-out lists. The necessary packages are pre-packaged for Debian and probably lots of other distributions.

    My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.
  • Price Tag??? (Score:2, Insightful)

    by 8400_RPM ( 716968 )
    What's the price tag going to be on this?
    Last time I looked at RSA, it was somewhere around $40,000 for 100 people.

  • Remember when MS was going to save the world with MS Passport centralized authentication? Well now they will try again with another angle and tie it into Hailstorm.
  • I have to use a password and token at work and it's a pain in the ass. Most people won't want to use this system because they don't want a new token for everything they do business with. In Microsoft's world view, I'll have to have one or two for work, four for the banks I do business with, one to check on my mortgage, one to log into my computer, one to check my e-mail, etc. Where the hell am I going to put all these tokens? There needs to be a "one token fits all" situation, or there'll be riots. I d
  • by SuperKendall ( 25149 ) * on Wednesday March 16, 2005 @04:15PM (#11957032)
    To put a slight twist on the normal definition, for the home user two-factor is defined as:

    1) Something you can lose
    2) Something you can forget

    I thought it was already pretty adventurous of OS X to make users log in all the time; to also provide a user something they can lose... that seems like it will have issues.

    It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.
  • by BeBoxer ( 14448 ) on Wednesday March 16, 2005 @04:25PM (#11957154)
    While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.

    I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.

    How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.

    Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature, for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.

    • How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication.

      There's a third way, of course -- get a trusted third party to do the authenticating. Like, say, a particular software company that we all know that has months and months of experience in Trusted Computing....
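The "time-sensitive algorithm" token described earlier in the thread and BeBoxer's shared-seed objection above, as an added example that is not any poster's or vendor's code: a TOTP-style code generator with a server-side verifier that tolerates clock drift and rejects replays, plus a check showing why handing the same seed to a second relying party lets it mint valid codes. It assumes HMAC-SHA1 over a 60-second step and a constructed seed; real vendors' algorithms differ.

```python
import hashlib
import hmac
import struct

# Constructed example seed. A real token has this burned in at manufacture and
# the same value is loaded into the authentication server; that sharing is
# exactly what makes cross-domain use awkward.
SHARED_SEED = b"constructed-example-seed-not-a-real-secret"
STEP_SECONDS = 60     # "a number that changes every minute"
DIGITS = 6


def code_for_step(seed: bytes, step: int, digits: int = DIGITS) -> str:
    """One-time code for a time-step counter: HMAC-SHA1 over the counter,
    dynamically truncated to a decimal string (the HOTP/TOTP construction,
    assumed here as the 'time-sensitive algorithm')."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def time_step(now: float) -> int:
    """Counter value for wall-clock time `now` (seconds since the epoch)."""
    return int(now // STEP_SECONDS)


def token_display(seed: bytes, now: float) -> str:
    """What the hand-carried device shows at time `now`."""
    return code_for_step(seed, time_step(now))


class TokenVerifier:
    """Server side: holds the same seed, tolerates `skew_steps` of clock
    drift either way, and refuses a step it has already accepted (replay)."""

    def __init__(self, seed: bytes, skew_steps: int = 1) -> None:
        self.seed = seed
        self.skew = skew_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: float) -> bool:
        base = time_step(now)
        for step in range(base - self.skew, base + self.skew + 1):
            if step <= self.last_accepted_step:
                continue   # a code for this step was already used once
            if hmac.compare_digest(code_for_step(self.seed, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def second_party_can_spoof(seed: bytes, now: float) -> bool:
    """BeBoxer's objection: if the bank is given the employer's seed so one
    fob works for both, the bank can compute codes the employer accepts.
    Returns True when a code minted by the 'bank' passes the employer's check."""
    employer = TokenVerifier(seed)
    code_minted_by_bank = token_display(seed, now)
    return employer.verify(code_minted_by_bank, now)
```

The replay check is per-step, which is why a verifier that accepts a drift window must remember the highest step it has honoured rather than just the last code it saw.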

  • by hwestiii ( 11787 ) on Wednesday March 16, 2005 @04:40PM (#11957351) Homepage
    My understanding is that two factor authentication generally means two of the following: something you know, something you have, something you are.

    Could the "something you have" in this case be some physical artifact that comes with the media or machine and might thereby be difficult to duplicate, thereby reducing the opportunity for unauthorized copying and use of the underlying software?
  • by tliet ( 167733 ) on Wednesday March 16, 2005 @05:25PM (#11957919)
    Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the PIN. It will then generate a code that will work to log on to the banking website.

    After you've set up a couple of transactions you'll need to authorise again (with PIN) for the bank to get them processed. This time with 2-factor authentication.

    This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
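A worked version of the separate login and transaction-authorisation steps tliet describes, set against the relay attack foobsr quotes from Schneier. This is an added example, not the Rabobank reader's actual algorithm; it assumes the PIN has already unlocked the card, that the reader displays the amount and destination it signs, and uses constructed keys, challenges and account numbers.

```python
import hashlib
import hmac

# Constructed chip key: lives in the card and in the bank's back end, never typed.
CARD_KEY = b"constructed-card-key-for-illustration-only"
DIGITS = 8


def response_code(key: bytes, *fields: str, digits: int = DIGITS) -> str:
    """Reader output: an HMAC over the challenge plus whatever else the device
    binds to it, truncated to a typeable decimal code (stand-in construction)."""
    msg = "\x1f".join(fields).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


# --- what the card reader computes after the PIN is entered -----------------

def login_response(key: bytes, challenge: str) -> str:
    """Login step: bound only to the bank's challenge."""
    return response_code(key, "login", challenge)


def transaction_response(key: bytes, challenge: str, amount: str, dest: str) -> str:
    """Authorisation step: bound to the challenge AND to the amount and
    destination the reader showed the user."""
    return response_code(key, "tx", challenge, amount, dest)


# --- what the bank checks ----------------------------------------------------

def bank_accepts_login(key: bytes, challenge: str, code: str) -> bool:
    return hmac.compare_digest(login_response(key, challenge), code)


def bank_accepts_transaction(key: bytes, challenge: str, amount: str,
                             dest: str, code: str) -> bool:
    expected = transaction_response(key, challenge, amount, dest)
    return hmac.compare_digest(expected, code)


def relay_attack_outcome(key: bytes, login_ch: str, tx_ch: str) -> dict:
    """Schneier's man-in-the-middle: a fake bank site relays the real bank's
    challenges to the user and the user's codes back. The login code works for
    the attacker; the transaction code only authorises the payment the user
    actually saw on the reader and signed."""
    # 1. Login: the user answers the relayed challenge; the attacker forwards it.
    login_code = login_response(key, login_ch)
    attacker_logged_in = bank_accepts_login(key, login_ch, login_code)

    # 2. Payment: the user signs what the reader displays (constructed values).
    user_code = transaction_response(key, tx_ch, "25.00", "NL00EXAMPLE0000000001")

    # 3. The attacker substitutes its own payment but can only replay that code.
    attacker_paid = bank_accepts_transaction(
        key, tx_ch, "2500.00", "NL00EXAMPLE0000000099", user_code)

    # 4. The payment the user intended, forwarded unchanged, still goes through.
    intended_paid = bank_accepts_transaction(
        key, tx_ch, "25.00", "NL00EXAMPLE0000000001", user_code)

    return {
        "attacker_logged_in": attacker_logged_in,
        "attacker_payment_accepted": attacker_paid,
        "intended_payment_accepted": intended_paid,
    }
```

The protection rests on the user checking the amount and destination on the reader before entering the PIN; a code bound only to a challenge, like the login step, gives the relay nothing to trip over.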
