MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
MS version (Score:5, Funny)
Two Factor Authentication, MS style (with apologies to Monty Python).
"What... is your name..."
"What... is your favourite colour?"
Re:MS version (Score:5, Funny)
They're already doing this! (Score:5, Funny)
"What...is your login..."
"What...is your password?"
Re:They're already doing this! (Score:3, Funny)
"6hU&12D1er. No, 6Hu&...arrrrggggggggg....."
Re:MS version (Score:2, Funny)
Aw, that's a tough one
Starts with a B, Bob...
Ends with a B, Bob...
Bob
Bob! that's it!
-Cheech and Chong Big Bambu
Thumbprint & Iris Scan? (Score:3, Interesting)
between the OS, IE, ActiveX, and Apps that even multiple biometric tests would not protect their OS (exception by being unplugged from the network and internet).
I understand that MSFT does have a solution to the rampant security holes in their product line, which is foolproof. MSFT can embrace/extend the Webster's Dictionary's definition of "security". The Dubya regime has used similar tactics in the definition of "crisis" and "WMD" and "freedom".
This tactic does appe
A question worth asking (Score:2, Insightful)
END COMMUNICATION
Re:A question worth asking (Score:4, Informative)
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
Re:A question worth asking (Score:3, Informative)
Re:A question worth asking (Score:3, Informative)
1) You input your bank account number and a password into your bank's site.
2) You use a little calculator, you input a PIN into it, and it generates a unique number that you have to input into the page.
3) You're now authenticated.
Other schemes include having a little card with the numbers on it, and the site will request you to input code number N, and you do so, and it lets you in.
Re:A question worth asking (Score:4, Insightful)
If you start with a known item like the time (time changes, but it's not a secret what time it is) then multiply it by another unchanging item like a PIN, all you've done is make a more complicated PIN number. You haven't implemented two factor authentication, you're just making it hard to log in.
From TFA (Score:2, Interesting)
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
My friend who us
Re:A question worth asking (Score:5, Informative)
Something you have (a key, a smartcard)
Something you know (a password, a PIN)
Something you are (a fingerprint, a voiceprint)
It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
Re:A question worth asking (Score:3, Funny)
Re:A question worth asking (Score:3, Informative)
Yes, two factor is not perfect. But it is better than the password-only method. It is also (somewhat) cost-effective.
Since banks are used as an example for this, let's consider that, if the protection method is not cost-effective, it is cheaper for the bank to just accept the frauds, with or without insurance.
Biometrics isn't perfect either. Even something that is widely considered perfect for security the
Re:A question worth asking (Score:3, Interesting)
Two factor is not better than one unless that second factor is also very hard to break. Combine something like a PIN and RSA key Fob with Digital Certificates (OK, that's three factors but two come from the user) and you are very secure. With a unique digital certificate issued by the bank that is verified by a special plug-in for your browser that adds security. Also what about using a pass PHRASE instead of a
Re:A question worth asking (Score:5, Funny)
gawd... i can jsut see it now, longhorn is also "for home users"
T: thank you for calling mircosoft
C: yesM i just got back from them there hospital, i done lost my finger in me JhonDeer 600GT riding lawnwoer
T: uhh.. yessss... and..
C: well they couldnt re-attach it ya see
T: riiiighhttt...
C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner
Microsoft's Response (Score:5, Funny)
MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.
Re:A question worth asking (Score:3, Funny)
Re:A question worth asking (Score:3, Insightful)
Basically, this story is about Microsoft announcing vague plans to improve login authentication. If we had specifics (smartcard support? biometrics?), then there'd be a story.
Re:A question worth asking (Score:2)
Something you are (a fingerprint, a voiceprint)
This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home. It is, according to most criteria, a very poorly chosen "something you have." Most decent references on authentication stick to something you have and something you know.
Re:A question worth asking (Score:4, Funny)
>This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home.
I have a solution.
Use something that is debatably "something you are"; i.e. a sperm sample.
I take these from guys, and they definitely do not find it to be "very painful".
They cannot easily change it.
They could possibly leave "it" at home, and the HAX0R could find and then use the sample.
It is not easy for someone to extract this sample from you under duress. When you are stressed out, kidnapped, at gunpoint, you may find it difficult to produce a sample.
There is a drawback. If it is required to produce a sample in order to log in, then pr0n sites might see a sudden drop in their visitors. Login screens will need to support plug in modules; so that the pr0n sites can market their materials as "login assistants".
Re:A question worth asking (Score:4, Insightful)
Most decent references on authentication stick to something you have
Not really. Something you know can be extracted via extreme methods like torture, or with "truth serum" type drugs. They can be grabbed from a database and brute forced. They are information. Biometrics, on the other hand, are physical characteristics of your body. They are very, very hard to change, can't really be left behind, and are constantly exposed. Once captured, they are often easily faked. They are very dangerous to use as an authentication mechanism and are only really valid when carefully verified by a human observer. There is a trend towards biometrics right now in the consumer space that will likely result in a net decrease in security. This is why they are rarely mentioned in a positive light by experts. They are cool and high-tech, however, so doubtless marketers will use them as a tool to separate you from both your security and your cash. They fit perfectly into MS's modus operandi. They are ineffective, and a liability, but easy to use, whiz-bang, and easy to make proprietary and lock out competitors.
Re:A question worth asking (Score:3, Funny)
"Hi. Your name?"
"Kevin James Renner."
"Do you eat live snails?"
"I'll eat anything."
"Where were you born?"
"Dionysius."
"Are you alone?"
"Quite alone."
"What's the word?"
"Hollyhocks."
"Are you sure?"
"Sure I'm sure, you stupid machine!"
"Let's try it again. What's the word?"
"Hollyhocks."
"Sure it's not rosebuds?"
"Hollyhocks."
"My instructions are to be sure you are calm and uncoerced."
"Damn, I AM calm and uncoerced!"
"Right. If you'll attach
Re:A question worth asking (Score:5, Insightful)
Something you have (a key, a smartcard)
Something you know (a password, a PIN)
Something you are (a fingerprint, a voiceprint)
It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).
I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.
Re:A question worth asking (Score:3, Interesting)
Re:A question worth asking (Score:2)
1. An authorized user would carry a physical token (swipe card or similar).
2. The user will have to further authenticate his identity by punching in the correct password associated with the physical token.
In addition to two layers of protection, if the token is lost it can be immediately invalidated and the risk of security is less than with a single password authentication scheme.
For a general OS I don't think this is a necessity.
Re:A question worth asking (Score:5, Funny)
Hopefully that helps...
2-factor authentication is ... (Score:2)
It's like a bank machine gives you money because you HAVE your bank card and KNOW your pin.
See two-factor authentication devices from RSA SecurID [rsa.com], VASCO [vasco.com], or Secure Computing [securecomputing.com].
Microsoft has had a tight partnership with RSA for several years. Any word if MS will roll their own?
Sam
Re:A question worth asking (Score:5, Insightful)
Re:A question worth asking (Score:2, Informative)
In case it's still not clear to you, a common form of two-factor authentication is through the use of a small hand-carried device that uses a time-sensitive algorithm to generate a series of numbers. Time sensitive means that this number series changes over time.
In the industry, this is commonly called a "token" and there are multiple vendors that sell them :
RSA Security [rsasecurity.com]
ActivCard [activcard.com]
Vasco [vasco.com]
[etc.]
Typically the "two-factorness" of the authentication is a description of the relative strength of the au
It has its uses... (Score:5, Insightful)
I suspect that this is just MS responding to their corporate customers' requests.
Re:It has its uses... (Score:5, Funny)
Now speak the following phrase clearly into the microphone:
"When tweedle beetles battle, it's called a tweedle beetle battle
and when they battle in a puddle, it's called a tweedle beetle puddle battle
AND
when beetles battle beetles with paddles in a puddle, THIS is what they call...
a tweedle beetle puddle paddle battle
AND
when the beetle puddle paddle battle is a battle in a bottle THIS is what they call...
a tweedle beetle bottle battle puddle paddle muddle!"
Voiceprint recorded. Please repeat for verification...
All Your Prime Are Belong To ME (Score:2)
Logging in (Score:5, Funny)
Re:Logging in (Score:5, Funny)
Two Factor Authentication. (Score:4, Informative)
Re:Two Factor Authentication. (Score:3, Informative)
Revocation (Score:3, Funny)
Re:Two Factor Authentication. (Score:5, Funny)
Hurray for increasing IT costs! Good job MS, you always come through in that dept.
Re:Two Factor Authentication. (Score:4, Interesting)
Most large corporations require a badge. However, most businesses are small family-oriented businesses, not large corporations. These businesses have less than 50 employees, and rarely have advanced IT systems. To assume that this won't increase their costs is silly. It most certainly will -- assuming they decide to put it into place at all.
For more info:
http://www.census.gov/epcd/www/smallbus.ht
Re:Two Factor Authentication. (Score:3, Insightful)
Easy. That's Internet Explorer (not significantly updated in years), whatever new vaporware they're talking about today, the Windows interface ("borrowed" from Apple), and the Screen of Death
For those that don't know... (Score:2, Funny)
Re:For those that don't know... (Score:2, Funny)
Re:For those that don't know... (Score:2, Funny)
On the flip side though, you'll probably be much more hesitant to let others login to your computer...
It also gives new meaning to the phrase "log in"
Re:For those that don't know... (Score:4, Funny)
I will never, ever, ever go to an internet cafe again.....
Re:For those that don't know... (Score:4, Funny)
Re:For those that don't know... (Score:2, Funny)
Re:For those that don't know... (Score:2, Funny)
Re:For those that don't know... (Score:3, Funny)
Maybe my wife will want to see me more often now.
Bone marrow sample every time you log in (Score:2, Funny)
Solves the wrong problem. (Score:2, Redundant)
Most security professionals agree that authentication should involve something you have rather than something you remember -- such as a fingerprint, smart card or optical scan instead of a password or PIN number. Soon we will use smart c
What Is Two Factor Authentication? (Score:5, Informative)
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
Source [itsecurity.com].
Re:What Is Two Factor Authentication? (Score:3, Informative)
Having a system that required smart-card and a fingerprint without ever having to provide a username or password would be another possible example of two-factor authentication.
"Something you know" (password, PIN, mothers maiden name, checking account activity) and "Somet
They're making this problem seem too hard (Score:5, Funny)
Name:__________
Email address:_________
Birthdate:__________
Last four digits of SSN:________
Mother's maiden name:___________
[OK] [Cancel]
Instant, foolproof security with no hardware to deal with or passwords to remember.
Re:They're making this problem seem too hard (Score:5, Funny)
But yet you still can't seem to crack the secret code known as humor.
No need for passwords anymore (Score:3, Funny)
Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.
what's the bets... (Score:4, Insightful)
Re:what's the bets... (Score:2, Insightful)
Re:what's the bets... (Score:4, Informative)
Sure, they might drop NTLMv* authentication, but if you get a ticket from the KDC (usually an Active Directory Controller), you'll have access to what's yours.
This article has to do with authentication only, not the transport, however. They might drop CIFS for something else, which would mean that yes, we'd have to re-reverse engineer whatever file-transport MS uses next round.
I wouldn't worry much about it though, it's legal to reverse-engineer this sort of thing. They can't sue you for designing a compatible system, you only need to license stuff based on their implementation using THEIR code.
Bruce Schneier. The anti solution. (Score:2, Insightful)
How about giving us some ideas that *you* think will work.
Re:Bruce Schneier. The anti solution. (Score:5, Insightful)
Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.
I can't complain about that; security is actually *really tough* to pull off.
That's why much of /. likes him (Score:4, Insightful)
The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre authorization, physically separate computers, armed guard, etc just to get into my bank account.
Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.
However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.
Re:That's why much of /. likes him (Score:3, Insightful)
What he is doing here is putting the concept of two factor authentication in its place. He has expressed dissatisfaction in the past with "snake oil" cryptography and if he seems preoccupied with the shortcomings of security approaches it is IMHO because the benefits are usually
Re:That's why much of /. likes him (Score:3, Interesting)
He also says "Two-factor authentication is not useless. It works for local login, and it works within some corporate networks." which is exactly what it sounds like MS is talking about using two-factor authentication for.
He says his complaints do not appl
I think you are fundamentally mistaken. (Score:3, Insightful)
Rather, he keeps pointing out how NOTHING is 100% reliable.
So companies and individuals should NEVER rely upon it 100%.
Anyone who DOES rely upon any method, 100%, will be scammed, looted, etc.
That is what he keeps saying.
Re:Bruce Schneier. The anti solution. (Score:4, Insightful)
Re:Bruce Schneier. The anti solution. (Score:2)
Re:Bruce Schneier. The anti solution. (Score:2)
His basic premise is that no (current) technology can create "security". Security must be a balancing act between technology, good administration, training, policy, etc.
True, he does do the "anti" thing a lot, but I think he just gets frustrated when companies like Microsoft try to push the idea that Technology X = Security.
Re:Bruce Schneier. The anti solution. (Score:3, Insightful)
I see that often with firewalls. Companies deploy a strong perimeter defense, neglect internal auditing, internal security patches and then are shocked when some low level employee walks off with the candy store. "Why didn't the firewall save us?!"
Same holds true for two factor authentication. Is it an improvement? Yep. We use securID on all mission critical se
The point is not that TFA can fail... (Score:5, Informative)
Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.
With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.
Unrelated to Schneier's concerns (Score:5, Interesting)
But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.
MS ActiveButtPlug Technology... (Score:5, Funny)
Re:MS ActiveButtPlug Technology... (Score:3, Funny)
Sweet!
It's the same (Score:2, Interesting)
The real question is (Score:2, Troll)
They could very easily create a smart card or some kind of token system that *COULD NOT* work in linux, or with LDAP (LDAP allows unix and other systems to authenticate against Active Directory).
Needed (Score:2)
Passwords are terrible, they've had their day, they need to be removed from the planet now.
There should be a choice... (Score:2)
Blood, Pee, you're in (Score:2, Funny)
MS to Trade Passwords for 2-Factor Authentication (Score:3, Funny)
They better not be trading my bloody passwords!
Some already do this, for some situations (Score:2, Informative)
The Scheiner article (Score:2, Informative)
Two-factor authentication is not useless. It works for local log-in, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a neglig
Some old hats ... (Score:3, Interesting)
Here are two new active attacks we're starting to see:
- Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
- ...
Back some decades: An attacker puts up a fake login screen on some mainframe. The innocent user logs in and is greeted with an error message indicating that he has got his password wrong and after that logs in as usual, perhaps a little disturbed (but due to general overload, unsuspecting). Thus we do not see "new active attacks", but a variety of an old scheme.
I am too old.
CC.
No multiple standards please! (Score:2)
standard package on Linux already (Score:4, Interesting)
My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.
Price Tag??? (Score:2, Insightful)
Last time I looked at RSA, it was somewhere around $40,000 for 100 people.
Sounds like MS Passport v2 (Score:2)
This won't work with keys or tokens (Score:2, Insightful)
What two factor means for the home user (Score:5, Insightful)
1) Something you can lose
2) Something you can forget
I thought it was already pretty adventurous of OS X to make users log in all the time, to also provide a user something they can lose... that seems like it will have issues.
It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.
Only Useful in Corporate Environments (Score:5, Insightful)
I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.
How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.
Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.
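As an added illustration of the shared-secret token model this comment describes (and of the "time-sensitive algorithm" and bank-calculator comments earlier in the thread), here is a minimal time-based one-time code generator plus the matching server check; it is example code written for this page, not anything from Microsoft, RSA or another vendor. It follows the HOTP/TOTP construction (HMAC over a time counter, truncated to six digits) and assumes a constructed demo secret and a 60-second step.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. In the model discussed above the same secret sits
# in the token and in the backend server, which is why a second organisation
# (the "bank") cannot verify codes without being handed that secret.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"
STEP_SECONDS = 60   # the thread talks about a number that changes every minute
DIGITS = 6


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """Code the token would display at `unix_time`.

    The code is HMAC(secret, time_counter) truncated to `digits`. Time is a
    public input; the secret never leaves the device. This is the difference
    between a real one-time code and "time multiplied by a PIN".
    """
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Stateless server-side check that tolerates +-`window` steps of clock
    drift between token and server, using a constant-time comparison."""
    for drift in range(-window, window + 1):
        expected = token_code(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class TokenServer:
    """Backend holding the token's secret (single administrative domain).

    Besides drift tolerance it remembers the last accepted time step, so a
    code captured on the wire cannot be replayed inside the drift window;
    this is the "an intercepted password won't be good next time" property.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def authenticate(self, submitted: str, unix_time: int) -> bool:
        for drift in range(-self.window, self.window + 1):
            t = unix_time + drift * STEP_SECONDS
            counter = t // STEP_SECONDS
            if counter <= self.last_counter:
                continue                              # step already consumed
            if hmac.compare_digest(token_code(self.secret, t), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed timestamp on a step boundary; a real server would use time.time().
    now = 1_000_000 * STEP_SECONDS
    code = token_code(SHARED_SECRET, now)
    server = TokenServer(SHARED_SECRET)
    print("token shows", code)
    print("first login accepted:", server.authenticate(code, now))
    print("replay 30s later accepted:", server.authenticate(code, now + 30))
    print("other bank can verify:", verify_code(b"some-other-secret", code, now))
```

The last line shows the cross-domain problem from the comment: without the secret, a second verifier gets nothing usable out of the six digits.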
Re:Only Useful in Corporate Environments (Score:3, Insightful)
There's a third way, of course -- get a trusted third party to do the authenticating. Like, say, a particular software company that we all know that has months and months of experience in Trusted Computing....
Could this be more about piracy than security? (Score:3, Interesting)
Could the "something you have" in this case be some physical artifact that comes with the media or machine and might thereby be difficult to duplicate, thereby reducing the opportunity for unauthorized copying and use of the underlying software?
Two way authentication works today (Score:5, Informative)
After you've set up a couple of transactions you'll need to authorise again (with PIN) for the bank to get them processed. This time with 2-factor authentication.
This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
Re:Example of two factor authentication (Score:2)
A password + snapshot or eye scan or DNA scan is a two factor authentication.
Re:Example of two factor authentication (Score:2)
This works best
1) A password with 6 characters followed by
2) The last 2 digits in your body weight (floor pad or chair will measure you for verification)
but that is just my own example. Does anyone have an example like this that is being used?
Re:Example of two factor authentication (Score:2)
Re:Example of two factor authentication (Score:2)
The problem is that it's bloody awful. It's a nightmare to implement and administer. While the card works great to log into Windows nothing else integrates properly. The consultants (cough, sales people) told us it would give us single-sign-on Nirvana but our email client, SAP, and various other applications don't want to be
Your Bank Card and PIN at an ATM. (Score:2, Insightful)
Re:Reporting leaves something to be desired (Score:5, Funny)
"Please enter your login"
"Thank you, please enter your password"
"So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"
Kinda like AdSense, but much more intrusive...
Re:I love his arguments against it... (Score:2)
I've said it before, I'll say it again. Mainly I say it in regards to ATMs, though.
Any authentication scheme can be beaten out of somebody somehow, so give each person a 'duress' password which can be entered. Absolutely nothing on the user side would act any differently from a normal login/authentication, but it would raise all sorts of flags and alarms elsewhere.
Usually I talk about this in regards to ATMs; you don't get shot, but the video cameras all click on to record you with the gun to your head