MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
Two Factor Authentication, MS style (with apologies to Monty Python).
"What... is your name..."
"What... is your favourite colour?"
For all of us who are not tin foil wearing cryptography nuts, what the hell is two factor identification?
END COMMUNICATION
I suspect that this is just MS responding to their corporate customers' requests.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I have the factors of your modulus: F = { f | f in Z and n/f in Z}. :-P
Does that mean I have to type in 'password' twice?
How does MS intend to set up two-factor? Are they going to be partnering with another firm like RSA? Will it be integrated directly into AD, or will it be available for standalone systems? None of this is addressed.
For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.
The second linked article, anyway:
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
My friend who used to work at some larger company (before he worked for an Even Larger Company) used a token generator to log into the company VPN. It would generate a random number, then hash that against his password, yielding a value which he actually put into the VPN password box. Nifty little doodad.
...The proposed 2-factor authentication involves both a blood and semen sample. It will be hard to foil.
Something you have and something you know. Like an RSA fob, username and password; or something biometric, a username and password.
It's the only way to be sure.
Most security professionals agree that authentication should involve something you have rather than something you remember -- such as a fingerprint, smart card or optical scan instead of a password or PIN number. Soon we will use smart cards that use public key encryption to communicate with servers for authentication as they do not require security on the local system or network to retain their potential.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
Source.
Name:__________
Email address:_________
Birthdate:__________
Last four digits of SSN:________
Mother's maiden name:___________
[OK] [Cancel]
Instant, foolproof security with no hardware to deal with or passwords to remember.
Microsoft has invented the PEA machine: it's an external USB device that you pee in. The device is able to extract your DNA and authenticate the user.
Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.
Except they don't know how to spell "name" and "favourite colour." :-D
"What...is your login..."
"What...is your password?"
A password + snapshot or eye scan or DNA scan is a two factor authentication.
they'll have got some teeny, tiny aspect of the protocol patented so as to lock Samba out of the party...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I swear, all I hear from Bruce Schneier is how nothing works...blah, blah, This isn't the solution, blah, that isn't the savior.
How about giving us some ideas that *you* think will work.
...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.
Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.
With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.
RSA SecurID is the example most implemented: http://www.rsasecurity.com/node.asp?id=1156
AOL and E*Trade both offer this to the public, and many corporate customers use it to secure private nets.
I hate when people say something is useless but don't offer alternatives. He says it's good for local login, but not remote. Fair enough. Now what?
/.ers wish to chime in?
The man-in-the-middle scenario that he describes has been known for a while and even discussed at RSA conferences.
What other alternatives are there for remote logins? Any
Wearing pants should always be optional.
It's like a bank machine gives you money because you HAVE your bank card and KNOW your pin.
See two-factor authentication devices from RSA SecurID, VASCO, or Secure Computing.
Microsoft has had a tight partnership with RSA for several years. Any word if MS will roll their own?
Sam
Sure, I work with a smart card deployment. The idea is that two factor is something you have (the card) and something you know (the pin). There's a PKI backend that makes it all run
The problem is that it's bloody awful. It's a nightmare to implement and administer. While the card works great to log into Windows, nothing else integrates properly. The consultants (cough, sales people) told us it would give us single-sign-on Nirvana, but our email client, SAP, and various other applications don't want to behave with it, unless you use various band-aids and work-arounds.
My thought is that 2-factor will only really take off if MS implement it as standard - however then it will only work if you do it MS's way using software approved / created by them. Everyone that doesn't want to play MS's game will find corporate customers ignoring them for something that plays the MS 2Factor game.
Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.
But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.
...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.
Ubiquitous software that requires enormous storage and ever increasing CPU/memory-bandwidth? That's a good thing!
The owls are not what they seem
But that doesn't change every time. I was hoping someone would give me an example like this:
This works best
1) A password with 6 characters followed by
2) The last 2 digits in your body weight (floor pad or chair will measure you for verification)
but that is just my own example. Does anyone have an example like this that is being used?
All kinds of authentication are vulnerable to the same problem, the "user". I think Microsoft wants to put any crazy idea into their new OS, just to say that they have the coolest features; they don't care if those "features" are useful or not.
ajf
I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.
Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.
I can't complain about that; security is actually *really tough* to pull off.
Socialism. Where security doesn't matter.
-Bruce
They couldn't sell enough of their fingerprint scanner devices? They're going to require everyone to buy one?
They could very easily create a smart card or some kind of token system that *COULD NOT* work in linux, or with LDAP (LDAP allows unix and other systems to authenticate against Active Directory).
Religion is a gateway psychosis. -- Dave Foley
Just an opinion, but I think Bruce Schneier's dismissal of two factor authentication is essentially completely meaningless. It'd be useful if it suggested a viable system that would work, but simply dismissing this huge improvement is counter productive.
Passwords are terrible, they've had their day, they need to be removed from the planet now.
Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.
The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However, I don't really want to have to deal with called-in pre-authorization, physically separate computers, armed guards, etc. just to get into my bank account.
Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.
However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.
First you give some blood, then you give a urine sample, then they know its you.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Well if Microsoft goes this way with Windows eventually the rest of the world will, including websites and eventually corporate service lines. Seems like two factor authentication will generate loads of more useful data for data mining.
What's your favorite color?
What do you do for a living?
What is your favorite coffee?
How many purchases have you made in the last month?
MS to Trade Passwords for 2-Factor Authentication
They better not be trading my bloody passwords!
My father works for John Deere (yes, the tractor company). They actually use this 2-part system of authentication for remote access into the network. The specifics I'm not going to get into, but it uses a constantly updating token and PIN combination. It can take a little work to figure out, but once you get the basics, it's pretty simple. Now, a swipe card or biometric system would also work.
I don't know everything.
If you want the best security, hire the pessimist, not the optimist.
From Bruce's article:
Two-factor authentication is not useless. It works for local log-in, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.
He cites two types of attack against two-factor authentication: man in the middle, and a sniffer Trojan. Password authentication is already suffering from these attacks, and increasing complexity will make such attacks at least slightly harder. He doesn't mean that two-factor authentication would be in any way worse than passwords, ever.
Most of Mr. Schneier's article was about how banks were trying to use this as a security panacea. This is certainly not the case, especially since there is money involved; nothing keeps attackers from going that extra mile.
--Sean
Here are two new active attacks we're starting to see:
- Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
- ...
Back some decades: An attacker puts up a fake login screen on some mainframe. The innocent user logs in and is greeted with an error message indicating that he has got his password wrong, and after that logs in as usual, perhaps a little disturbed (but due to general overload, unsuspecting). Thus we do not see "new active attacks", but a variety of an old scheme.
I am too old.
CC.
TaijiQuan (Huang, 5 loosenings)
See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
Yes, and an attacker can physically beat the living @*#^ out of you until you give him what he wants. See how it doesn't solve anything?
This is all very nice, as long as there is only one authentication protocol/thingie. I'd hate to have to carry around 5 different smartkeys, to fit in the three smartkey readers in my computer, and then be unable to connect to whatever because I'm constipated and the voice recognition thinks I am OBL.
Something you have, something you know.
If MS actually implements this, I'm sure they'll have to implement a button that says something like this:
I don't understand, please let me in anyway
This is ridiculous. When he said that 2-factor authentication was not good enough, he stated quite clearly that this was for e-commerce/e-banking. For LAN and local authentication it works just fine. Try doing a "man-in-the-middle" attack when logging on to the computer in front of you... And in a LAN environment the risk must be very low and requires physical access to the network. RTFA before posting a reference to it (yeah I know, I'm nuts).
"Your superior intellect is no match for our puny weapons" - The Simpsons
Jesus f'ing Christ on a pogo stick! Your sig uses a quote from Yoda you dipshit! And his name is Mr. Spock, not Dr. Spock! Dr. Spock wrote books about raising children. Mr. Spock modified the 2 finger peace symbol to use 4 fingers.
/stumbles off muttering about kids not learning the basics these days...
You have to type in Factor twice!
Here's some folks that bring two-factor authentication to the masses without those tags or tokens: www.paynacea.com
Never used them, but they have a cool FAQ which is well worth reading.
I think good old Bruce is a fatalist.
Graceful - I like this one...
Uh oh... more work for me now....
I can envision Windows 2000 being the longest running and deployed OS in the SMB space ever now....
pi = sigma{n:0-infinity} [(1/16)^n] [(4/(8n+1)) - (2/(8n+4)) - (1/(8n+5)) - (1/(8n+6))]
If you want two-factor authentication, you can already get it with Linux, either with a variety of tokens/devices, or with simple strike-out lists. The necessary packages are pre-packaged for Debian and probably lots of other distributions.
My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.
Whats the price tag going to be on this?
Last time I looked at RSA, it was somewhere around $40,000 for 100 people.
There should be a choice for authentication methods, with a PAM-like model.
It's not too uncommon to see things like the RSA SecurID fob in the DC area. It's just a pseudo-random number generator that has a counterpart on the server's side (software with the same algorithm and the same seed to start with). Every couple hundred seconds it cycles to the next number on its list, so when you log in, you type in your password and the number on your fob, which then has to match the server's number.
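An added example, not code from the original thread or from RSA: a model of the fob and server described in the post above, plus the phishing relay that Schneier's man-in-the-middle description earlier in the thread relies on. It assumes an HMAC-SHA1 time counter (RFC 6238) in place of SecurID's proprietary algorithm, a constructed demo seed and PIN, and a one-minute step; `AuthServer`, `relayed_login` and the other names are made up for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 test seed). A real fob's seed is
# provisioned by the vendor and lives only in the token and on the server.
SEED = b"12345678901234567890"
STEP = 60   # the number changes once a minute, as in the Schneier quote above


def token_code(seed: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """The number the fob displays at time `now`.

    Assumption: HMAC-SHA1 over a clock-driven counter (RFC 6238). SecurID's
    real algorithm is proprietary, but the shape is the same: shared seed,
    counter derived from the clock, truncation to a few digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class AuthServer:
    """Server side: same seed, same algorithm, plus the PIN and a drift window."""

    def __init__(self, seed: bytes, pin: str, step: int = STEP, window: int = 1):
        self.seed, self.pin, self.step, self.window = seed, pin, step, window
        self.used_counters: set[int] = set()   # each code is accepted at most once

    def verify(self, pin: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        # Accept the neighbouring steps so a slightly drifted fob still works.
        for delta in range(-self.window, self.window + 1):
            t = now + delta * self.step
            if hmac.compare_digest(token_code(self.seed, t, self.step), code):
                ctr = t // self.step
                if ctr in self.used_counters:
                    return False            # replay of an already-spent code
                self.used_counters.add(ctr)
                return True
        return False


def honest_login(now: int = 1_000_000) -> bool:
    server = AuthServer(SEED, pin="4271")
    return server.verify("4271", token_code(SEED, now), now)


def relayed_login(now: int = 1_000_000, relay_delay: int = 5) -> tuple[bool, bool]:
    """Phishing relay: the fake site collects PIN + fob number and forwards
    them to the real server a few seconds later. The code is still inside
    its validity window, so the server cannot tell the attacker from the
    user. Returns (attacker_accepted, victim_accepted)."""
    server = AuthServer(SEED, pin="4271")
    captured = ("4271", token_code(SEED, now))          # typed into the fake site
    attacker_ok = server.verify(*captured, now + relay_delay)
    victim_ok = server.verify(*captured, now + relay_delay + 1)  # same code, second use
    return attacker_ok, victim_ok


def stale_replay(now: int = 1_000_000) -> bool:
    """The captured code submitted ten minutes later, after the window closed."""
    server = AuthServer(SEED, pin="4271")
    return server.verify("4271", token_code(SEED, now), now + 10 * STEP)
```

The window and the used-counter set are what make the fob better than a static password: a sniffed code dies within a minute or two and cannot be used twice. Neither helps when the attacker is forwarding the code in real time, which is exactly the case Schneier describes.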
It is not as though we didn't know that most MacroSloth windows experts SUCK at security any way...
MacOSX, because making *NIX better is a lot better than waiting for Micro$loth to fix Windows
But if your pessimist decides it's the best solution to sit in the corner and cry about the ugly world that isn't perfect, and the optimist actually does something, I would take the optimist.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
M$ software doesn't get hacked via logins, it's usually done via remote exploit. So putting two-factor identification on an M$ system ain't even as good as closing the barn door after the horse ran away.
It's more like patching the barn roof after the horse ran away. And came back. And ran away again. Then came back and eloped with the goat. Fifteen times.
I think he is pessimistic to indicate that there is no silver bullet.
His basic premise is that no (current) technology can create "security". Security must be a balancing act between technology, good administration, training, policy, etc.
True, he does do the "anti" thing a lot, but I think he just gets frustrated when companies like Microsoft try to push the idea that Technology X = Security.
Since I never go to fake banking websites, and my Unix never had a trojan (I believe :D), the two tricks don't affect me.
Certainly two-factor-auth is a step that I for one welcome!
Remember when MS was going to save the world with MS Passport centralized authentication? Well, now they will try again with another angle and tie it into Hailstorm.
I have to use a password and token at work and it's a pain in the ass. Most people won't want to use this system because they don't want a new token for everything they do business with. In Microsoft's world view, I'll have to have one or two for work, four for the banks I do business with, one to check on my mortgage, one to log into my computer, one to check my e-mail, etc. Where the hell am I going to put all these tokens? There needs to be a "one token fits all" situation, or there'll be riots. I don't want to keep track of twenty tokens just to use my computer.
My thought is that 2-factor will only really take off if MS implement it as standard - however then it will only work if you do it MS's way using software approved / created by them.
/. :) has realized (up to now) that this is a fine road to lock users/customers in.
Seems - if I did not miss something - that no one (even here on
To put a slight twist on the normal definition, for the home user two-factor is defined as:
1) Something you can lose
2) Something you can forget
I thought it was already pretty adventurous of OS X to make users log in all the time; to also provide a user something they can lose... that seems like it will have issues.
It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If you use Unix (no trojans) and never go to fake websites (I never did that; why should I??), you are unaffected by the two described possible workarounds.
Ok, maybe someone could manipulate a DNS account, but let's hope that gets fixed.
Learn some manners.
Nowhere did the GP's post or Schneier's article mention MS. In your blinding fit of rage you screwed up and extrapolated like a mental patient. You should apologise.
But he did - two channel authentication. As he said in his blog, two factor is solving a set of old problems which are largely mitigated using SSL, SSH, stronger passwords, and dual passwords.
The new problems, like identity theft, phishing, etc. that are causing much of the insecurity today with internet-based commerce will not be solved by two-factor authentication - since the consumer will likely not have the option of using a second (non-password) token for authentication, and even if provided, a man-in-the-middle attack can still be used to defeat this.
Two channel authentication could make phishing much more difficult than it is today, and have more true security impact than Longhorn's promise.
Yeah, but I just know that won't work out.
And if the optimist is wrong, and by going with the optimist you think everything is happy and sunshiney when in fact your system is actively being used to process stolen CC numbers, are you better off than the person who went with the pessimist?
As I see it, two-factor authentication may work fairly well for local installations, but for remote access it falls short of the security mark because it is still susceptible to trojan horses/virii on the user's system or to middleman attack between the client and server.
Thank you for repeating what the blog entry linked to in the summary said.
I think what Mr Schneier is actually trying to get across is that it will need to be implemented as part of a whole, not as "the" solution.
I see that often with firewalls. Companies deploy a strong perimeter defense, neglect internal auditing, internal security patches and then are shocked when some low level employee walks off with the candy store. "Why didn't the firewall save us?!"
Same holds true for two factor authentication. Is it an improvement? Yep. We use securID on all mission critical servers here.
Is it the end all, be all solution? Of course not.
Before Microsoft can credibly deploy a two factor authentication system, they need to clean house on their server codebase. An authentication server that has multiple administrator exploits in a year is not going to help me sleep at night and will not have me trading in my Solaris SecurID box anytime soon.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Yeah...I have a crappy version of windows, and I know it!
+1 Insightful?
And looking at the other peoples reply, man, that turned out to be an awesome troll (even if it wasn't intended to be one, i.e. you were just trying to be funny).
Oh goodie, yet another RSA keyfob to add to the ring. Let's see, there's the one for work, home, bank, car, McDonald's, etc... Can we try using RFID chips instead? That way I don't have to drive home to get the keyfob for work.
Think of a USB dongle as the second factor, "the key". Think of this USB dongle with a hard disk. The HD with a bootable operating system on it. And room left for all your sensitive data. Every day you take your "key" away from your desk -- leaving behind essentially keyboard, mouse, printer, monitor and a clueless motherboard.
The first factor would still be a password. Which could cipher the HD contents. Which could have, perhaps, a HW block against repeated login attempts (such as data self-destruction?).
Now, such a system could still be subject to a Trojan horse attack, from the net or another infection source. However, the chances of that happening could be greatly diminished by using a safer-than-MS-Windows OS. Perhaps an Open Source one. Perhaps a specific variation of an Open Source one.
Whoever buys a dear paca will pay dearly for the paca.
http://www.wikidsystems.com
Two Factor Auth over wireless devices. My friend Eric is the co-founder of the company.
I see this as valid for that application, but putting straight into the OS....I think not.
Sorry M$, Try again.
"God of Rock, thank you for this chance to kick ass. "
You have no idea what a truism that could be!!!
While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.
I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.
How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.
Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a typeable number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature, for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.
Once someone is authenticated, nothing occurs to make sure the person STAYS authenticated.
If I can break in on the conversation after the authentication has occurred, I can STILL see everything that occurs.
"Draco dormiens nunquam titillandus."
I think his point is that it is better to implement no security policy than to come to depend on one that is fundementally flawed and discourages further investigation.
WHOA. "Better to implement NO security policy"? I think not; he's not saying that at all. That's like saying we can't prevent all auto fatalities from occurring, so let's not implement any safety features.
His point really is that this is not the silver bullet solution, regardless of what M$ market-speak will try to spin it as (and to be fair, he focuses on banking industry market-speak and not Microsoft's; that part is mine). Also, there is no implication that once this method becomes popular it will somehow "discourage" further investigation; that was just something plucked out of the air by the parent poster.
The comments from Schneier do not make any sense to me. A man-in-the-middle attack is an attack on the network communications protocol rather than the authentication method. And a trojan is the end result of being hacked, rather than a hacking method by itself. He even comments that the trojan simply waits for the user to log in first. So what does this have to do with authentication?
Passwords dont seem to be the security flaw most of the time I would think...
Well, sir - the database with the signature hash for your retinal record was compromised, so we cannot regard your eyes as valid authentication tokens. Please consider your retinas revoked. Any attempt to continue in their use will be construed as an attempt to defraud, and will subject them to confiscation.
"Flyin' in just a sweet place,
Never been known to fail..."
Sorry, we have a correction:
Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of American beer.
Thank you.
There are three categories of ways you can verify you are who you say you are:
;)
Something you know: (password, PIN, mother's maiden name, etc.) This is the one we are all familiar with. You know your password and theoretically no one else does, so by giving your password you can verify that you are who you say you are.
Something you have: (smart card, RSA token, dongle, etc.) This is where there is something you possess that is somehow keyed to you and uniquely yours. Think hotel key. The way you tell your hotel room that you are the resident of that room is by presenting something you have, your hotel key. Theoretically, no one else would have that key, so it suffices to verify who you are.
Something you are: (fingerprint, voice print, iris, retina, facial structure, hand structure, etc.) This is the wide world of biometrics. Again, pretty simple: your fingerprint is uniquely yours, and by presenting it, you can verify that you are who you say you are.
Two factor authentication is simply having two forms of verifying that you are who you say you are that are from separate categories. We are all used to this already and may not realize it. When you drive up to an ATM, you insert your card (something you have) and type in your PIN (something you know) and then you can withdraw funds. Imagine if all you had to do was insert the card, or all you needed to know was your PIN; it would be disastrous.
Schneier concludes: Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.
I really think he missed the boat on this one. Yes, two factor authentication won't solve everything, but to claim that it won't have an effect at all is simply short-sighted. Back to the ATM example: yes, there are people that will swipe a copy of your card at the gas station counter, there are people that will lurk over your shoulder and get your PIN, and there are people that may simply put a gun to your head and tell you to enter your card and PIN and withdraw whatever you can, but Schneier is saying that it's no improvement over someone just having to copy or steal your card, or just figure out your PIN and not need anything else.
There are ways around two-factor authentication, but they are a lot more involved, require a lot more effort and sometimes access to begin with. Setting up a man in the middle is in a whole 'nother ballpark than calling someone up over the phone and convincing them that they should give you their password. Try then convincing that person to mail you their debit card and then tell me two factor authentication wouldn't have a significant impact.
Disclaimer: I'm usually a big fan of Schneier, don't call me a hater
My understanding is that two factor authentication generally means two of the following: something you know, something you have, something you are.
Could the "something you have" in this case be some physical artifact that comes with the media or machine and might thereby be difficult to duplicate, thereby reducing the opportunity for unauthorized copying and use of the underlying software?
If one of the factors is a physical key or a rotating passphrase generator, they'll misplace it. If it's a thumbprint, the reader will fail after six months of junior's greasy fingers and it never being cleaned. Et cetera. And home users will not tolerate being locked out of their computer. Nor should they.
http://alternatives.rzero.com/
ING Direct.com uses this method:
first establish an encrypted session through SSL so data is not sent in clear-text.
then ask for both the password (4-digit PIN) as well as a random question, such as first 3 of SSN, or last 4 of SSN, or birth year, etc.
Another solution for phishing attacks:
have a registry of all known financial institutions, and their domains (through WHOIS).
when a user accesses a financial institution, ask the user to input the name of the financial institution they're trying to access. If it matches the WHOIS, the website is legitimate.
For example:
a. user accesses www.chase.com
b. browser asks: "What institution are you accessing?"
c. user types in "chase bank"
d. browser checks WHOIS, then lets the user go through.
Scenario b.
a. user clicks on a phishing link to access URL 250.250.250.250 (let's say, www.phishnet.com)
b. browser asks: "What institution are you accessing?"
c. user types "wachovia"
d. browser checks WHOIS, sees a mismatch, then notifies the user of the phishing attack and denies access.
I first read the subject line and wondered how could "the f*ing article" fail?
.. i stab at thee! (penny-arcade)
I can see his point about possible exploits for two factor authentication schemes.
But, can't you mitigate Man in Middle attacks by securing the transport? If you used SSL (or even IPSec), with client certificates, you could authenticate the user's session based on his certificate. Then, using a strong authentication for each transaction (matched with the user identity from the SSL Cert) would provide a fairly strong structure.
Of course, that wouldn't necessarily stop a trojan running on the client machine. But, what would?
In any case, each of these security measures would raise the bar for attackers / phishers. So, I don't think they should be dismissed because they don't solve 100% of all theoretical problems.
What other alternatives are there for remote logins?
A car to drive you to the remote location. The car key would be the 'something you have' and your parking spot would be 'something you know'.
MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.
I'm not tense. I'm just terribly, terribly, alert.
You don't read his newsletters, do you. He DOES give ideas that he thinks will work. Schneier makes the point that what DOESN'T work is expecting any technology to make security easy. Anyone who accepts this flawed idea becomes a target for hackers (or terrorists). Schneier's idea for something that will work is HARD WORK coupled with INTELLIGENCE. After all, "security" really means "keeping people out." People are adaptive and intelligent. No security measure works forever.
Suggested approaches included: The user would be presented say 5 rows of ten photos, and asked to pick one photo in each row. Each time the logon is done the order of the photos changes. An alternative (better) approach would be to present a photo of a collection of objects and the user must click on several of the objects in the photo in a certain order.
perhaps MS aims to combine this with a password to avoid making the photo selection have to have too many layers for combinatorics?
Of course this only works for graphical sign on. Handling text based remote login would require smartcards or something. But then again are there any text based devices left? I mean if you can pull up an ssh-terminal these days you nearly always can pull up a full browser window that could handle the pictographic interface.
Some drink at the fountain of knowledge. Others just gargle.
You probably meant "looze".
No, it's loose, as in "let loose the hounds!"
Let us say that this proxy isn't benign, though. It intercepts the login phrase sent to it and sends a duplicate to the intended destination. The intended destination now sets up a secure line to the proxy, say via SSL. The proxy now has to set up a similar line to the person they are phishing from.
This is the only hard part in the sequence - obtaining the target's security certificate. However, a few years ago, hackers were able to obtain Microsoft's certificates by phoning up the provider and asking for a copy. It is improbable that security has improved that much.
(Despite massive thefts of credit cards and SSNs over the years, sites are STILL storing such information on unsecure servers in an unsecure form. Security doesn't improve because it's needed. It improves only when there's a near-riot by consumers and the company has no alternative.)
You can achieve a reasonable level of security if servers use One Time Passwords, both servers and clients need certificates, AND you use IPSec to both authenticate the end-points AND to prevent eavesdroppers from obtaining enough related information that decryption becomes possible.
(That last part is often neglected, with SSL/TLS and other encryption forms used only for specific items. Anyone who has been in or worked for the military is aware of STUs - Secure Telephony Units - and how NOT to use them. You begin encryption ASAP, you do NOT chit-chat first. The same rule applies to Internet traffic. If you want it secure, it must ALL be secure. Start to finish.)
I'd throw in one other factor. You can't break a cypher if you don't know what the cypher is. I would therefore suggest that, on setting up the connection (via a different medium) the encryption algorithm is shared between the two parties.
As both sides know the algorithm used, that information need never be transmitted again. It is simply applied at each end to encrypt and decrypt the messages as they are passed. It's not as good as doing a genuine one-time pad, but it would be more environmentally friendly than making and breaking DVDs by the millions on a regular basis and would be "good enough" to stop most attacks.
By algorithm, I don't mean a key. I mean an algorithm. For example, customer A may have it set so that all communications with their bank are encrypted using the 3DES block cypher, using the 2DEM encryption mode, with the SHA-256 hash used for digital signatures for message authentication. Customer B, for the same purpose, may be using the Rainbow block cypher, using the IAPM encryption mode. IAPM handles the authentication, so no additional signature is required.
This would not be invulnerable. People want to be able to access their data from any computer, which means that you'll have people accessing bank accounts from untrusted machines (may have keystroke monitors or other internal nasties) and therefore would involve putting confidential information on them (which someone can always read back later).
On the other hand, I don't see how you could get much better security than this would offer, at the kinds of levels of cost and effort that users and companies would be willing to spend.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Actually, Bruce often advocates solutions that actually work. Take airline security. He advocates putting security doors on the cockpits. That will do more to prevent hijackings and increase security than all the TSA guards you see milling about. It's also cheaper and less intrusive.
That said, I also think his analysis of man in the middle attacks is a little flawed. The problem is that the vulnerability lies in clients not authenticating the servers. If the client (via the security token) encrypts the stream before sending it out, that should prevent man in the middle attacks. Typically then, you might need one token for each server (or group of servers) that you want to access. On the other hand trojans are nearly impossible to beat. They have access to the token and they can steal your username/password unencrypted.
bance.net
Ok, but this article is not about security in general. The title of his article is "The Failure of Two-Factor Authentication". Aside from that, he also goes on to state "see how two-factor authentication doesn't solve anything?". I've read many of his articles but this one doesn't offer any real words of wisdom. Two-factor authentication has a place in security but it is a small place and is useless unless it is part of a larger more well thought out scheme. Schneier makes none of these points. Instead he makes it seem like it's worthless no matter how you use it.
Please scan your thumb...hello Anonymous Card...would you like to buy more porn today?
.NET Universal sign-in where the company needs permission from user in order to login.
Kind of like on Minority Report
Though this could work with something like
Right now we only have SSN's where anyone can use it without authentication.
They are called ATMs. I don't know why that hasn't come up constantly in this discussion--it's a perfect example and everyone is intimately familiar with the concepts.
The last 2 digits in your body weight
:)
Great, then you'll get pop ups trying to sell you Atkins products
If you could reason with religious people, there would be no religious people
With Hells Heart I stab at thee.
For Hate's Sake I spit my last breath at thee.
"God of Rock, thank you for this chance to kick ass. "
Both of the examples given on why this does nothing are shaky at best. In both examples it relies on the perpetrator to hack *at the time that the user is logged/logging in*. In both cases two factor auth has the advantage of not allowing subsequent logins after the one compromised one. Of course the damage can be done at the time the user logs in, but it ups the level of sophistication an attacker needs to be successful as well as the likelihood that the user is going to notice.
In the case of remote servers and such, it really eliminates a substantial portion of the threat altogether. Yes, an attacker *might* be able to set up a fake server for a man in the middle attack, but that's pretty unlikely to succeed. Piggybacking and preventing the user from actually logging off could work, but how much is that really going to gain them if they are not able to log in again (gotta be careful who has access to add authentication methods of course).
Two factor also *GREATLY* decreases the threat that Kevin Mitnick claims is the biggest threat of all. Yes, an attacker can still get a user to give them the current pass code, but once again that's only good for one login. The likelihood that the user is going to stay on the phone and keep reading passcodes is pretty low. Once again this relies on the idea that the two factor auth needs to be pretty secure in that it's not bypassable (i.e. log in with a passcode then issue himself a non changing password) but it adds a layer of security and eliminates a substantial threat.
I'm sure that there are other eventualities that I have not considered, but to claim that password issues are a security issue of 10 years ago is just stupid and out of touch. The author is obviously looking for a magic bullet that will solve all his security problems in one fell swoop. I have news for him: it doesn't exist. Two factor auth solves a few problems which anyone with an open port 22 the last few months knows for a fact still exists.
looks like they also support strong authentication via other clients as well, including windows, mac and *linux* http://www.wikidsystems.com/technology/clients (company site)
Just a thought: The MS Windows Mobile OS should come bundled with a background app that sends token keys, like the RSA keychain I am holding. It'll drive sales of phones using their OS, and be an easy way to distribute quality authentication hardware.
Adding two-factor authentication to Windows would be like using a Medeco lock on a bike chain made of overcooked spaghetti.
no security hole "to be named later" was involved?
Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.
After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.
This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
I hadn't ever heard about this two-factor authentication thingy yet. According to this paper, an example of two-factor identification is an atm machine card and a PIN code. One identifies who you are, the other is matched to the first and only if you have both, you're in. Theft of either of the two doesn't compromise security.
;)
So if I got this straight, first MS had two-factor identification (username and password), then allowed the users to click on a username (icon) so that they would only need to enter a password. Now they go back to what they did before and market it as better security. Of course I must be missing something - another poster pointed out two-factor authentication as being a combination of 'something you have and something you know', meaning a tangible object and something that goes along with it. Biometrics come to mind; fingerprint-recognizing keyboards have been around for ages at low price but never seemed to catch on because fingerprint scanners are too easy to fool. With this two-factor authentication thing, finally we would be able to use our fingerprint for logging in, but without the promise of never needing passwords anymore... instead it is added to the password as an extra layer of security. But in any case the 'something you know' probably keeps coming down to either (still) a password, or answering secret questions about your early childhood that you really wouldn't want anyone to know about. Great opportunity for people to start blackmailing you.
Did I get that about right?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
The two attacks mentioned by Schneier can be thwarted using strong authentication.
First, the session hijacking attack: Any two-factor authentication system can thwart this attack if the banks require a second one-time passcode for processing a transaction - in addition to authenticating for the session.
Second: pharming, DNS-cache poisoning:
I can tell you at least that our solution (http://www.wikidsystems.com/) can stop this via our PC client (yes, runs on Mac & Linux). We encrypt a PIN and send it to the server. The server responds with the one-time passcode encrypted. If DNS is down, no passcode. I suspect that some challenge-response systems might also block this, but I don't know.
As for the MITM attack, it is possible to extend a PC client to stop this as well.
I would expect more from Schneier on this front. Disappointing, IMO.
It's far-fetched, but I still wouldn't put it past Microsoft.
That's Melville, not Kahn, for those who don't know.
They can be more easily compromised than can a smart card. If I can get you to look into my retinal scanner, I can easily steal your retinal pattern (think of ATM card reader scams). However, since your smart card constantly produces new pass keys, I would have to actually steal your card.
#1. A delay between password attempts.
#2. Lock out the account for 15 minutes after 3 incorrect attempts.
#3. Log the failed attempts, lock outs and the correct logins after failed attempts & lock outs.
#4. Have a good network administrator MONITOR THOSE LOGS.
#5. Mandatory password changing.
Too often, people focus on attempting to build unbreakable passwords (as with this article). Don't even bother with that. Given enough time, your password will be cracked. Even if it requires an RSA token and your fingerprint and a 15 character, random password.
That means that you have to be too secure with too many items for too long.
Scenario: a new neighbor moves next door to you. He likes the same things you do and you hang out with him a lot. How difficult is it going to be for him to get your finger prints and to "accidentally" pick up your RSA token over the next year? That just leaves your password.
It always comes down to your password.
The system MUST be able to handle security based only upon your password or it will NOT be able to handle security when the physical identifications are compromised.
And the way to do that is to log EVERY attempted login and to have a person read the logs and look for changes in the patterns and delay the login attempts enough so that a person CAN review the logs BEFORE access is gained.
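The five controls listed above, as an added example in Python (not code from the thread): a minimum interval between attempts, a 15-minute lockout after 3 failures, a log of failures, lockouts and successes-after-failure, a mechanised first pass over that log for a human to review, and a password-age check. The account store, timestamps and passwords are constructed for the demo; the lockout and interval values are the comment's.

```python
"""Login throttling, lockout and logging, modelled after the five points in the
comment above. Everything here is a constructed illustration, not a real product."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_INTERVAL = 2.0            # #1: seconds that must pass between two attempts
MAX_FAILURES = 3              # #2: failures before lockout...
LOCKOUT_SECONDS = 15 * 60     # ...and how long the lockout lasts
PASSWORD_MAX_AGE = 90 * 86400 # #5: mandatory change after this many seconds


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: float
    failures: int = 0
    last_attempt: float = float("-inf")
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginGuard:
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.log: list[tuple[float, str, str]] = []   # #3: (time, user, event)

    def add_user(self, user: str, password: str, now: float = 0.0) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns one of: ok, change-password, denied, locked, throttled."""
        acct = self.accounts.get(user)
        if acct is None:
            self.log.append((now, user, "FAIL unknown-user"))
            return "denied"
        if now < acct.locked_until:
            self.log.append((now, user, "FAIL locked"))
            return "locked"
        if now - acct.last_attempt < MIN_INTERVAL:        # #1: delay between attempts
            self.log.append((now, user, "FAIL too-fast"))
            return "throttled"                              # does not count as an attempt
        acct.last_attempt = now
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            if acct.failures:                               # #3: log success after failures
                self.log.append((now, user, f"OK after {acct.failures} failures"))
            acct.failures = 0
            if now - acct.pw_set_at > PASSWORD_MAX_AGE:     # #5: mandatory change
                return "change-password"
            return "ok"
        acct.failures += 1
        self.log.append((now, user, "FAIL bad-password"))
        if acct.failures >= MAX_FAILURES:                   # #2: lock the account
            acct.locked_until = now + LOCKOUT_SECONDS
            self.log.append((now, user, "LOCKOUT"))
        return "denied"


def review_log(log) -> list[str]:
    """#4, the part a person must do, given a head start: users who were locked out
    and later logged in successfully. These are the pattern changes to look at."""
    locked, flagged = set(), set()
    for _, user, event in log:
        if event == "LOCKOUT":
            locked.add(user)
        elif event.startswith("OK") and user in locked:
            flagged.add(user)
    return sorted(flagged)


def demo() -> list[str]:
    """Three bad passwords, a lockout, a login inside the window, then a good one."""
    guard = LoginGuard()
    guard.add_user("alice", "correct horse", now=0.0)
    results = [
        guard.attempt("alice", "wrong", 0.0),               # denied (failure 1)
        guard.attempt("alice", "wrong", 1.0),               # throttled (too fast)
        guard.attempt("alice", "wrong", 3.0),               # denied (failure 2)
        guard.attempt("alice", "wrong", 6.0),               # denied + LOCKOUT (failure 3)
        guard.attempt("alice", "correct horse", 10.0),      # locked, even with the right password
        guard.attempt("alice", "correct horse", 6.0 + LOCKOUT_SECONDS),  # ok
    ]
    return results + review_log(guard.log)


if __name__ == "__main__":
    print(demo())
```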
Google is now beta-testing yet another new service, Google-login, it stores all your passwords and biometrics and has advanced algorithms that copy the functionality of onetime-tokens.
Very cool indeed. That's a completely different, refreshing, approach to two-factor authentication.
Of course there's a massive possibility I've just never bothered to look anywhere else for it.
Cleverly hidden beneath the keyboard.
There, no more lost smart cards.
What we REALLY need is an incentive system (think "positive reinforcement") for people who follow good security practices.
Instead, we have positive reinforcement for bad practices.
New source of revenue.
1. Design Longhorn to only accept Authentic Microsoft Certified Smart Cards (which can only be purchased from Microsoft of course).
2. When you buy the card, it's good for a year. After that you need to renew your smart card license.
Suppose you require two factors
1. Something you know (password)
2. Something you have (cell phone)
Your phone could have a custom Java Midlet installed. These are easy to get installed, but they are not necessarily easy to get uninstalled. Even if there are utilities to get a midlet uninstalled so that you can install it to a different phone, it may not be so easy to get to the smallish "preferences" data that the midlet api allows the midlet to store within the phone. i.e. the "preferences" data in the phone is not part of the midlet application, and may not be retrievable. Or it may.
The Java Midlet in your phone can be YOUR key frob. A much cheaper alternative to those expensive RSA key frobs.
The idea is this. That little Java Midlet in your phone gives you a PIN that changes every 60 seconds. That PIN must be the same as the one that the login is expecting.
Furthermore, during login, the server could SMS or e-mail you a third PIN that must also be entered. (Or the Java Midlet could transparently, securely interact with the server to negotiate this.)
Now in order to log in, you are checking that you know your password, and have YOUR cell phone.
Second Idea...
If I want to interact with MY OWN server from an untrusted location, such as a Cafe, I would only want to interact through a custom Java Applet running in the browser.
I go to Cafe. Bring up IE. Visit my server. Log in, using a password. Now server sends my browser a Java Applet. The browser runs this, and it connects back to my server using a secure connection directly from the Applet back to my server. Now, all interaction with my server is via my Applet, which is MY code, that I can somewhat trust. My Applet can then prompt me for the Phone PIN, which I get from my cell phone (which might further have been obtained via additional phone and server interaction).
The Java Applet in the browser, can in fact, be a "remote pixel viewer", such as the VNC applet. But with custom (or just "obscure") protocol negotiation.
The only trust that I place in the untrusted IE browser is that it can correctly execute a Java Applet. Part of the negotiation between my Applet and my server could include the Applet sending a (function of) a checksum of the Applet classes (from the loaded in-memory classes) back to the server.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
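The "PIN that changes every 60 seconds" from the cell-phone idea above, as an added Python example (not the poster's Midlet, and not from the thread): the phone derives six digits from a shared secret and the current 60-second step, the server checks password plus code, tolerates one step of phone clock drift, and refuses to accept a code it has already accepted. The HMAC-over-time-step construction is my illustration (the same shape as TOTP); the secret, password and timestamps are constructed values.

```python
"""Time-based one-time code for the 'something you have' factor (phone) plus a
password for the 'something you know' factor. Constructed illustration only."""
import hashlib
import hmac

STEP = 60  # seconds per code, as in the comment


def phone_code(secret: bytes, now: float) -> str:
    """What the phone app would display for the time step containing `now`."""
    step = int(now // STEP)
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Server:
    def __init__(self, secret: bytes, password_hash: bytes):
        self.secret = secret              # provisioned to this user's phone at enrolment
        self.password_hash = password_hash
        self.used_steps: set[int] = set() # steps whose code has already logged someone in

    def login(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self.password_hash)
        current = int(now // STEP)
        code_step = None
        for step in (current, current - 1):   # accept current step and one step back (drift)
            if hmac.compare_digest(phone_code(self.secret, step * STEP), code):
                code_step = step
                break
        # Both checks always run, so timing does not reveal which factor failed.
        if not pw_ok or code_step is None:
            return False
        if code_step in self.used_steps:      # replay of a code sniffed during this minute
            return False
        self.used_steps.add(code_step)
        return True


def demo() -> tuple:
    secret = b"constructed-shared-secret-for-demo-only"
    srv = Server(secret, hashlib.sha256(b"hunter2").digest())
    t = 1_700_000_000.0                               # constructed "now"
    code = phone_code(secret, t)
    ok = srv.login("hunter2", code, t)                # right password, current code
    replay = srv.login("hunter2", code, t + 10)       # same code again, same minute
    stale = srv.login("hunter2", phone_code(secret, t - 3 * STEP), t)  # three minutes old
    wrong_pw = srv.login("wrong", phone_code(secret, t + STEP), t + STEP)
    drift = srv.login("hunter2", phone_code(secret, t + STEP), t + 2 * STEP)  # one step late
    return ok, replay, stale, wrong_pw, drift


if __name__ == "__main__":
    print(demo())
```

An out-of-band third code (the SMS idea in the same comment) would be a second `used_steps`-style table keyed by a random value the server generates and expires, rather than by the clock.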
It is a stupid idea. I had to use one of those RSA cards to log into the dial in at work. It was a pain in the ass to use but I used it. They paid me to use it. Now mickysoft is going to require me to use one when I log on to MY computer at my house? I don't think so.
Joe Sixpack hates passwords and logins on his machine at home. The good part is this can be disabled. Now they are going to increase the login process and make it harder? I don't think so.
More security doesn't always equal better security.
Supporting World Peace Through Nuclear Pacification
So companies and individuals should NEVER rely upon it 100%.
Anyone who DOES rely upon any method, 100%, will be scammed, looted, etc. That is what he keeps saying. Again, the REAL problem is people who BELIEVE that it is 100% secure.
It isn't.
We know it isn't.
He knows it isn't.
And he's telling people that it isn't and to not trust it 100%. WHOA THERE!!!
You seem to believe that there's something WRONG with him telling people that such-and-such is NOT "a 100% perfect solution" and that people should NOT trust it 100%.
I think he's doing a great job because the vendors selling those "solutions" will NOT be telling you about the problems.
Bruce is, once again, pointing out that security is a process, not an end item. You cannot be "secure" simply because you require two methods of authentication.
Read Bruce's paper on "attack trees" to see how he illustrates that. People focus too much effort on getting from 99.9% "secure" passwords to 99.95% "secure" passwords when other avenues of attack are wide open.
OK - I know how stupid some users are with passwords.
I know people that have their passwords on post-its, I know people that use precisely one password for every single website/logon they are ever faced with. I also know people who have passwords 16-24 letters long, including no english words, and at least 2 each of lower case, upper case, numbers, and punctuation.
And you know what? I don't know ANYONE who's had their password cracked or guessed. I know plenty of people who have been 0wnz0r3D by spyware, and trojans, and diallers, and people whose corporate networks have been hacked, and had bots installed on them. But I've NEVER even MET anyone who said, in response to the question 'Hacked eh? How'd they get in?', the words 'Oh, they guessed/cracked my password'.
The fact is, there are easier ways in - as long as your password isn't 'password', '123456', or 'toor' - people will get sick of trying to guess it very rapidly, and just exploit the latest BoF instead.
Do we really need TFA? in the future, maybe - but right now, not on your nelly.
Bit late on the first idea... http://www.paynacea.com/ (Uses phone for authentication).
This will work wonders in the business world. No more leaked alphas, no more incriminating evidence leaked by disgruntled ex-employees.
Awesome.
That's just the fact of the matter.
So, the appropriate response would be to LIMIT the possible damage by limiting the functions/transactions allowed.
From their FAQ it doesn't sound like quite the same idea. I was thinking of the server sending you an SMS or e-mail with some PIN that you enter via the computer. Their product seems to require that they call your phone, and you then enter at least a portion of the login via the phone keypad.
Also, I was thinking of the usefulness of being able to run a Java Midlet in YOUR cell phone. Every modern cell phone that I've seen in the last couple years can install and run Java Midlets. Even the cheapo phones that they give away for free with service activation.
It would be possible to customize the Java Midlet per-user's phone. I was thinking of the phone as a check Key Frob. Instead of paying RSA a $$$BUNDLE$$$ for key frobs, use Midlets inside of common cell phones.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
The folks at M$ aren't too bright.
Supporting java apps on various phone types is a nightmare. (I know, I've had to do it, I don't do it anymore, Me happy now).
Different phones have different install mechanisms, requirements etc.
It's hard enough supporting a customer who can't power on their machines. How in hell are you going to get them to setup midlets on their phone?
OK. As things stand today, I can create accounts all over the place that are not in any way traceable back to me.
If the OS REQUIRES an additional token to establish an account and that token can only be acquired by registering (with MSFT?) to get it, Microsoft is saying that we will no longer be able to access computers w/o leaving an audit trail that points back to our actual identity.
Naturally, the encrypted partition is empty because I can't think of any sensitive data I'd want to hide. Most of the time, the linux prompt scares all my colleagues away and that's good enough security for my (legal!) MP3s they might want to listen to... :-)
P.
Why not have financial service providers, banks, and places like eBay encrypt their email using PGP or S/MIME? When you sign up for these providers, you would give them your public key, and they would generate a public/private key pair just for transactions with you, and give you the public key to add to your keychain. From then on, all communications to your email address would be signed/encrypted by them, and that could be checked to the key on your computer. Furthermore, if you wanted to do a secure transaction, they could verify your identity by requesting a signed/encrypted email from you.
A system like that would be easy enough to implement without having to deal with biometrics/daily codes/dongles/etc. However, the main problem would be getting people to install PGP or GnuPG on their computers and learning how to use it. I have enough problems getting my friends to encrypt! Maybe if you gave it a slick name, people would install it... something like PhishFarm... or Gator...
If you want the best business, hire the realist, not the obstructionist.
> Don't forget "something you are", as in biometrics.
---First day of work, sometime in the near future.
Manager: "Okay this is your workstation. Notice the biometric interface."
*new guy notices*
Manager: "Now try it out"
New guy: "Try what out? It looks like someone forgot to insert something in there. Like a CD drive or something."
*Manager whistles, looks up at the ceiling, and whispers something to the new guy*
New guy: "You want me to put my what in where?"
Manager: "You want this job or not, kid? Windows ain't loading without your weenie."
Your post is legible.
Your sig and bofh link say otherwise.
You are retarded.
Do you love freedom??? Do you love freedom!!! DO YOU LOVE FREEDOM!!!!!!!!
This is a play to keep the U.S. Government as their customer. Microsoft has had a bunch of APIs for handling smart cards for a really long time, so this isn't new.
The U.S. Government (NIST) is creating a standard for identification and authentication and any vendor wanting to keep those government contracts going will need at least the appearance of compliance. The NIST url is http://csrc.nist.gov/piv-project/
A related comment:
I agree with another post that the smart card is a good way to make some kind of super-DRM, but the cost of a USB dongle would be prohibitive and not very marketable and I don't think the mobo makers would play Microsoft's game by allowing a surface mounted smart card module on the mobo that *only* Microsoft controls.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
You know, if you are going to use a biometric-and-password system, how will you log into a remote system? You could scan yourself locally and send the result by network, but that is only as secure as the encryption. Anyone who can read that data now has your biometric information in convenient electronic form.
Just a thought, it may not even have any merit, but I thought it was worth bringing up.
Klingon programs don't timeshare, they battle for supremacy.
"two factor authentication can fail us."
So can passwords....
My voice is my passport. Verify me.
...that Microsoft has essentially blown off the Liberty Alliance. And that there is no sign that if they tie the authentication scheme into AD, that they intend to use SAML for SSO.
Windows Web SSO uses Kerberos under the covers now, so when you pass NTLM authentication to one IIS server, and that IIS server is part of a Windows domain, it can pass your authentication to AD, which is acting as the KDC, and you get a TGT. Wow, that's a lot of acronyms.
But, what MS should be doing, is moving away from Kerberos and towards SAML. And by blowing off the Liberty Alliance, they are saying, hey we may develop standards for authenticating a user via our new fingerprint reader keyboard to AD, but we'll publish how that protocol works, and it probably won't be SAML based, so go fuck yourself.
It's brash and really not in keeping with the way Microsoft has been handling authentication. They've been bullies in many areas, but when it came to authentication, they were on standards. Microsoft's IAS is a fine RADIUS server, supports many EAP types, and works well.
Schneier knows that overall security is improved simply by the process of weeding out poor solutions in a public forum. Willingness to go through harsh peer review is what makes the scientific method so successful at explaining the physical world, and the same process should be applied to security. This is why openbsd or linux is more secure than Microsoft windows.
Schneier has also made significant contributions to security products that DO work including the blowfish/twofish encryption algorithm.
------ Take away the right to say fuck and you take away the right to say fuck the government.
What the hell? Go read his monthly newsletter, it is full of things that he's excited about and that MIGHT improve security. He gives praise where praise is due, and he points out flaws that are easily apparent to a security expert that non-experts may overlook.
Schneier is all about incremental steps and small improvements, with security being a multi-tiered model (as demonstrated in his books).
His newsletter:
sorry to reply to my own post, but the link didn't work, here it is again:
http://www.schneier.com/crypto-gram-current.html
You go to your bank's website, and type in your account number and the ATM card number/id. A new screen will have an 8 digit code and an input field.
Next, you stick your ATM card in a device, you have to enter your personal 4 digit PIN number, then it's ready. You enter the 8 digit code into the device, and it returns a 6 digit code. You enter that in your browser, and you're in.
That means:
- you have to have access to the card
- you have to know the PIN code
- sniffing is out of the question (every login gives a new 8 digit code with new 6 digit reply)
The devices are cheap, and not personal. Seems like quite a nice solution imho.
ps: PIN = personal identification number afaik, main advantage is it's short, and my (i think more) bank(s) allow you to change it to something you can remember easily
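The card-plus-PIN challenge/response login described in this comment and in the Rabobank one above, as an added Python example (not any bank's actual algorithm and not from the thread): the server issues a single-use 8-digit challenge, the card, once unlocked with the PIN, answers with 6 digits derived from its secret and the challenge, and a sniffed answer is useless against the next challenge. The HMAC construction, key, PIN and account id are constructed assumptions.

```python
"""Challenge/response with a chip card and a PIN, modelled on the bank login
described in the thread. Constructed illustration only."""
import hashlib
import hmac
import secrets
from typing import Optional


def _six_digits(key: bytes, challenge: str) -> str:
    """Shared derivation: HMAC over the challenge, truncated to six decimal digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Card:
    """The personal chip card. The key never leaves it; the cheap, non-personal reader
    is just a keypad and a display, so it is not modelled separately."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        """Six-digit reply for this challenge, or None when the PIN is wrong."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None                   # 'something you know' failed: card stays silent
        return _six_digits(self._key, challenge)


class BankServer:
    def __init__(self):
        self.keys: dict[str, bytes] = {}      # account -> card key, shared at issue time
        self.pending: dict[str, str] = {}     # account -> outstanding challenge

    def enrol(self, account: str, key: bytes) -> None:
        self.keys[account] = key

    def new_challenge(self, account: str) -> str:
        """Fresh 8-digit challenge; replaces any earlier one for this account."""
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[account] = challenge
        return challenge

    def verify(self, account: str, response: Optional[str]) -> bool:
        # The challenge is consumed whether or not the answer matches, so each one
        # is good for exactly one attempt.
        challenge = self.pending.pop(account, None)
        if challenge is None or response is None or account not in self.keys:
            return False
        return hmac.compare_digest(_six_digits(self.keys[account], challenge), response)


def demo() -> tuple:
    key = secrets.token_bytes(32)             # written to the card when it is issued
    card = Card(key, "4321")                  # constructed PIN
    bank = BankServer()
    bank.enrol("acct-demo", key)

    c1 = bank.new_challenge("acct-demo")
    r1 = card.respond("4321", c1)
    genuine = bank.verify("acct-demo", r1)    # normal login

    bank.new_challenge("acct-demo")
    replayed = bank.verify("acct-demo", r1)   # sniffed reply against the next challenge

    c3 = bank.new_challenge("acct-demo")
    wrong_pin = bank.verify("acct-demo", card.respond("0000", c3))

    no_challenge = bank.verify("acct-demo", r1)   # nothing outstanding: nothing to match
    return genuine, replayed, wrong_pin, no_challenge


if __name__ == "__main__":
    print(demo())
```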
... that can only think of one way to spell a word.
So the old quote goes...
You understood what I meant obviously, so you are just being anal. I can't help but notice that any critiques have all been posted AC so we can't see your brilliant spelling at work in other posts.
Ahh, it is so easy to throw stones from the ranks of the AC!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Almost _ALL_ organizations would rather do something stupid this afternoon, than think about what they should do. Finally, almost none of them have read Schneier's books.
As I suspect you haven't either.
I happen to believe "Secrets and Lies" is up there in the top 10 most useful computing books ever written, right up there with Fred Brooks's The Mythical Man-Month.
How about giving us some ideas that *you* think will work.
Here's one: Don't get complacent.
That's what he's saying. You can't afford to believe for a minute that X (say two-factor) is going to make your system radically more secure. He's saying "Don't assume that it isn't the weakest link in your security."
I think you just told us a little too much about YOUR underwear. Step away from the keyboard.
Unfortunately, MSFT has enough vulnerabilities between the OS, IE, ActiveX, and apps that even multiple biometric tests would not protect their OS (except by being unplugged from the network and the internet).
I understand that MSFT does have a solution to the rampant security holes in their product line, which is foolproof. MSFT can embrace/extend Webster's Dictionary's definition of "security". The Dubya regime has used similar tactics in the definition of "crisis" and "WMD" and "freedom". This tactic does appear to work in certain parts of the world...
Don't forget, biometrics are not revocable.
Once stolen, never usable again.
Kinda makes you an unperson, huh?
http://shit.slashdot.org/article.pl?sid=05/03/16/1820248
What Bruce Schneier mentioned about phishing sites and bank websites...
In real life (I know the internet is real too), what would you do to make sure that the building you are walking into is the real bank? You check the signboard and the shirt tag of the guard at the gate.
So why not display a random number on the website every time you go there, and the number is the same as the token given to you by the bank.
Agreed, a trojan can sign in with you. But it cannot create a payee to siphon your money or do a transaction, because you will need to authorise those with a code which the bank will send through another channel (e.g. SMS).
Something you know...
Well, besides "What is your password?", you get something like:
"What is your favorite number?"
(for demonstration, actual ones will be [hopefully] more complex)
Now, let's say I put "Cerulean!".
What if:
I misspell it "cerulian", repeatedly
I keep thinking blue, sky blue, etc.
I forget the exclamation point.
I forget capitalization.
So, then I call tech support, people so tired of their job and eager to get over whatever it is, i.e., give me "my" information back/reset it.
And relying only on what I am and/or possess seems to be really cumbersome.
Biometrics are expensive, and they don't always work.
Any key [or generation] device can be lost/taken/destroyed.
I like to laugh at the retards from Slashdot because they want to bash M$ because they are jealous. It's like they are the dweebs in school talking about the popular kids behind their backs and complaining because the popular guys are banging all the hot chicks in school that won't give them the time of day. It's just that the Dumb Hot Chicks are the average consumer. And the dweebs hate the fact of lying in bed alone at night all sad, wishing for the girl while the Real Man is giving it to her. They have all the control because they are popular... wahhhh wahhhh... She needs someone who will be good to her and not treat her like that jerk does. Why does she love him? I would be so good for her. Why doesn't she want me? All he does is brainwash her. Cry cry cry..... Maybe they got their way because they are better than you and play the game better. Some people got it, and the ones that don't want to hate the person that has what they want. Turns the stomach. If you're better, take over; make the dumb girl (Average User) see why you're better. Don't cry and say M$ is a jock football player, they are bigger than me... and those wedgies hurt.... That's the world, and you can never admit that because you know you would have to admit what a loser you are, and we can't have that. Can we?.... Now flame on and whine about how you're better... if only she would just give you a chance. That's all you need, right?... Go kick their ass and take over, prove me wrong, OR prove everything I said and lay down, take it in the ass and post all your little comments about how stupid it is and you're so much better but the little consumer just ain't smart enough to see how good you are... :) ..... Sorry if that brings back those repressed childhood memories.... But it's the same thing..... Beat their ass or STFU :-)~
I had forgotten you could do that; I always preferred to log in, so I left it that way.
Actually, I like the way it is as a default. It also helps people remember the admin passwords which they might need from time to time.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But I wonder if this system is going to work all nice and cross-platform, or if it's going to be another one of those ways MS throws its weight around. Anyone know any information regarding that?
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
So, now half the companies I deal with will want to send me their secure ID card... what's that, like 15 cards at least? No friggin way.
So, then Microsoft comes along and says "We have this thing called Passport, so your customers can use a single secure ID card to sign on to everything.".
Pretty soon, every site uses Passport and you have to get a Passport account to get anything done.
I think we've seen this strategy before from MS, let's see if it works this time.
Here are two new active attacks we're starting to see:
Man-in-the-Middle attack. An attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.
See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
To summarize the logic here, there are two new attack forms that can bypass two-factor authentication. Hence it doesn't solve "anything". I don't quite understand that logic. It's like we're the equivalent of a bunch of Victorian prudes discussing security virginity. I.e., if an attack can get in some conceivable way, then the system is impure and worthless. The question here should be whether the costs of implementing two-factor authentication are outweighed by the benefits. Frankly, it sounds like breaking in requires more work for the intruder than a system without such authentication. Even Schneier admits that two-factor does make the target more difficult (which incidentally is the point).
Finally a security policy, good or bad, doesn't "discourage" investigation or the implementation of better security policies down the road. What's really going on here is that we have parties that have little interest in providing security (eg, Microsoft) because that costs them. So they provide as little security as they can afford to get away with. Even banks are notorious for stupid things like freezing an account after a person goofs a password three times in a row. In that light, Schneier makes some sense.
Ultimately though, I think Schneier suffers from the same trap he supposedly fights. Reducing security to saying a security strategy doesn't work because there's a conceivable way that intruders can bypass it, ignores that proper security is intended above all to raise the cost of intrusions to a level above the benefit gained from the intrusion not to prevent all intrusions. He is just another misdirected security effort.
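The two attacks in the quoted text, and the countermeasure the earlier post suggests (a separate code, delivered over another channel, that authorises one specific transaction), as an added example that belongs to neither post and to no real bank. It models a bank whose login uses a static password plus a one-time code, then shows that the relayed login succeeds but a transaction code bound to payee and amount does not transfer to the attacker's payee. HMAC-SHA256 over a per-user device secret, the password "hunter2", the counter values and the payees are all constructed for the demonstration.

```python
import hmac
import hashlib

# Added example, not code from either post. The HMAC construction, the
# device secret and all names and amounts are assumptions for illustration.

DIGITS = 6

def _digits(secret: bytes, message: str) -> str:
    """Truncate HMAC-SHA256 to a fixed-width decimal code (assumed construction)."""
    mac = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"

def login_code(device_secret: bytes, counter: int) -> str:
    """The ever-changing part of the login password: one code per counter value."""
    return _digits(device_secret, f"login:{counter}")

def transaction_code(device_secret: bytes, payee: str, amount_cents: int) -> str:
    """A code valid for exactly this payee and amount. It could be computed on the
    user's device or sent by the bank over another channel (the SMS idea above)."""
    return _digits(device_secret, f"txn:{payee}:{amount_cents}")


class Bank:
    """The real bank site. Holds the user's static password and device secret."""

    def __init__(self, password: str, device_secret: bytes) -> None:
        self._password = password
        self._secret = device_secret
        self._last_counter = -1     # highest login counter accepted so far
        self._used_txn_codes = set()
        self.ledger = []            # (payee, amount_cents) of executed transfers

    def login(self, password: str, code: str, counter: int) -> bool:
        if counter <= self._last_counter:       # a login code is accepted once
            return False
        ok = (hmac.compare_digest(password, self._password)
              and hmac.compare_digest(login_code(self._secret, counter), code))
        if ok:
            self._last_counter = counter
        return ok

    def transfer(self, payee: str, amount_cents: int, code: str) -> bool:
        expected = transaction_code(self._secret, payee, amount_cents)
        if code in self._used_txn_codes or not hmac.compare_digest(expected, code):
            return False
        self._used_txn_codes.add(code)          # a signed transaction executes once
        self.ledger.append((payee, amount_cents))
        return True


def man_in_the_middle(bank: Bank, device_secret: bytes) -> dict:
    """The fake site relays everything the victim types to the real bank."""
    # Constructed victim input: password plus the current one-time login code.
    relayed_login = bank.login("hunter2", login_code(device_secret, 7), 7)
    # The victim meant to pay the landlord and authorised exactly that transaction.
    victim_code = transaction_code(device_secret, "landlord", 80000)
    attacker_transfer = bank.transfer("attacker", 80000, victim_code)   # payee swapped
    victim_transfer = bank.transfer("landlord", 80000, victim_code)     # what was authorised
    return {"login_relayed": relayed_login,
            "attacker_transfer": attacker_transfer,
            "victim_transfer": victim_transfer}


def trojan_piggyback(bank: Bank, device_secret: bytes) -> bool:
    """A trojan on the logged-in machine submits its own transfer, reusing the
    code it observed for the victim's transaction; that code covers another payee."""
    observed = transaction_code(device_secret, "landlord", 80000)
    return bank.transfer("attacker", 5000, observed)


if __name__ == "__main__":
    secret = b"constructed-device-secret"
    bank = Bank("hunter2", secret)
    print(man_in_the_middle(bank, secret))     # login relayed, attacker transfer refused
    print(trojan_piggyback(bank, secret))      # False
    print(bank.ledger)                         # [('landlord', 80000)]
```

The point the block makes against the quote is narrow: a one-time login code is indeed relayable, but a code that commits to what is being done is not, because the attacker cannot change the payee without invalidating it. What it does not fix is a user who authorises a transaction the attacker displays as something else, which is why the out-of-band message has to state the payee and amount.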
I have always been very curious to see if voting would ever happen across the internet in the US. The ideas discussed by Schneier on identity theft, two-factor authentication, etc. got me thinking about how this could affect the whole possibility of voting online. Two-factor authentication may not be the ultimate solution, but the idea of using public and private keys may have some viability in the solution.
Since there are several public "keys" that most state agencies already use today to validate users, I started pondering the possibility of using those keys to create a private key to allow individual authentication for voting purposes. Below are my musings. This is strictly intended to start generating some discussion, feedback, issues, concerns, etc.
--
Voting Electronically:
Person requests the ability to vote electronically (similar to voter registration) online.
IP address of the requesting registrar logged.
During the request to vote electronically: person gives legal name, SSN, DOB.
Person told current mailing address on record w/ State (some agency - State Tax?).
Person requested to verify current address:
- if correct address: person will get sent a unique key for logging in to vote
- if incorrect address: person will need to correct the current address w/ the agency prior to getting mailed the key. In person / fax of legal driver's licence / etc.
- once the address is correct, person re-requests e-voting - all is confirmed - then mailed the unique key to the verified physical address.
- person can request the unique key up to 3 times, then is denied e-voting for the current year.
The unique key could be an MD5 hash w/ various attributes, including name, SSN, etc. Some WORM-compliant magnetic media use MD5 hash algorithms today to form unique identifiers for documents, so this seemed like it might be fitting.
At the time of voting, the person still has the opportunity to vote electronically or in person. If voting electronically, the person goes to the voting website and logs in over https, giving all valid information: legal name, SSN, DOB, and mailed key. All validated, the person votes. The voter's IP address is logged.
After polls close, all e-votes are compared to the physical registration area for the voter or absentee ballot. If a duplicate vote exists, the physical location takes precedence and the e-vote is not counted.
Other checks and balances can be put into the registration and voting process that would flag potential fraudulent registrations or votes. These flagged items would be followed up and confirmed or denied by an individual or committee.
--
This obviously doesn't address any possible issues with the security on the backend of the data, but it does seem to give at least a starting point for a viably possible authentication solution to e-voting.
Thoughts? Thanks.
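The mailed-key part of the proposal above, as an added example that is not part of the post. It implements the address check, the three-requests-per-year limit and the vote-time validation, keeping only a SHA-256 of the mailed key on the registrar's side. It also contrasts the post's MD5-over-attributes key with a random one: because the voter types name, SSN and DOB into the same form, anyone who has those attributes (and the attribute set is enumerable, DOB in particular) can recompute an attribute-derived key, whereas a random key exists only in the letter. The SSN, address and name are constructed, and the name-plus-DOB lookups are reduced to an SSN lookup for brevity.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Added example, not the post's design as written: the key is random rather
# than an MD5 of attributes; attribute_key() is kept only for the contrast.

def attribute_key(name: str, ssn: str, dob: str) -> str:
    """The post's idea: MD5 over identifying attributes (shown for contrast only)."""
    return hashlib.md5(f"{name}|{ssn}|{dob}".encode()).hexdigest()

def random_key() -> str:
    """128 random bits; only this letter and a hash in the database know it."""
    return secrets.token_hex(16)

def recover_dob_from_attribute_key(name: str, ssn: str, target: str, year: int) -> Optional[str]:
    """Anyone holding name and SSN can enumerate the at most 366 DOBs of a year."""
    d = date(year, 1, 1)
    while d.year == year:
        candidate = d.isoformat()
        if attribute_key(name, ssn, candidate) == target:
            return candidate
        d += timedelta(days=1)
    return None


class Registrar:
    MAX_KEY_REQUESTS = 3            # the post's limit per year

    def __init__(self) -> None:
        self._address = {}          # ssn -> address on record with the state (constructed)
        self._key_hash = {}         # ssn -> sha256(key); the key itself is never stored
        self._requests = {}         # ssn -> key requests this year
        self.mailbox = {}           # address -> last key mailed (stands in for the post office)

    def add_record(self, ssn: str, address: str) -> None:
        self._address[ssn] = address

    def request_evoting(self, ssn: str, address_as_confirmed: str) -> str:
        if ssn not in self._address:
            return "no record"
        count = self._requests.get(ssn, 0) + 1
        self._requests[ssn] = count
        if count > self.MAX_KEY_REQUESTS:
            return "denied for this year"
        if address_as_confirmed != self._address[ssn]:
            return "correct your address with the agency first"
        key = random_key()
        self._key_hash[ssn] = hashlib.sha256(key.encode()).hexdigest()  # replaces any earlier key
        self.mailbox[self._address[ssn]] = key
        return "key mailed"

    def vote(self, ssn: str, key: str) -> bool:
        stored = self._key_hash.get(ssn)
        if stored is None:
            return False
        presented = hashlib.sha256(key.encode()).hexdigest()
        return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    reg = Registrar()
    reg.add_record("123-45-6789", "1 Main St")          # constructed record
    print(reg.request_evoting("123-45-6789", "1 Main St"))   # key mailed
    key = reg.mailbox["1 Main St"]
    print(reg.vote("123-45-6789", key))                      # True
    # What the attribute-derived key would give an attacker who already has name and SSN:
    target = attribute_key("Jane Doe", "123-45-6789", "1980-06-15")
    print(recover_dob_from_attribute_key("Jane Doe", "123-45-6789", target, 1980))  # 1980-06-15
```

Issuing a fresh key on every request (and invalidating the previous one) is what makes the three-request limit meaningful: an earlier letter that went astray stops working the moment the voter asks for another.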
If not bundled, it's always been readily available for free download from the RSA website, and probably from other vendors too.
RSA's One-Time Password (OTP) apps allow any Windows Mobile device to emulate a SecurID (pinpad) token, accept the tapped input of a user-memorized PIN, and then generate the appropriate series of 6-8 digit SecurID passcodes. (Also available for free download from RSA are similar "soft token" apps for the Palm OS, Blackberry, Windows desktops, or any one of several mobile phones.)
Of course, to actually register one of these devices with an RSA authentication server, someone will have to buy an RSA-signed "seed" that the RSA server will recognize, associate with a registered SecurID token-holder, and subsequently provide authentication support services for.
These "soft-tokens" -- from RSA or one of its competitors -- are a funny breed of OTP authenticators. They offer something more than "something known," but something less than the full dimension of "something held" that is exemplified by a hand-held token, a sealed dedicated authentication device designed as a personal authenticator.
A personalized physical "token," by its very nature, makes illicit delegation very difficult. A physical token can only be in one place at a time. OTOH, the integrity of a "soft-token" can only be assured if the token-holder can prove physical security and responsible handling -- again, a degree of oversight much higher than that required from someone who carries a sealed hand-held personal authentication token.
Like any RSA SecurID, one of these "soft tokens" generates a two-factor time-based 6-8 digit token-code every 60 seconds. Each one of these token-codes can only be used "now," and can only be used once, to authenticate a token-holder to an RSA authentication server (where some responsible party has already registered this user's ID and privileges, and associated that user ID with the seed that personalized that SecurID application.)
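The token-code behaviour the post describes (a fresh 6-8 digit code every 60 seconds, a memorized PIN typed in front of it, each code usable once and only now), as an added example. This is not RSA's code: the SecurID algorithm is proprietary, so the block uses the HMAC-SHA1 dynamic-truncation construction of RFC 4226/6238 with a 60-second step in its place. The seed bytes, user name and PIN are constructed; concatenating PIN and token code into the passcode is an assumption about the format, chosen so that the server alone checks both.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Added example, not RSA's algorithm. HMAC-SHA1 over a 60-second step counter
# stands in for the proprietary SecurID computation.

STEP_SECONDS = 60

def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code: HMAC-SHA1 over the step counter, dynamically truncated."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class SoftToken:
    """The phone/desktop app: holds the seed; the user taps a PIN in front of the code."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed           # the RSA-signed "seed" the post mentions, as raw bytes here

    def passcode(self, pin: str, now: Optional[int] = None) -> str:
        if now is None:
            now = int(time.time())
        return pin + token_code(self._seed, now)


class AuthServer:
    """Holds each user's seed and PIN; accepts a passcode once, within a small clock skew."""

    def __init__(self, skew_steps: int = 1) -> None:
        self._users = {}            # user -> (seed, pin)
        self._last_step = {}        # user -> last accepted step counter
        self._skew = skew_steps

    def register(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, pin)

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        record = self._users.get(user)
        if record is None or not (passcode.isascii() and passcode.isdigit()):
            return False
        seed, pin = record
        if len(passcode) != len(pin) + 6:
            return False
        pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
        code = passcode[len(pin):]
        step_now = now // STEP_SECONDS
        matched = None
        # Tolerate one step of drift either way between token clock and server clock.
        for step in range(step_now - self._skew, step_now + self._skew + 1):
            if hmac.compare_digest(token_code(seed, step * STEP_SECONDS), code):
                matched = step
        if not pin_ok or matched is None:
            return False
        if matched <= self._last_step.get(user, -1):    # that minute's code is already spent
            return False
        self._last_step[user] = matched
        return True


if __name__ == "__main__":
    seed = b"constructed seed bytes"
    server = AuthServer()
    server.register("alice", seed, "2468")
    token = SoftToken(seed)
    now = int(time.time())
    pc = token.passcode("2468", now)
    print(server.authenticate("alice", pc, now))        # True
    print(server.authenticate("alice", pc, now + 5))    # False: same code presented again
```

The replay check is what makes the code "usable once": the server remembers the highest step it has accepted for the user and refuses any code from that step or earlier, even though the skew window would otherwise still match it. The "something held" weakness of a soft token is visible in the block too: whoever copies the seed bytes gets the same codes.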
Actually, a pass phrase isn't necessarily more secure than a password. There's an in-depth analysis on Microsoft's site (saw the articles on TechNet Flash) but I don't have the link handy. A brute-force attack may or may not be harder to launch against a pass phrase, based on the characters used, number of words in the phrase, word dictionary size, etc. Remember, phrases use real words put together generally in meaningful ways. That limits the entropy.
Here are the links...
Part 1
Part 2
Part 3