MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
Two Factor Authentication, MS style (with apologies to Monty Python).
"What... is your name..."
"What... is your favourite colour?"
Does that mean I have to type in 'password' twice?
...The proposed 2-factor authentication involves both a blood and semen sample. It will be hard to foil.
It's the only way to be sure.
Name:__________
Email address:_________
Birthdate:__________
Last four digits of SSN:________
Mother's maiden name:___________
[OK] [Cancel]
Instant, foolproof security with no hardware to deal with or passwords to remember.
Microsoft has invented the PEA machine: it's an external USB device that you pee in. The device is able to extract your DNA and authenticate the user.
Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.
Except they don't know how to spell "name" and "favourite colour." :-D
"What...is your login..."
"What...is your password?"
picpix image polls. create - share - vote. fun!
As far as I can tell, two factor identification is the dualization of the encryptable factorization process. When the vector based finglestrup is elongated to the point of dypstrontinazation, we find that standard passwords are, in a word, flangoozled. By dishappening the estronable bases, the possibility of grolingering becomes ziponified. All that said, I fully support two factor identification, and you should too.
Hopefully that helps...
I dunno, I've seen Mission Impossible II enough to know that we'll need about 10 factor authentication to be completely secure.
...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.
I'm sure it'll be something like the following:
"Please enter your login"
"Thank you, please enter your password"
"So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"
Kinda like AdSense, but much more intrusive...
First you give some blood, then you give a urine sample, then they know it's you.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
MS to Trade Passwords for 2-Factor Authentication
They better not be trading my bloody passwords!
thanx for answering that question.
gawd... i can just see it now, longhorn is also "for home users"
T: thank you for calling Microsoft
C: yes, i just got back from them there hospital, i done lost my finger in me John Deere 600GT riding lawnmower
T: uhh.. yessss... and..
C: well they couldnt re-attach it ya see
T: riiiighhttt...
C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner
The More Knowledge you have the Luckier you Get- J.R. Ewing
You have to type in Factor twice!
If you want real authentication, take a page from Pournelle and Niven's book.
"Hi. Your name?"
"Kevin James Renner."
"Do you eat live snails?"
"I'll eat anything."
"Where were you born?"
"Dionysius."
"Are you alone?"
"Quite alone."
"What's the word?"
"Hollyhocks."
"Are you sure?"
"Sure I'm sure, you stupid machine!"
"Let's try it again. What's the word?"
"Hollyhocks."
"Sure it's not rosebuds?"
"Hollyhocks."
"My instructions are to be sure you are calm and uncoerced."
"Damn, I AM calm and uncoerced!"
"Right. If you'll attach me to the message cube recorder..."
Follow this with a 7-minute brain scan.
Of course, if you use Windows, you can just tell it to "Remember my script and brainwave pattern" so you don't have to go through that every time.
End of lesson. You may press the button.
Right, which means not only will users forget passwords, but they will also lose their smartcards (which aren't cheap).
Hurray for increasing IT costs! Good job MS, you always come through in that dept.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Well, sir - the database with the signature hash for your retinal record was compromised, so we cannot regard your eyes as valid authentication tokens. Please consider your retinas revoked. Any attempt to continue in their use will be construed as an attempt to defraud, and will subject them to confiscation.
"Flyin' in just a sweet place,
Never been known to fail..."
Now speak the following phrase clearly into the microphone:
"When tweedle beetles battle, it's called a tweedle beetle battle
and when they battle in a puddle, it's called a tweedle beetle puddle battle
AND
when beetles battle beetles with paddles in a puddle, THIS is what they call...
a tweedle beetle puddle paddle battle
AND
when the beetle puddle paddle battle is a battle in a bottle THIS is what they call...
a tweedle beetle bottle battle puddle paddle muddle!"
Voiceprint recorded. Please repeat for verification...
"Flyin' in just a sweet place,
Never been known to fail..."
MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.
I'm not tense. I'm just terribly, terribly, alert.
Easy solution to that problem. Instead of using your index finger to authenticate, give Microsoft the middle finger.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
>>Something you are (a fingerprint, a voiceprint)
>This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home.
I have a solution.
Use something that is debatably "something you are"; i.e. a sperm sample.
I take these from guys, and they definitely do not find it to be "very painful".
They cannot easily change it.
They could possibly leave "it" at home, and the HAX0R could find and then use the sample.
It is not easy for someone to extract this sample from you under duress. When you are stressed out, kidnapped, at gunpoint, you may find it difficult to produce a sample.
There is a drawback. If it is required to produce a sample in order to log in, then pr0n sites might see a sudden drop in their visitors. Login screens will need to support plug in modules; so that the pr0n sites can market their materials as "login assistants".
I'll see your senator, and I'll raise you two judges.
Tomorrow: give me your finger, or i shoot!
Except that it's two-factor. They'll need your wallet AND your finger.