MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
Condemnant quod non intellegunt.
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
Source.
A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:
Something you have (a key, a smartcard)
Something you know (a password, a PIN)
Something you are (a fingerprint, a voiceprint)
It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.
Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.
With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.
My father works for John Deere (yes, the tractor company). They actually use this 2-part system of authentication for remote access into the network; the specifics I'm not going to get into, but it uses a constantly updating token and PIN combination. It can take a little work to figure out, but once you get the basics, it's pretty simple. Now, a swipe card or biometric system would also work.
I don't know everything.
From Bruce's article:
Two-factor authentication is not useless. It works for local log-in, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.
He cites two types of attack against two-factor authentication: man in the middle, and a sniffer Trojan. Password authentication is already suffering from these attacks, and increasing complexity will make such attacks at least slightly harder. He doesn't mean that two-factor authentication would be in any way worse than passwords, ever.
Most of Mr. Schneier's article was about how banks were trying to use this as a security panacea. This is certainly not the case, especially since there is money involved; nothing keeps attackers from going that extra mile.
--Sean
In case it's still not clear to you, a common form of two-factor authentication is through the use of a small hand-carried device that uses a time-sensitive algorithm to generate a series of numbers. Time-sensitive means that this number series changes over time.
In the industry, this is commonly called a "token" and there are multiple vendors that sell them:
RSA Security
ActivCard
Vasco
[etc.]
Typically the "two-factorness" of the authentication is a description of the relative strength of the authentication process. The process itself is one which authenticates users based on several criteria:
- Something you know [passwords]
- Something you have [tokens]
- Something you are [biometrics]
When Microsoft says it's going to use "two-factor" authentication, they are really saying, "We are going to require users to authenticate using one-time number generators and also by knowing a password." Is this a good thing? Most people say, guardedly, "yes". But only because it's better than just merely using passwords.
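The post above describes a hand-carried token whose number changes every minute, and the Schneier excerpt earlier notes that an intercepted code "won't be good the next time it's needed". The following is an added example (not code from any poster, vendor or from Microsoft) of how such a time-stepped code is generated and checked on the server side; it uses the standard HMAC-based construction (RFC 4226 counter codes, RFC 6238 time steps), which is an assumption about how the tokens in the post work, and the seed and timestamps are constructed demo values. The verifier also refuses to accept a code twice, which is the property that defeats simple replay of a sniffed code.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real token's seed is unique to that device and
# is provisioned into both the token and the authentication server.
DEMO_SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # the post's token changes its number every minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a single counter value (RFC 4226 construction)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the current time step (RFC 6238)."""
    return hotp(seed, now // step)


class TokenVerifier:
    """Server-side check with a small clock-drift window and replay rejection."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew            # accept codes this many steps early/late
        self.last_accepted = -1     # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_accepted:
                continue            # a code from this step was already used
            if hmac.compare_digest(hotp(self.seed, step), code):
                self.last_accepted = step
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(DEMO_SEED)
    t0 = 1_000_000                  # constructed "current time" in seconds
    code = totp(DEMO_SEED, t0)
    print("fresh code accepted:        ", verifier.verify(code, t0))
    print("same code replayed:         ", verifier.verify(code, t0))
    print("same code three minutes on: ", verifier.verify(code, t0 + 3 * STEP_SECONDS))
    print("new code three minutes on:  ",
          verifier.verify(totp(DEMO_SEED, t0 + 3 * STEP_SECONDS), t0 + 3 * STEP_SECONDS))
```

The skew window is what makes the scheme usable with an unsynchronised hand-held device; keeping it small, and recording the last accepted step, is what keeps a captured code from being useful to anyone who sees it in transit. Note that this only helps against replay: as the Schneier quote later in the thread says, a live man in the middle who forwards the code immediately is not stopped by it.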
There is no such thing as completely secure. That is the first thing these analysts should understand.
Yes, two factor is not perfect. But it is better than the password-only method. It is also (somewhat) cost-effective.
Since banks are used as an example for this, let's consider that, if the protection method is not cost-effective, it is cheaper for the bank to just accept the frauds, with or without insurance.
Biometrics isn't perfect either. Even something that is widely considered perfect for security these days will show itself flawed in the future.
So just bashing an idea because it is not perfect or foolproof is just plain stupid.
At least on paper, Microsoft's plans are good. Of course I, as much as any other /.er, expect they will screw up. But that's another issue.
morcego
Hey, FYI, two-factor authentication has been available in the MS space for years as well. Most don't like it simply because they are cheap. It costs money for a fingerprint or smartcard reader or a SecurID.
I don't think you understand the technology.
You act like you can't reuse your fingerprint for more than one service! It's not like you change your password every 90 days PLUS cut a finger off!
Settle down. This is technology to be used for authentication into your Windows computer. It's possible to store other security tokens on your computer in an encrypted format and use them for other purposes. Do you really have to provide an e-mail password to check your email? Why don't you just encrypt that password with your network logon (or public key) and store it?
There are a variety of ways to do authentication. Your password+token at work is one way but it wouldn't be very practical for every account you need to get into.
Please don't riot. Thanks!
With an RSA Key Fob.
wdd
Well, if this is anything like what my bank does, it works as the following:
1) You input your bank account number and a password into your bank's site.
2) You use a little calculator, you input a PIN into it, and it generates a unique number that you have to input into the page.
3) You're now authenticated.
Other schemes include having a little card with the numbers on it, and the site will request you to input code number N, and you do so, and it lets you in.
Suggested approaches included: the user would be presented, say, 5 rows of ten photos, and asked to pick one photo in each row. Each time the logon is done the order of the photos changes. An alternative (better) approach would be to present a photo of a collection of objects and the user must click on several of the objects in the photo in a certain order.
perhaps MS aims to combine this with a password to avoid making the photo selection have to have too many layers for combinatorics?
Of course this only works for graphical sign-on. Handling text-based remote login would require smartcards or something. But then again, are there any text-based devices left? I mean, if you can pull up an ssh terminal these days you nearly always can pull up a full browser window that could handle the pictographic interface.
Some drink at the fountain of knowledge. Others just gargle.
Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.
After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.
This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
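The Dutch-bank post above (and the calculator-with-PIN scheme described a few posts earlier) separates logging in from authorising a transaction, and notes that this makes the man-in-the-middle attack Schneier describes less likely. The reason is that a transaction-authorisation code can be bound to the transaction itself. The example below is added here to show that binding; it is not code from the poster, from Rabobank, or from any token vendor. It assumes a chip-card reader that checks the PIN and then computes an HMAC over the bank's challenge plus the amount and beneficiary (the real card scheme's internals are not on the page), and every key, PIN, challenge and account number is a constructed demo value.

```python
import hashlib
import hmac

# Constructed values: in a real deployment the key never leaves the card's chip
# and the bank's back end, and the PIN check happens on the chip itself.
CARD_KEY = b"constructed-card-key-not-a-real-secret"
CARD_PIN = "4821"


def _code(card_key: bytes, challenge: str, amount: str, beneficiary: str) -> str:
    """8-digit code over challenge|amount|beneficiary. For a plain login the
    amount and beneficiary are empty, so the code covers only the challenge."""
    message = f"{challenge}|{amount}|{beneficiary}".encode()
    mac = hmac.new(card_key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


def card_reader(card_key: bytes, pin: str, challenge: str,
                amount: str = "", beneficiary: str = "") -> str:
    """What the hand-held reader does: unlock the chip with the PIN
    (something you know), then have the chip (something you have) sign."""
    if not hmac.compare_digest(pin, CARD_PIN):
        raise PermissionError("wrong PIN: the chip refuses to sign")
    return _code(card_key, challenge, amount, beneficiary)


def bank_verify(card_key: bytes, challenge: str, code: str,
                amount: str = "", beneficiary: str = "") -> bool:
    """Bank side: recompute the code over the transaction it is about to
    execute, not over whatever the browser session claims was signed."""
    return hmac.compare_digest(_code(card_key, challenge, amount, beneficiary), code)


def mitm_scenario() -> tuple:
    """Customer authorises a transfer; an intermediary forwards the code but
    substitutes its own beneficiary account. Returns (genuine_ok, tampered_ok)."""
    challenge = "73619204"                      # constructed; fresh per request
    genuine_iban = "NL00DEMO0000000001"         # constructed account numbers
    attacker_iban = "NL00EVIL0000000009"
    code = card_reader(CARD_KEY, CARD_PIN, challenge, "100.00", genuine_iban)
    genuine_ok = bank_verify(CARD_KEY, challenge, code, "100.00", genuine_iban)
    tampered_ok = bank_verify(CARD_KEY, challenge, code, "100.00", attacker_iban)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    login_code = card_reader(CARD_KEY, CARD_PIN, "11223344")
    print("login code accepted:", bank_verify(CARD_KEY, "11223344", login_code))
    ok, tampered = mitm_scenario()
    print("genuine transfer accepted:", ok)
    print("beneficiary swapped by MITM accepted:", tampered)
```

The login-only code proves possession of the card and knowledge of the PIN, but says nothing about what the session then does, which is exactly the gap a man in the middle exploits. The transaction code fails verification as soon as any signed field differs from what the bank is about to execute, which is why the reader should display the amount and beneficiary for the customer to check before signing.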
Nope. It doesn't work that way.
Sure, they might drop NTLMv* authentication, but if you get a ticket from the KDC (usually an Active Directory Controller), you'll have access to what's yours.
This article has to do with authentication only, not the transport, however. They might drop CIFS for something else, which would mean that yes, we'd have to re-reverse-engineer whatever file transport MS uses next round.
I wouldn't worry much about it though; it's legal to reverse-engineer this sort of thing. They can't sue you for designing a compatible system; you only need to license stuff based on their implementation using THEIR code.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails