MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
For those who don't know, in two-factor authentication the two factors are "something you have" and "something you know" - usually a smartcard/token/key and a PIN/password/passphrase.
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
They condemn what they do not understand.
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:
Something you have (a key, a smartcard)
Something you know (a password, a PIN)
Something you are (a fingerprint, a voiceprint)
It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different from the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.
...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.
Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.
With two-factor authentication, the techniques that Schneier talks about (MITM and Trojan) are more difficult to implement, making the crime more difficult and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.
Well, if this is anything like what my bank does, it works as follows:
1) You input your bank account number and a password into your bank's site.
2) You use a little calculator: you input a PIN into it, and it generates a unique number that you have to input into the page.
3) You're now authenticated.
Other schemes include having a little card with the numbers on it, and the site will request you to input code number N, and you do so, and it lets you in.
Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.
After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.
This way, a man-in-the-middle attack as Schneier describes is a little less likely, since one knows exactly when one is authorising a transaction or merely logging in.
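The flow the two posts above describe (challenge, PIN into the calculator, code back to the site, then a second authorisation for the transactions) modelled end to end. This is an added example, not code from either poster or from any bank: the HMAC-based code derivation, the account numbers, the 16-byte key and the PIN are all constructed for illustration, and real token calculators use vendor-specific algorithms. It shows why the distinction the second poster draws matters: a log-in code is single use and cannot be replayed, and a transaction code is bound to the amount and payee, so a man in the middle who rewrites the transaction while relaying the code is rejected.

```python
"""Challenge-response token model: log-in codes versus transaction-signing codes.
Illustrative scheme only; not any bank's real algorithm."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8


def token_response(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over the challenge (and, for a transaction, its details),
    truncated to CODE_DIGITS decimal digits that the customer can type back in.
    The dynamic truncation mirrors RFC 4226 (HOTP); the field layout is assumed."""
    mac = hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Token:
    """The 'something you have': the key never leaves the chip card;
    the PIN ('something you know') merely unlocks it."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")

    def login_code(self, pin: str, challenge: str) -> str:
        self._unlock(pin)
        return token_response(self._key, "LOGIN", challenge)

    def sign_transaction(self, pin: str, challenge: str, amount: str, payee: str) -> str:
        self._unlock(pin)
        return token_response(self._key, "TXN", challenge, amount, payee)


class BankServer:
    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys
        self._pending: dict[str, str] = {}  # outstanding challenge -> account

    def issue_challenge(self, account: str) -> str:
        challenge = secrets.token_hex(4).upper()  # 8 hex digits to key into the calculator
        self._pending[challenge] = account
        return challenge

    def _consume(self, challenge: str, account: str) -> bool:
        # Every challenge is single use, so a captured code replayed later fails here.
        return self._pending.pop(challenge, None) == account

    def verify_login(self, account: str, challenge: str, code: str) -> bool:
        if not self._consume(challenge, account):
            return False
        expected = token_response(self._keys[account], "LOGIN", challenge)
        return hmac.compare_digest(expected, code)

    def verify_transaction(self, account: str, challenge: str, amount: str, payee: str, code: str) -> bool:
        if not self._consume(challenge, account):
            return False
        # The server recomputes over ITS view of the transaction, not the attacker's.
        expected = token_response(self._keys[account], "TXN", challenge, amount, payee)
        return hmac.compare_digest(expected, code)


def demo() -> dict[str, bool]:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    acct = "NL00DEMO0123456789"                              # constructed account
    bank = BankServer({acct: key})
    card = Token(key, pin="4321")
    results: dict[str, bool] = {}

    # Steps 1-3 of the first post: challenge, PIN into the calculator, code back to the site.
    c1 = bank.issue_challenge(acct)
    login = card.login_code("4321", c1)
    results["login_ok"] = bank.verify_login(acct, c1, login)
    # A phisher who captured c1 and the code and replays them gets nowhere.
    results["replay_rejected"] = not bank.verify_login(acct, c1, login)

    # Wrong PIN: the card refuses to compute anything at all.
    try:
        card.login_code("0000", bank.issue_challenge(acct))
        results["wrong_pin_blocked"] = False
    except PermissionError:
        results["wrong_pin_blocked"] = True

    # Second post: authorising the transactions is a separate authentication.
    c2 = bank.issue_challenge(acct)
    sig = card.sign_transaction("4321", c2, "250.00", "NL00DEMO0987654321")
    # Man in the middle rewrites the payee while relaying the customer's code.
    results["tampered_txn_rejected"] = not bank.verify_transaction(acct, c2, "250.00", "NL99EVIL0000000001", sig)
    # The bank issues a fresh challenge; the untampered transaction goes through.
    c3 = bank.issue_challenge(acct)
    sig = card.sign_transaction("4321", c3, "250.00", "NL00DEMO0987654321")
    results["genuine_txn_ok"] = bank.verify_transaction(acct, c3, "250.00", "NL00DEMO0987654321", sig)
    # A log-in code cannot be repurposed as a transaction signature.
    c4 = bank.issue_challenge(acct)
    results["login_code_not_a_signature"] = not bank.verify_transaction(
        acct, c4, "250.00", "NL00DEMO0987654321", card.login_code("4321", c4))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'PASS' if ok else 'FAIL'}")
```

The one failure mode this does not address is the one Schneier's "Trojan" case covers: a compromised browser can show the customer one payee while sending the bank another, and the customer will happily sign the wrong one. Binding the code to the transaction only helps when the details the customer keys into the calculator come from the bank's page, not from malware on the PC, which is why later readers show the payee on the device's own display.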
Nope. It doesn't work that way.
Sure, they might drop NTLMv* authentication, but if you get a ticket from the KDC (usually an Active Directory Controller), you'll have access to what's yours.
This article has to do with authentication only, not the transport, however. They might drop CIFS for something else, which would mean that yes, we'd have to re-reverse-engineer whatever file transport MS uses next round.
I wouldn't worry much about it though; it's legal to reverse-engineer this sort of thing. They can't sue you for designing a compatible system; you only need to license stuff based on their implementation using THEIR code.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails