Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

27 of 449 comments

  1. A question worth asking by LordZardoz · · Score: 2, Insightful

    For all of us who are not tin foil wearing cryptography nuts, what the hell is two factor identification?

    END COMMUNICATION

    1. Re:A question worth asking by Anonymous Coward · · Score: 5, Insightful

      Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!

    2. Re:A question worth asking by fm6 · · Score: 2, Insightful

      So they're not really abandoning passwords -- they're just requiring an additional authentication. Yeah, I know, a password doesn't have to be one of the two authentications. But you know almost everybody will use it.

      Basically, this story is about Microsoft announcing vague plans to improve login authentication. If we had specifics (smartcard support? biometrics?), then there'd be a story.

    3. Re:A question worth asking by nine-times · · Score: 5, Insightful

      A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

      Something you have (a key, a smartcard)
      Something you know (a password, a PIN)
      Something you are (a fingerprint, a voiceprint)

      It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

      On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

      I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

    4. Re:A question worth asking by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Most decent references on authentication stick to something you have

      Not really. Something you know can be extracted via extreme methods like torture, or with "truth serum" type drugs. They can be grabbed from a database and brute forced. They are information. Biometrics, on the other hand, are physical characteristics of your body. They are very, very hard to change, can't really be left behind, and are constantly exposed. Once captured, they are often easily faked. They are very dangerous to use as an authentication mechanism and are only really valid when carefully verified by a human observer. There is a trend towards biometrics right now in the consumer space that will likely result in a net decrease in security. This is why they are rarely mentioned in a positive light by experts. They are cool and high-tech, however, so doubtless marketers will use them as a tool to separate you from both your security and your cash. They fit perfectly into the MS modus operandi. They are ineffective, and a liability, but easy to use, whiz-bang, and easy to make proprietary and lock out competitors.

    5. Re:A question worth asking by crowemojo · · Score: 2, Insightful

      On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

      Actually you are giving much more credit here than is due. The reason it has been passwords for so long is because they have been the cheapest and easiest to implement. Also, I would argue it's much easier to steal a password (social engineering or brute forcing in some cases) than it would be a token or a biometric. Only the password can be stolen from across the globe using minimal effort and without any prior knowledge about who you are stealing it from (aside from perhaps their phone number and email address).

    6. Re:A question worth asking by RapmasterT · · Score: 4, Insightful

      This is the kind of thinking I have to fight every day at work. A simple lack of understanding of the concept makes a useless solution seem perfectly reasonable. I don't mean to be as insulting as that sounds, this is just a good example of how easy it is to be completely wrong.

      If you start with a known item like the time (time changes, but it's not a secret what time it is) then multiply it by another unchanging item like a PIN, all you've done is make a more complicated PIN number. You haven't implemented two factor authentication, you're just making it hard to log in.

    7. Re:A question worth asking by filmsmith · · Score: 2, Insightful

      What a shockingly appropriate username you have right now...

  2. It has its uses... by winkydink · · Score: 4, Insightful

    Two-factor authentication is not useless. It works for local login, and it works within some corporate networks.

    I suspect that this is just MS responding to their corporate customers' requests.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  3. what's the bets... by advocate_one · · Score: 3, Insightful

    they'll have got some teeny, tiny aspect of the protocol patented so as to lock Samba out of the party...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.

    1. Re:what's the bets... by disposable60 · · Score: 2, Insightful

      Teeny, tiny my ass! They'll TRY to separately patent every comma in the spec.

      --
      You're looking for quotes? See my journal.

  4. Bruce Schneier. The anti solution. by cheese_wallet · · Score: 2, Insightful

    I swear, all I hear from Bruce Schneier is how nothing works...blah, blah, This isn't the solution, blah, that isn't the savior.

    How about giving us some ideas that *you* think will work.

  5. Re:Bruce Schneier. The anti solution. by GMFTatsujin · · Score: 4, Insightful

    I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.

    Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.

    I can't complain about that; security is actually *really tough* to pull off.

  6. That's why much of /. likes him by Sycraft-fu · · Score: 4, Insightful

    Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.

    The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre-authorization, physically separate computers, armed guards, etc. just to get into my bank account.

    Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.

    However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.

    1. Re:That's why much of /. likes him by Sheetrock · · Score: 2, Insightful

      I didn't get the impression from Applied Cryptography or his newsletter that he wants to shitcan imperfect technology; indeed, he talked about the concept of trading off security for feasibility in a not entirely unfavorable way.

      What he is doing here is putting the concept of two factor authentication in its place. He has expressed dissatisfaction in the past with "snake oil" cryptography and if he seems preoccupied with the shortcomings of security approaches it is IMHO because the benefits are usually much more obvious than the flaws. This is beneficial because it provides a more complete picture to those that care about adequately implementing security and can balance the features of various algorithms to create a solution, but is irrelevant (or even irritating) to those who just want to implement a fancy gimmick; in other words, it's a matter of precision.

      --

      Try not. Do or do not, there is no try.
      -- Dr. Spock, stardate 2822-3.

  7. Re:Bruce Schneier. The anti solution. by Sheetrock · · Score: 3, Insightful

    If you want the best security, hire the pessimist, not the optimist.

  8. Your Bank Card and PIN at an ATM. by AzrealAO · · Score: 1, Insightful

    Something you have, something you know.

  9. Price Tag??? by 8400_RPM · · Score: 2, Insightful

    What's the price tag going to be on this?
    Last time I looked at RSA, it was somewhere around $40,000 for 100 people.

  10. This won't work with keys or tokens by cerebud · · Score: 2, Insightful

    I have to use a password and token at work and it's a pain in the ass. Most people won't want to use this system because they don't want a new token for everything they do business with. In Microsoft's world view, I'll have to have one or two for work, four for the banks I do business with, one to check on my mortgage, one to log into my computer, one to check my e-mail, etc. Where the hell am I going to put all these tokens? There needs to be a "one token fits all" situation, or there'll be riots. I don't want to keep track of twenty tokens just to use my computer.

  11. What two factor means for the home user by SuperKendall · · Score: 4, Insightful

    To put a slight twist on the normal definition, for the home user two-factor is defined as:

    1) Something you can lose
    2) Something you can forget

    I thought it was already pretty adventurous of OS X to make users log in all the time; to also provide a user something they can lose... that seems like it will have issues.

    It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  12. Re:They're making this problem seem too hard by mrtroy · · Score: 2, Insightful

    Name:__________
    Email address:_________
    Birthdate:__________
    Last four digits of SSN:________
    Mother's maiden name:___________


    I could crack this in 5 seconds with your pay stub on your desk, and your address book on your desktop.

    I think the whole point of a 2 factor authentication is to improve security past text, into text AND biometrics or text AND a passcard, etc.

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]

  13. Re:Bruce Schneier. The anti solution. by Minupla · · Score: 2, Insightful

    I think what Mr Schneier is actually trying to get across is that it will need to be implemented as part of a whole, not as "the" solution.

    I see that often with firewalls. Companies deploy a strong perimeter defense, neglect internal auditing, internal security patches and then are shocked when some low level employee walks off with the candy store. "Why didn't the firewall save us?!"

    Same holds true for two factor authentication. Is it an improvement? Yep. We use SecurID on all mission critical servers here.

    Is it the end all, be all solution? Of course not.

    Before Microsoft can credibly deploy a two factor authentication system, they need to clean house on their server codebase. An authentication server that has multiple administrator exploits in a year is not going to help me sleep at night and will not have me trading in my Solaris SecurID box anytime soon.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before

  14. Only Useful in Corporate Environments by BeBoxer · · Score: 4, Insightful

    While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.

    I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.

    How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.

    Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature, for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.
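
    As an added example (not code from the post, nor from any token vendor), the block below models the shared-secret scheme BeBoxer describes using the standardized HOTP/TOTP algorithms (RFC 4226 / RFC 6238), which serve here as an open stand-in for the proprietary SecurID algorithm the thread mentions; the Verifier class and the "bank"/"employer" names are constructed for this example. It shows concretely why enrolling one token secret at two relying parties lets either party produce a code the other accepts.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """A relying party (the 'bank' or the 'employer' in the post) that has
    enrolled the token's shared secret. Constructed for this example."""

    def __init__(self, name: str, secret: bytes, window: int = 1) -> None:
        self.name = name
        self.secret = secret
        self.window = window  # tolerate +/- this many 30-second steps of clock drift

    def check(self, code: str, unix_time: int) -> bool:
        for drift in range(-self.window, self.window + 1):
            expected = totp(self.secret, unix_time + drift * 30)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def current_code(self, unix_time: int) -> str:
        # Verification requires the secret, so any verifier holding it can also
        # generate the code that every other holder of that secret will accept.
        return totp(self.secret, unix_time)


def shared_secret_demo(unix_time: int = 1111111109):
    """Constructed scenario: one fob secret enrolled at two relying parties.
    Returns (bank accepts the genuine code, bank accepts the employer-derived code)."""
    fob_secret = b"12345678901234567890"  # the RFC 4226/6238 test-vector secret
    bank = Verifier("bank", fob_secret)
    employer = Verifier("employer", fob_secret)
    genuine = totp(fob_secret, unix_time)             # what the fob displays
    employer_derived = employer.current_code(unix_time)  # what the employer can compute
    return bank.check(genuine, unix_time), bank.check(employer_derived, unix_time)


if __name__ == "__main__":
    print(shared_secret_demo())  # (True, True): the bank cannot tell them apart
```

    The same symmetric property is what makes a compromised authentication database as damaging as a stolen fob, which is the defender's reason to prefer per-relying-party secrets or a public-key design.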

    1. Re:Only Useful in Corporate Environments by imadork · · Score: 2, Insightful
      How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication.

      There's a third way, of course -- get a trusted third party to do the authenticating. Like, say, a particular software company that we all know that has months and months of experience in Trusted Computing....

  15. Erm... focus elsewhere? by d03boy · · Score: 1, Insightful

    Passwords don't seem to be the security flaw most of the time, I would think...

  16. I think you are fundamentally mistaken. by khasim · · Score: 2, Insightful

    Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem.
    Rather, he keeps pointing out how NOTHING is 100% reliable.

    So companies and individuals should NEVER rely upon it 100%.

    Anyone who DOES rely upon any method, 100%, will be scammed, looted, etc.
    The problem with security is there is no magic bullet, no perfect solution.
    That is what he keeps saying.
    Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher.
    Again, the REAL problem is people who BELIEVE that it is 100% secure.

    It isn't.
    We know it isn't.
    He knows it isn't.
    And he's telling people that it isn't and to not trust it 100%.
    However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution.
    WHOA THERE!!!

    You seem to believe that there's something WRONG with him telling people that such-and-such is NOT "a 100% perfect solution" and that people should NOT trust it 100%.

    I think he's doing a great job because the vendors selling those "solutions" will NOT be telling you about the problems.

    Bruce is, once again, pointing out that security is a process, not an end item. You cannot be "secure" simply because you require two methods of authentication.

    Read Bruce's paper on "attack trees" to see how he illustrates that. People focus too much effort on getting from 99.9% "secure" passwords to 99.95% "secure" passwords when other avenues of attack are wide open.
  17. Re:Two Factor Authentication. by Finuvir · · Score: 2, Insightful

    They should use four factors: Something old, Something new, something borrowed, something blue.

    Easy. That's Internet Explorer (not significantly updated in years), whatever new vaporware they're talking about today, the Windows interface ("borrowed" from Apple), and the Screen of Death.

    --
    Why is anything anything?