Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

8 of 449 comments

  1. It has its uses... by winkydink · Score: 4, Insightful
    Two-factor authentication is not useless. It works for local login, and it works within some corporate networks.

    I suspect that this is just MS responding to their corporate customers' requests.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  2. Re:A question worth asking by Anonymous Coward · Score: 5, Insightful

    Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!

  3. Re:Bruce Schneier. The anti solution. by GMFTatsujin · Score: 4, Insightful

    I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.

    Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.

    I can't complain about that; security is actually *really tough* to pull off.

  4. That's why much of /. likes him by Sycraft-fu · Score: 4, Insightful

    Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.

    The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre-authorization, physically separate computers, armed guards, etc. just to get into my bank account.

    Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.

    However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.

  5. What two factor means for the home user by SuperKendall · Score: 4, Insightful

    To put a slight twist on the normal definition, for the home user two-factor is defined as:

    1) Something you can lose
    2) Something you can forget

    I thought it was already pretty adventurous of OS X to make users log in all the time; to also provide a user something they can lose... that seems like it will have issues.

    It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  6. Only Useful in Corporate Environments by BeBoxer · Score: 4, Insightful

    While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.

    I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.

    How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.

    Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature, for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.

  7. Re:A question worth asking by nine-times · Score: 5, Insightful
    A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

    Something you have (a key, a smartcard)
    Something you know (a password, a PIN)
    Something you are (a fingerprint, a voiceprint)

    It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

    On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

    I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

  8. Re:A question worth asking by RapmasterT · Score: 4, Insightful
    This is the kind of thinking I have to fight every day at work. A simple lack of understanding of the concept makes a useless solution seem perfectly reasonable. I don't mean to be as insulting as that sounds, this is just a good example of how easy it is to be completely wrong.
    If you start with a known item like the time (time changes, but it's not a secret what time it is) then multiply it by another unchanging item like a PIN, all you've done is make a more complicated PIN number. You haven't implemented two factor authentication, you're just making it hard to log in.