Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

14 of 449 comments

  1. From TFA by tsanth · · Score: 2, Interesting

    The second linked article, anyway:

    Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

    My friend who used to work at some larger company (before he worked for an Even Larger Company) used a token generator to log into the company VPN. It would generate a random number, then hash that against his password, yielding a value which he actually put into the VPN password box. Nifty little doodad.

    1. Re:From TFA by winterdrake · · Score: 2, Interesting

      There's a well known trick involving gummi bears that gets around biometrics with a very high success rate.

      http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

  2. Unrelated to Schneier's concerns by lseltzer · · Score: 4, Interesting

    Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.

    But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.

  3. It's the same by ajaf · · Score: 2, Interesting

    All kinds of authentication are vulnerable to the same problem, the "user". I think Microsoft wants to put any crazy idea into their new OS, just to say that they have the coolest features; they don't care if those "features" are useful or not.

    --
    ajf
  4. Some old hats ... by foobsr · · Score: 2, Interesting
    From Bruce Schneier ...

    Here are two new active attacks we're starting to see:

    • Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
    • ...
    Back some decades: An attacker puts up a fake login screen on some mainframe. The innocent user logs in and is greeted with an error message indicating that he has got his password wrong, and after that logs in as usual, perhaps a little disturbed (but due to general overload, unsuspecting).

    Thus we do not see "new active attacks", but a variety of an old scheme.

    I am too old.

    CC.
    --
    TaijiQuan (Huang, 5 loosenings)
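    Putting tsanth's token (a code that changes every minute) and the man-in-the-middle relay quoted by foobsr side by side, as an added example that is not part of any comment here: a minimal time-based one-time-code verifier with replay protection. It shows that a sniffed code is refused once its minute has been used, while a fresh code relayed in real time by a fake site is still accepted, which is exactly Schneier's point. The secret, the password "hunter2" and the clock values are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo values; a real deployment provisions a random secret per user/token.
SHARED_SECRET = b"constructed-demo-secret"
STEP_SECONDS = 60          # the "number that changes every minute"

def totp(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """HMAC-SHA1 over the current time step, truncated RFC 4226/6238 style."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: password plus code, and a given time step is accepted only once."""
    def __init__(self, password: str, secret: bytes):
        self.password = password
        self.secret = secret
        self.last_step = -1        # highest time step already used for a login

    def login(self, password: str, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        if not hmac.compare_digest(password, self.password):
            return False
        if step <= self.last_step:  # same minute seen again: a replayed code
            return False
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.last_step = step
        return True

def demo() -> dict:
    t0 = 1_700_000_000                    # constructed clock value
    v = Verifier("hunter2", SHARED_SECRET)
    code = totp(SHARED_SECRET, t0)
    genuine = v.login("hunter2", code, t0)        # the user logs in: True
    replay = v.login("hunter2", code, t0 + 5)     # sniffed code reused: False
    later = v.login("hunter2", code, t0 + 120)    # two minutes on, the code is stale: False
    # Schneier's man-in-the-middle: the fake site relays the *fresh* code within its
    # minute, so the server sees a valid password and a valid code. Nothing here detects it.
    v2 = Verifier("hunter2", SHARED_SECRET)
    fresh = totp(SHARED_SECRET, t0 + 300)
    relayed = v2.login("hunter2", fresh, t0 + 302)  # True
    return {"genuine": genuine, "replay": replay, "later": later, "relayed": relayed}
```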
  5. standard package on Linux already by idlake · · Score: 3, Interesting

    If you want two-factor authentication, you can already get it with Linux, either with a variety of tokens/devices, or with simple strike-out lists. The necessary packages are pre-packaged for Debian and probably lots of other distributions.

    My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.
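    The "strike-out lists" idlake mentions are one-time-password lists, and the classic way to build one is an S/KEY-style hash chain. The following is an added illustration of that construction, not code from any Debian package: the server keeps only the current chain head, the user works down a printed list, and each accepted password is struck out by becoming the new head. Seed, list length and the SHA-256 choice are constructed for the demo.

```python
import hashlib
import secrets

def _h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """[h^0(seed), h^1(seed), ..., h^n(seed)]; the user's list is links n-1 down to 0."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain

class OtpListServer:
    """Stores only the current chain head h^k(seed). Stealing it does not reveal the
    next password, which is the hash preimage h^(k-1)(seed)."""
    def __init__(self, head: bytes, remaining: int):
        self.head = head
        self.remaining = remaining

    def login(self, password: bytes) -> bool:
        if self.remaining == 0:
            return False                       # list used up: issue a new one
        if not secrets.compare_digest(_h(password), self.head):
            return False                       # wrong, already struck out, or out of order
        self.head = password                   # strike it out: it becomes the new head
        self.remaining -= 1
        return True

def demo() -> dict:
    seed = b"constructed-demo-seed"            # constructed; real lists use a random seed
    n = 5
    chain = make_chain(seed, n)
    server = OtpListServer(chain[n], n)
    first = server.login(chain[n - 1])        # top of the list: True
    reuse = server.login(chain[n - 1])        # struck out already: False
    skip = server.login(chain[n - 3])         # skipping a line: False
    second = server.login(chain[n - 2])       # next line in order: True
    rest = [server.login(chain[i]) for i in range(n - 3, -1, -1)]   # [True, True, True]
    exhausted = server.login(seed)            # nothing left on the list: False
    return {"first": first, "reuse": reuse, "skip": skip,
            "second": second, "rest": rest, "exhausted": exhausted}
```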

  6. Re:It has its uses... by Anonymous Coward · · Score: 1, Interesting

    No, I suspect that MS is just pushing harder for license compliance. Coming soon: Microsoft Windows SC Home edition (for a family of 4. Larger families can buy extra smartcards/user licenses in packs of 10).

  7. Re:Bruce Schneier. The anti solution. by Anonymous Coward · · Score: 1, Interesting

    And if the optimist is wrong, and by going with the optimist you think everything is happy and sunshiney when in fact your system is actively being used to process stolen CC numbers, are you better off than the person who went with the pessimist?

  8. Re:A question worth asking by gnuman99 · · Score: 2, Interesting

    And why would I want this on my workstation? How *I* choose to authenticate myself is my business, not Microsoft's.

  9. Could this be more about piracy than security? by hwestiii · · Score: 2, Interesting

    My understanding is that two factor authentication generally means two of the following: something you know, something you have, something you are.

    Could the "something you have" in this case be some physical artifact that comes with the media or machine and might thereby be difficult to duplicate, thereby reducing the opportunity for unauthorized copying and use of the underlying software?

  10. Re:That's why much of /. likes him by Elwood+P+Dowd · · Score: 2, Interesting

    In this particular case, both the citation in the story and your complaint do not match what he's said. Yes, he does say, "See how two-factor authentication doesn't solve anything?", but he's talking about web phishing, and he's right w.r.t. web phishing.

    He also says "Two-factor authentication is not useless. It works for local login, and it works within some corporate networks." which is exactly what it sounds like MS is talking about using two-factor authentication for.

    He says his complaints do not apply here.

    --

    There are no trails. There are no trees out here.
  11. Re:Two Factor Authentication. by Brushfireb · · Score: 3, Interesting

    I'm not sure where you live or work, but the whole statement that "Most businesses require a badge" is just ridiculousness.

    Most large corporations require a badge. However, most businesses are small family-oriented businesses, not large corporations. These businesses have less than 50 employees, and rarely have advanced IT systems. To assume that this won't increase their costs is silly. It most certainly will -- assuming they decide to put it into place at all.

    For more info:
    http://www.census.gov/epcd/www/smallbus.html

  12. Thumbprint & Iris Scan? by quarkscat · · Score: 2, Interesting

    Unfortunately, MSFT has enough vulnerabilities between the OS, IE, ActiveX, and Apps that even multiple biometric tests would not protect their OS (exception by being unplugged from the network and internet).

    I understand that MSFT does have a solution to the rampant security holes in their product line, which is foolproof. MSFT can embrace/extend the Webster's Dictionary's definition of "security". The Dubya regime has used similar tactics in the definition of "crisis" and "WMD" and "freedom". This tactic does appear to work in certain parts of the world...

  13. Re:A question worth asking by twiddlingbits · · Score: 2, Interesting

    " There is no such think as completely secure."..Well there is "think" but there isn't "thing" :)

    Two factor is not better than one unless that second factor is also very hard to break. Combine something like a PIN and RSA key fob with digital certificates (OK, that's three factors, but two come from the user) and you are very secure. With a unique digital certificate issued by the bank that is verified by a special plug-in for your browser, that adds security. Also, what about using a pass PHRASE instead of a password? That adds complexity and makes things harder to crack. The good Dr. S has a point, but I think the examples he gave are not good illustrations. If you run a good Spyware/Malware/AV check you'll catch the Trojans. With those tools integrated into the OS and working behind the scenes, it's getting less likely you will be phished by a Trojan.