MS to Trade Passwords for 2-Factor Authentication
Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."
Two Factor Authentication, MS style (with apologies to Monty Python).
"What... is your name..."
"What... is your favourite colour?"
For all of us who are not tin foil wearing cryptography nuts, what the hell is two factor identification?
END COMMUNICATION
I suspect that this is just MS responding to their corporate customers' requests.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Does that mean I have to type in 'password' twice?
For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.
The second linked article, anyway:
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
My friend who used to work at some larger company (before he worked for an Even Larger Company) used a token generator to log into the company VPN. It would generate a random number, then hash that against his password, yielding a value which he actually put into the VPN password box. Nifty little doodad.
...The proposed 2-factor authentication involves both a blood and semen sample. It will be hard to foil.
It's the only way to be sure.
Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.
Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.
Source.
Name:__________
Email address:_________
Birthdate:__________
Last four digits of SSN:________
Mother's maiden name:___________
[OK] [Cancel]
Instant, foolproof security with no hardware to deal with or passwords to remember.
Microsoft has invented the PEA machine: it's an external USB device that you pee in it. The device is able to extract your DNA and authenticate the user.
Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.
Except they don't know how to spell "name" and "favourite colour." :-D
"What...is your login..."
"What...is your password?"
they'll have got some teeny, tiny aspect of the protocol patented so as to lock Samba out of the party...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I swear, all I hear from Bruce Schneier is how nothing works...blah, blah, This isn't the solution, blah, that isn't the savior.
How about giving us some ideas that *you* think will work.
...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.
Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a banks', and just about anyone knows how to send an email.
With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.
Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.
But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.
...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.
All kinds of authentication are vulnerable to the same problem, the "user". I think Microsoft wants to put any crazy idea into their new OS, just to say that they have the coolest features; they don't care if those "features" are useful or not.
ajf
I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.
Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.
I can't complain about that; security is actually *really tough* to pull off.
Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.
The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre-authorization, physically separate computers, armed guards, etc. just to get into my bank account.
Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.
However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.
I'm sure it'll be something like the following:
"Please enter your login"
"Thank you, please enter your password"
"So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"
Kinda like AdSense, but much more intrusive...
First you give some blood, then you give a urine sample, then they know its you.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
MS to Trade Passwords for 2-Factor Authentication
They better not be trading my bloody passwords!
My father works for John Deere (yes, the tractor company). They actually use this 2-part system of authentication for remote access into the network. The specifics I'm not going to get into, but it uses a constantly updating token and PIN combination. It can take a little work to figure out, but once you get the basics, it's pretty simple. Now, a swipe card or biometric system would also work.
I don't know everything.
If you want the best security, hire the pessimist, not the optimist.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
From Bruce's article:
Two-factor authentication is not useless. It works for local log-in, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.
He cites two types of attack against two-factor authentication: man in the middle, and a sniffer Trojan. Password authentication is already suffering from these attacks, and increasing complexity will make such attacks at least slightly harder. He doesn't mean that two-factor authentication would be in any way worse than passwords, ever.
Most of Mr. Schneier's article was about how banks were trying to use this as a security panacea. This is certainly not the case, especially since there is money involved; nothing keeps attackers from going that extra mile.
--Sean
Here are two new active attacks we're starting to see:
- Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
- ...
Back some decades: an attacker puts up a fake login screen on some mainframe. The innocent user logs in and is greeted with an error message indicating that he has got his password wrong, and after that logs in as usual, perhaps a little disturbed (but due to general overload, unsuspecting). Thus we do not see "new active attacks", but a variety of an old scheme.
I am too old.
CC.
TaijiQuan (Huang, 5 loosenings)
If you want two-factor authentication, you can already get it with Linux, either with a variety of tokens/devices, or with simple strike-out lists. The necessary packages are pre-packaged for Debian and probably lots of other distributions.
My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.
What's the price tag going to be on this?
Last time I looked at RSA, it was somewhere around $40,000 for 100 people.
I have to use a password and token at work and it's a pain in the ass. Most people won't want to use this system because they don't want a new token for everything they do business with. In Microsoft's world view, I'll have to have one or two for work, four for the banks I do business with, one to check on my mortgage, one to log into my computer, one to check my e-mail, etc. Where the hell am I going to put all these tokens? There needs to be a "one token fits all" situation, or there'll be riots. I don't want to keep track of twenty tokens just to use my computer.
To put a slight twist on the normal definition, for the home user two-factor is defined as:
1) Something you can lose
2) Something you can forget
I thought it was already pretty adventurous of OS X to make users log in all the time; to also provide a user something they can lose... that seems like it will have issues.
It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I think what Mr Schneier is actually trying to get across is that it will need to be implemented as part of a whole, not as "the" solution.
I see that often with firewalls. Companies deploy a strong perimeter defense, neglect internal auditing, internal security patches and then are shocked when some low level employee walks off with the candy store. "Why didn't the firewall save us?!"
Same holds true for two factor authentication. Is it an improvement? Yep. We use securID on all mission critical servers here.
Is it the end all, be all solution? Of course not.
Before Microsoft can credibly deploy a two-factor authentication system, they need to clean house on their server codebase. An authentication server that has multiple administrator exploits in a year is not going to help me sleep at night and will not have me trading in my Solaris SecurID box anytime soon.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.
I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.
How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.
Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a typeable number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature, for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.
Well, sir - the database with the signature hash for your retinal record was compromised, so we cannot regard your eyes as valid authentication tokens. Please consider your retinas revoked. Any attempt to continue in their use will be construed as an attempt to defraud, and will subject them to confiscation.
"Flyin' in just a sweet place,
Never been known to fail..."
My understanding is that two factor authentication generally means two of the following: something you know, something you have, something you are.
Could the "something you have" in this case be some physical artifact that comes with the media or machine and might thereby be difficult to duplicate, thereby reducing the opportunity for unauthorized copying and use of the underlying software?
MS Tech Support: Well, I'm afraid, Sir, that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01, that you can activate with any of your remaining digits, or some other body part that you'd be less likely to be careless with.
I'm not tense. I'm just terribly, terribly, alert.
Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.
After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.
This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
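An added illustration (not code from this post or from any bank's actual reader) of why a code bound to the transaction details blunts the relaying attack discussed above, and of the per-challenge codes the Schneier quote earlier in the thread describes: a shared-secret challenge/response token and its bank-side verifier, assuming an HMAC-based derivation, a constructed sample key and constructed account names.

```python
import hashlib
import hmac
import secrets

# Constructed sample key shared by the user's token and the bank's verifier.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def _code(secret: bytes, message: bytes, digits: int = 8) -> str:
    """Reduce an HMAC over `message` to a short code the user can type (assumed scheme)."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def login_code(secret: bytes, challenge: str) -> str:
    """Code the token shows for a login challenge: proves possession of the secret only."""
    return _code(secret, b"login:" + challenge.encode())


def transaction_code(secret: bytes, challenge: str, to_account: str, cents: int) -> str:
    """Code bound to the transfer the user reads off the token's display."""
    return _code(secret, f"tx:{challenge}:{to_account}:{cents}".encode())


class Bank:
    """Bank-side verifier: holds the same secret and hands out one-time challenges."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.open_challenges = set()
    def new_challenge(self) -> str:
        challenge = secrets.token_hex(4)
        self.open_challenges.add(challenge)
        return challenge
    def _consume(self, challenge: str) -> bool:
        # Each challenge is accepted once, so a captured code cannot be replayed.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        return True
    def verify_login(self, challenge: str, code: str) -> bool:
        return self._consume(challenge) and hmac.compare_digest(
            code, login_code(self.secret, challenge))
    def verify_transaction(self, challenge: str, to_account: str, cents: int, code: str) -> bool:
        return self._consume(challenge) and hmac.compare_digest(
            code, transaction_code(self.secret, challenge, to_account, cents))


def mitm_scenario() -> dict:
    """A relaying attacker can forward the login code, but not alter a signed transfer."""
    bank = Bank(TOKEN_SECRET)
    c1 = bank.new_challenge()
    login_ok = bank.verify_login(c1, login_code(TOKEN_SECRET, c1))  # relayed unchanged
    c2 = bank.new_challenge()
    user_code = transaction_code(TOKEN_SECRET, c2, "NL00-USER-ACCOUNT", 5000)
    tampered = bank.verify_transaction(c2, "NL99-ATTACKER-ACCOUNT", 5000, user_code)
    c3 = bank.new_challenge()
    honest_code = transaction_code(TOKEN_SECRET, c3, "NL00-USER-ACCOUNT", 5000)
    honest = bank.verify_transaction(c3, "NL00-USER-ACCOUNT", 5000, honest_code)
    replay = bank.verify_transaction(c3, "NL00-USER-ACCOUNT", 5000, honest_code)
    return {"login": login_ok, "tampered": tampered, "honest": honest, "replay": replay}
```

The user still has to check that the account and amount shown on the token match what they intended; the binding only helps if the display cannot be spoofed by the compromised PC.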
So companies and individuals should NEVER rely upon it 100%.
Anyone who DOES rely upon any method, 100%, will be scammed, looted, etc. That is what he keeps saying. Again, the REAL problem is people who BELIEVE that it is 100% secure.
It isn't.
We know it isn't.
He knows it isn't.
And he's telling people that it isn't and to not trust it 100%. WHOA THERE!!!
You seem to believe that there's something WRONG with him telling people that such-and-such is NOT "a 100% perfect solution" and that people should NOT trust it 100%.
I think he's doing a great job because the vendors selling those "solutions" will NOT be telling you about the problems.
Bruce is, once again, pointing out that security is a process, not an end item. You cannot be "secure" simply because you require two methods of authentication.
Read Bruce's paper on "attack trees" to see how he illustrates that. People focus too much effort on getting from 99.9% "secure" passwords to 99.95% "secure" passwords when other avenues of attack are wide open.
Unfortunately, MSFT has enough vulnerabilities between the OS, IE, ActiveX, and Apps that even multiple biometric tests would not protect their OS (exception by being unplugged from the network and internet).
I understand that MSFT does have a solution to the rampant security holes in their product line, which is foolproof. MSFT can embrace/extend the Webster's Dictionary's definition of "security".
The Dubya regime has used similar tactics in the definition of "crisis" and "WMD" and "freedom". This tactic does appear to work in certain parts of the world...