Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

43 of 449 comments

  1. MS version by Anonymous Coward · · Score: 5, Funny


    Two Factor Authentication, MS style (with apologies to Monty Python).

    "What... is your name..."
    "What... is your favourite colour?"

    1. Re:MS version by Infinityis · · Score: 5, Funny

      Bluescreen of death...no, Redha....auuggghhh!!!

  2. It has its uses... by winkydink · · Score: 4, Insightful
    Two-factor authentication is not useless. It works for local login, and it works within some corporate networks.

    I suspect that this is just MS responding to their corporate customers' requests.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:It has its uses... by Jeremiah+Cornelius · · Score: 4, Funny
      Voiceprint, please...

      Now speak the following phrase clearly into the microphone:
      "When tweedle beetles battle, it's called a tweedle beetle battle
      and when they battle in a puddle, it's called a tweedle beetle puddle battle
      AND
      when beetles battle beetles with paddles in a puddle, THIS is what they call...
      a tweedle beetle puddle paddle battle
      AND
      when the beetle puddle paddle battle is a battle in a bottle THIS is what they call...
      a tweedle beetle bottle battle puddle paddle muddle!"

      Voiceprint recorded. Please repeat for verification...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  3. Logging in by consumer_whore · · Score: 5, Funny

    Does that mean I have to type in 'password' twice?

    1. Re:Logging in by ragnar · · Score: 5, Funny

      No, it means that you will need two post it notes on your monitor.

      --
      -- Solaris Central - http://w
  4. Two Factor Authentication. by pavon · · Score: 4, Informative

    For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.

    1. Re:Two Factor Authentication. by Duncan3 · · Score: 4, Funny

      Right, which means not only will users forget passwords, but they will also lose their smartcard (which isn't cheap).

      Hurray for increasing IT costs! Good job MS, you always come through in that dept.

      --
      - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    2. Re:Two Factor Authentication. by Brushfireb · · Score: 3, Interesting

      I'm not sure where you live or work, but the whole statement that: "Most businesses require a badge" is just ridiculousness.

      Most large corporations require a badge. However, most businesses are small family-oriented businesses, not large corporations. These businesses have less than 50 employees, and rarely have advanced IT systems. To assume that this won't increase their costs is silly. It most certainly will -- assuming they decide to put it into place at all.

      For more info:
      http://www.census.gov/epcd/www/smallbus.html

  5. Re:A question worth asking by Txiasaeia · · Score: 3, Informative
    From the last link:

    Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

    --
    Condemnant quod non intellegunt.
  6. What Is Two Factor Authentication? by MBraynard · · Score: 5, Informative
    To review, two-factor authentication consists of:

    Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

    Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

    Source.

    1. Re:What Is Two Factor Authentication? by crowemojo · · Score: 3, Informative

      I see a lot of people get this wrong. Two factor authentication isn't necessarily "something you have" and "something you know". It's using two of the three possible forms (a lot of people seem to forget the "something you are" form).

      Having a system that required smart-card and a fingerprint without ever having to provide a username or password would be another possible example of two-factor authentication.

      "Something you know" (password, PIN, mother's maiden name, checking account activity) and "Something you have" (token, smart card, etc.)

      This is the most common form of two factor authentication, but not the only form.

  7. They're making this problem seem too hard by Anonymous Coward · · Score: 5, Funny
    The computer industry should take a clue from the financial services sector. All you need for any system is a simple login screen:

    Name:__________
    Email address:_________
    Birthdate:__________
    Last four digits of SSN:________
    Mother's maiden name:___________
    [OK] [Cancel]

    Instant, foolproof security with no hardware to deal with or passwords to remember.

    1. Re:They're making this problem seem too hard by Jherek+Carnelian · · Score: 5, Funny

      I could crack this in 5 seconds with your pay stub on your desk, and your address book on your desktop.

      But yet you still can't seem to crack the secret code known as humor.

  8. No need for passwords anymore by Anonymous Coward · · Score: 3, Funny

    Microsoft has invented the PEA machine: it's an external USB device that you pee in. The device is able to extract your DNA and authenticate the user.

    Early FCC testing showed that the device might have trouble identifying the user if the user has consumed large quantities of beer.

  9. They're already doing this! by nathan+s · · Score: 5, Funny

    Except they don't know how to spell "name" and "favourite colour." :-D

    "What...is your login..."
    "What...is your password?"

    1. Re:They're already doing this! by Anne_Nonymous · · Score: 3, Funny

      "What...is your password?"

      "6hU&12D1er. No, 6Hu&...arrrrggggggggg....."

  10. Re:A question worth asking by Sycraft-fu · · Score: 5, Informative

    A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

    Something you have (a key, a smartcard)
    Something you know (a password, a PIN)
    Something you are (a fingerprint, a voiceprint)

    It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

  11. what's the bets... by advocate_one · · Score: 3, Insightful

    they'll have got some teeny, tiny aspect of the protocol patented so as to lock Samba out of the party...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    1. Re:what's the bets... by MarcQuadra · · Score: 3, Informative

      Nope. It doesn't work that way.

      Sure, they might drop NTLMv* authentication, but if you get a ticket from the KDC (usually an Active Directory Controller), you'll have access to what's yours.

      This article has to do with authentication only, not the transport, however. They might drop CIFS for something else, which would mean that yes, we'd have to re-reverse engineer whatever file-transport MS uses next round.

      I wouldn't worry much about it though, it's legal to reverse-engineer this sort of thing. They can't sue you for designing a compatible system, you only need to license stuff based on their implementation using THEIR code.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  12. The point is not that TFA can fail... by datastalker · · Score: 4, Informative

    ...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.

    Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.

    With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.

  13. Re:A question worth asking by Infinityis · · Score: 5, Funny

    As far as I can tell, two factor identification is the dualization of the encryptable factorization process. When the vector based finglestrup is elongated to the point of dypstrontinazation, we find that standard passwords are, in a word, flangoozled. By dishappening the estronable bases, the possibility of grolingering becomes ziponified. All that said, I fully support two factor identification, and you should too.

    Hopefully that helps...

  14. Re:A question worth asking by Infinityis · · Score: 3, Funny

    I dunno, I've seen Mission Impossible II enough to know that we'll need about 10 factor authentication to be completely secure.

  15. Unrelated to Schneier's concerns by lseltzer · · Score: 4, Interesting

    Well, largely unrelated. Schneier argues that there are two major classes of attacks that bypass the issues users encounter in the consumer space. And conversely, that the issues solved by 2 factor authentication aren't the ones encountered by real users.

    But logging into your local computer or the LAN is different, and 2 factor authentication could be helpful. It wouldn't necessarily be helpful against trojan attacks; once an authenticated user infects their own system the attack can continue to run with the credentials of the user. But it should defeat some network attacks and enhance security of systems that are physically compromised.

  16. MS ActiveButtPlug Technology... by Anonymous Coward · · Score: 5, Funny

    ...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.

  17. Re:A question worth asking by Anonymous Coward · · Score: 5, Insightful

    Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!

  18. Re:Bruce Schneier. The anti solution. by GMFTatsujin · · Score: 4, Insightful

    I think his point is that it is better to implement no security policy than to come to depend on one that is fundamentally flawed and discourages further investigation.

    Most of the commentary I've read from him sounds pretty sane. He makes a point of pointing out misdirected security efforts that fail to secure real issues. Recognizing a mistake is a step toward finding a solution.

    I can't complain about that; security is actually *really tough* to pull off.

  19. That's why much of /. likes him by Sycraft-fu · · Score: 4, Insightful

    Because he's one of those people who perpetually whines that the new solution isn't a total solution. He slams on things that are improvements because they don't completely and totally solve the problem. I see that from a lot of posters here as well.

    The problem with security is there is no magic bullet, no perfect solution. There is no way that you can be 100% certain that a person is who they claim to be. Also, any proposed solution for computers has to be cheap and convenient. Yes, the military has much better security for nuclear weapons, one that's near impossible to break. However I don't really want to have to deal with called-in pre authorization, physically separate computers, armed guard, etc just to get into my bank account.

    Two factor authentication is a definite step in the right direction. It means that you can't just find out/guess someone's password and get access to their data. There's another step. Does that make it impossible? No, but it sure as hell makes it a lot tougher. It also seems to be reasonably cheap and easy to implement with current technology. Thus, it seems like a good idea.

    However, there are those out there, and Schneier seems to be one of them, that just want to rip on anything that isn't a 100% perfect solution. I guess that's ok if that's your thing, but the world is an imperfect place and perfect solutions are the rare exception, not the rule.

  20. Re:Reporting leaves something to be desired by Infinityis · · Score: 5, Funny

    I'm sure it'll be something like the following:

    "Please enter your login"

    "Thank you, please enter your password"

    "So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"

    Kinda like AdSense, but much more intrusive...

  21. Re:Bruce Schneier. The anti solution. by Sheetrock · · Score: 3, Insightful

    If you want the best security, hire the pessimist, not the optimist.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  22. Re:A question worth asking by halo8 · · Score: 4, Funny

    thanx for answering that question.

    gawd... i can just see it now, longhorn is also "for home users"

    T: thank you for calling mircosoft
    C: yesM i just got back from them there hospital, i done lost my finger in me JhonDeer 600GT riding lawnwoer
    T: uhh.. yessss... and..
    C: well they couldnt re-attach it ya see
    T: riiiighhttt...
    C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner

    --
    The More Knowledge you have the Luckier you Get- J.R. Ewing
  23. standard package on Linux already by idlake · · Score: 3, Interesting

    If you want two-factor authentication, you can already get it with Linux, either with a variety of tokens/devices, or with simple strike-out lists. The necessary packages are pre-packaged for Debian and probably lots of other distributions.

    My impression is that it's not very popular. But if Microsoft wants to force their users to use it, good for them. I prefer my OS to give me a choice, and I have had that choice for many years now.

  24. Re:For those that don't know... by Kotukunui · · Score: 4, Funny

    So if we went to three-factor authentication (Semen, Urine, Faeces), all you would have to do each morning is rub your underwear on the keyboard to authenticate yourself.

    I will never, ever, ever go to an internet cafe again.....

  25. Re:For those that don't know... by tgd · · Score: 3, Funny

    I both love to think about and hate to think about how the women will log in.

  26. What two factor means for the home user by SuperKendall · · Score: 4, Insightful

    To put a slight twist on the normal definition, for the home user two-factor is defined as:

    1) Something you can lose
    2) Something you can forget

    I thought it was already pretty adventurous of OS X to make users log in all the time, to also provide a user something they can lose... that seems like it will have issues.

    It does seem like it should make resale of Windows easier to justify, as long as you are selling a security token of some sort with it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. Only Useful in Corporate Environments by BeBoxer · · Score: 4, Insightful

    While I applaud the effort to get two-factor authentication more widely deployed, I think there is a critical flaw in most (all?) of the hardware tokens currently in use.

    I believe that current hardware tokens are all based on private key encryption algorithms. The key is stored in the device, as well as in the backend authentication server. This works fine within a single administrative domain, but is pretty much useless in cross domain situations.

    How can I use my hardware token from work to authenticate to my bank? There are only two ways I know of. Either my bank and my employer both know the secret key for my fob, in which case either one can spoof me to the other one. Or my bank has my employer perform the authentication. Neither one of which is desirable. I suppose someone could start selling hardware tokens where the users can program multiple keys into it, and the user would then have to choose the proper key when logging in, but I've never seen one. Which still leaves the problem of how my bank and I communicate the secret key securely.

    Ideally I think these hardware tokens would be public-key based. But as far as I know, there isn't any way to do a public-key authentication using a reasonable number of bits. As in, a type-able number of bits. Nobody is going to type in the 128 hex characters which result from a 1024-bit RSA key signature for example. Is there any way to get around this? Maybe, but I don't know of it. The other option is to use a USB interface (or something) so the user doesn't have to type the response.

  28. Re:A question worth asking by nine-times · · Score: 5, Insightful
    >A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:
    >
    >Something you have (a key, a smartcard)
    >Something you know (a password, a PIN)
    >Something you are (a fingerprint, a voiceprint)
    >
    >It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

    On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

    I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

  29. Microsoft's Response by The+Angry+Mick · · Score: 5, Funny
    >C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner

    MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.

    --

    I'm not tense. I'm just terribly, terribly, alert.

  30. Re:A question worth asking by ThJ · · Score: 3, Informative

    Well, if this is anything like what my bank does, it works as the following:

    1) You input your bank account number and a password into your bank's site.
    2) You use a little calculator, you input a PIN into it, and it generates a unique number that you have to input into the page.
    3) You're now authenticated.

    Other schemes include having a little card with the numbers on it, and the site will request you to input code number N, and you do so, and it lets you in.

  31. Re:A question worth asking by 99BottlesOfBeerInMyF · · Score: 3, Insightful

    >Most decent references on authentication stick to something you have

    Not really. Something you know can be extracted via extreme methods like torture, or with "truth serum" type drugs. They can be grabbed from a database and brute forced. They are information. Biometrics, on the other hand, are physical characteristics of your body. They are very, very hard to change, can't really be left behind, and are constantly exposed. Once captured, they are often easily faked. They are very dangerous to use as an authentication mechanism and are only really valid when carefully verified by a human observer. There is a trend towards biometrics right now, in the consumer space that will likely result in a net decrease in security. This is why they are rarely mentioned in a positive light by experts. They are cool and high-tech, however, so doubtless marketers will use them as a tool to separate you from both your security and your cash. They fit perfectly into MS modus operandi. They are ineffective, and a liability, but easy to use, whiz-bang, and easy to make proprietary and lock out competitors.

  32. Re:A question worth asking by DickBreath · · Score: 3, Funny

    >>Something you are (a fingerprint, a voiceprint)
    >This is just something you have, that you cannot easily change, and that is occasionally very painful when taken from you, and that you cannot leave at home.


    I have a solution.

    Use something that is debatably "something you are"; i.e. a sperm sample.

    I take these from guys, and they definitely do not find it to be "very painful".

    They cannot easily change it.

    They could possibly leave "it" at home, and the HAX0R could find and then use the sample.

    It is not easy for someone to extract this sample from you under duress. When you are stressed out, kidnapped, at gunpoint, you may find it difficult to produce a sample.

    There is a drawback. If it is required to produce a sample in order to log in, then pr0n sites might see a sudden drop in their visitors. Login screens will need to support plug in modules; so that the pr0n sites can market their materials as "login assistants".

    --

    I'll see your senator, and I'll raise you two judges.
  33. Two way authentication works today by tliet · · Score: 4, Informative

    Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.

    After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.

    This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.

  34. Re:A question worth asking by RapmasterT · · Score: 4, Insightful
    This is the kind of thinking I have to fight every day at work. A simple lack of understanding of the concept makes a useless solution seem perfectly reasonable. I don't mean to be as insulting as that sounds, this is just a good example of how easy it is to be completely wrong.


    If you start with a known item like the time (time changes, but it's not a secret what time it is) then multiply it by another unchanging item like a PIN, all you've done is make a more complicated PIN number. You haven't implemented two factor authentication, you're just making it hard to log in.
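The token-calculator and code-card logins described in comments 30 and 33, plus the distinction comment 34 draws (the one-time code has to come from a secret held by the device, not from the clock multiplied by the PIN), as an added example that is none of the posters' code and not any bank's implementation. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 with HMAC-SHA1, and a constructed server that checks both factors: the device key stands in for "something you have" and a salted PIN hash for "something you know". The `TokenServer` class, the user names, PINs and card codes are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    The code depends on the device key; the PIN never enters the computation,
    so knowing the PIN and the time alone does not let anyone derive it."""
    return hotp(key, int(at_time) // step, digits)


class TokenServer:
    """Constructed bank-side verifier (assumption, not a real product).
    Per user it stores the token key and a salted PIN hash; a login needs both."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def enroll(self, user: str, pin: str, key=None) -> bytes:
        key = key or secrets.token_bytes(20)  # fixed key only for reproducible tests
        salt = secrets.token_bytes(16)
        self.users[user] = {"key": key, "salt": salt,
                            "pin_hash": self._pin_hash(pin, salt),
                            "last_counter": -1,  # highest time slot already accepted
                            "card": None, "card_used": set()}
        return key  # this copy is provisioned into the token calculator

    def verify_totp(self, user, pin, code, now, step=30, window=1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin_hash"])
        counter = int(now) // step
        matched = None
        for c in range(counter - window, counter + window + 1):  # tolerate clock drift
            if c <= rec["last_counter"]:
                continue  # slot already spent: an intercepted code is not replayable
            if hmac.compare_digest(hotp(rec["key"], c), str(code)):
                matched = c
        # Both factors are evaluated before deciding, so a wrong PIN and a wrong
        # code are indistinguishable to the caller.
        if pin_ok and matched is not None:
            rec["last_counter"] = matched
            return True
        return False

    # Printed code card: the site asks for "code number N", each code used once.
    def issue_card(self, user, n=20):
        rec = self.users[user]
        rec["card"] = [str(secrets.randbelow(10 ** 6)).zfill(6) for _ in range(n)]
        rec["card_used"] = set()
        return list(rec["card"])  # the copy that would be mailed to the customer

    def card_challenge(self, user):
        rec = self.users[user]
        unused = [i for i in range(len(rec["card"])) if i not in rec["card_used"]]
        return secrets.choice(unused) if unused else None  # None: card exhausted

    def verify_card(self, user, index, code) -> bool:
        rec = self.users.get(user)
        if rec is None or rec["card"] is None or index in rec["card_used"]:
            return False
        if hmac.compare_digest(rec["card"][index], str(code)):
            rec["card_used"].add(index)
            return True
        return False


if __name__ == "__main__":
    srv = TokenServer()
    key = srv.enroll("alice", "1234")      # constructed user and PIN
    now = 1_000_000                          # constructed clock value
    print("login:", srv.verify_totp("alice", "1234", totp(key, now), now))
    print("replay:", srv.verify_totp("alice", "1234", totp(key, now), now))
```

The server only ever accepts a time slot once per user, which is what makes a sniffed code useless "the next time it's needed", as the Schneier quote in comment 5 puts it. The code card works the same way with a fixed list instead of a clock: the server picks which entry to ask for, so an attacker who captured one login cannot predict which code the next login will need.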