Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

15 of 449 comments

  1. MS version by Anonymous Coward · · Score: 5, Funny


    Two Factor Authentication, MS style (with apologies to Monty Python).

    "What... is your name..."
    "What... is your favourite colour?"

    1. Re:MS version by Infinityis · · Score: 5, Funny

      Bluescreen of death...no, Redha....auuggghhh!!!

  2. Logging in by consumer_whore · · Score: 5, Funny

    Does that mean I have to type in 'password' twice?

    1. Re:Logging in by ragnar · · Score: 5, Funny

      No, it means that you will need two post it notes on your monitor.

      --
      -- Solaris Central - http://w
  3. What Is Two Factor Authentication? by MBraynard · · Score: 5, Informative
    To review, two-factor authentication consists of:

    Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

    Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

    Source.

  4. They're making this problem seem too hard by Anonymous Coward · · Score: 5, Funny
    The computer industry should take a clue from the financial services sector. All you need for any system is a simple login screen:

    Name:__________
    Email address:_________
    Birthdate:__________
    Last four digits of SSN:________
    Mother's maiden name:___________
    [OK] [Cancel]

    Instant, foolproof security with no hardware to deal with or passwords to remember.

    1. Re:They're making this problem seem too hard by Jherek+Carnelian · · Score: 5, Funny

      I could crack this in 5 seconds with your pay stub on your desk, and your address book on your desktop.

      But yet you still can't seem to crack the secret code known as humor.

  5. They're already doing this! by nathan+s · · Score: 5, Funny

    Except they don't know how to spell "name" and "favourite colour." :-D

    "What...is your login..."
    "What...is your password?"

  6. Re:A question worth asking by Sycraft-fu · · Score: 5, Informative

    A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

    Something you have (a key, a smartcard)
    Something you know (a password, a PIN)
    Something you are (a fingerprint, a voiceprint)

    It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

  7. Re:A question worth asking by Infinityis · · Score: 5, Funny

    As far as I can tell, two factor identification is the dualization of the encryptable factorization process. When the vector based finglestrup is elongated to the point of dypstrontinazation, we find that standard passwords are, in a word, flangoozled. By dishappening the estronable bases, the possibility of grolingering becomes ziponified. All that said, I fully support two factor identification, and you should too.

    Hopefully that helps...

  8. MS ActiveButtPlug Technology... by Anonymous Coward · · Score: 5, Funny

    ...takes advantage of the fact that the folds in each user's rectum are unique to simultaneously provide secure authentication while promoting prostate health.

  9. Re:A question worth asking by Anonymous Coward · · Score: 5, Insightful

    Two Factor Identification: A way for M$ to require every user has a dongle to reduce piracy, promote DRM/TCPA and marginalize competitors. Heil Microsoft!

  10. Re:Reporting leaves something to be desired by Infinityis · · Score: 5, Funny

    I'm sure it'll be something like the following:

    "Please enter your login"

    "Thank you, please enter your password"

    "So far so good. Now, reading over the last few emails you've replied to, it appears you have some trouble 'getting it up'. As a final verification, please confirm the date of your most recent order of Viagra"

    Kinda like AdSense, but much more intrusive...

  11. Re:A question worth asking by nine-times · · Score: 5, Insightful
    A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

    Something you have (a key, a smartcard)
    Something you know (a password, a PIN)
    Something you are (a fingerprint, a voiceprint)

    It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

    On a side note, although the idea of biometrics and keycards sounds cooler than a password, there's a reason why computer security has been using the "something you know" for so long. Of the three, it's generally hardest to steal, hardest to fake, and easiest to change (in case someone else does gain access).

    I'm not arguing that using 2 (or 3) factors won't be generally more secure than using 1, but people do tend to be quick to jump on the bandwagon of shiny new things, and the fact is that a good password is a good start to a good security setup.

  12. Microsoft's Response by The+Angry+Mick · · Score: 5, Funny
    C: well sonny how can i log on to my internet box and email my friends to let them know what ive gone and done if i cant log on with this here finger scanner

    MS Tech Support: Well, I'm afraid Sir that since your copy of Windows had its product activation linked to that one finger, you're no longer legally licensed to use it. If you'd like, I can make a direct withdrawal from your checking account to purchase a new copy of Windows, complete with Internet Explorer 7.01 that you can activate with any of your remaining digits, or, some other body part that you'd be less likely to be careless with.

    --

    I'm not tense. I'm just terribly, terribly, alert.