Slashdot Mirror


Authentication Tokens for Password-less Access?

A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"

28 comments

  1. Modality by poopdeville · · Score: 3, Informative

    A password is an authentication token. Each modality of authentication has its own weaknesses (e.g. passwords are weak against keyloggers on untrusted systems). The question as to whether a particular modality is safe depends essentially on the specifics of the circumstance in which it is to be used. Is the machine you're working with otherwise secure? Trusted? If untrusted, can you ensure that the modality doesn't depend on any untrusted resources? Answer these questions and you'll have your answer.

    --
    After all, I am strangely colored.
  2. A few starting points by subreality · · Score: 3, Informative

    None of these is a complete solution, but they may help you.

    http://www.schneier.com/passsafe.html Password safe - This uses strong encryption with a master password to store all your other passwords. You still have to cut'n'paste them everywhere, though. Keep it on a USB key with the encrypted passwords.

    https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=670 Password Composer - Takes the md5 of your master password and the hostname of a site to generate a unique password for each site. It's available as a Firefox extension, or as a bookmarklet. The method is simple, so you can get your password back with nothing more than echo and md5sum on the command line, so you're not at the software's mercy. However, there's not a good way to change either your master password or a site password if they're compromised. And it's only good for the web. But it's still a good improvement for handling tons of sites that don't need the very highest security.

    http://web.mit.edu/kerberos/ Kerberos - Use a password to log in once, and then you're authenticated for all the services you need. This works great, but it has to be supported by each site that uses it. It's great for intranets, but it doesn't help for random web sites.
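The derivation scheme subreality describes for Password Composer, written out as an added example (this is not the extension's code; the exact concatenation "master:hostname" and the 8-character truncation are assumptions, as is the hypothetical revision counter added to address the caveat that a single site password cannot be changed without changing the master):

```python
import hashlib


def derive_site_password(master: str, hostname: str, revision: int = 0, length: int = 8) -> str:
    """Deterministic per-site password from a master secret and a hostname.

    With revision=0 this is the same as
        echo -n "master:hostname" | md5sum | cut -c1-8
    so the password can be recovered without the software.
    A non-zero revision (assumed addition) lets one site be rotated after a
    leak without touching the master password or any other site.
    """
    material = f"{master}:{hostname}" if revision == 0 else f"{master}:{hostname}:{revision}"
    digest = hashlib.md5(material.encode("utf-8")).hexdigest()
    return digest[:length]


def rotate_master(old_master: str, new_master: str, hostnames: list[str]) -> dict[str, tuple[str, str]]:
    """Show the cost of the design: changing the master changes every site.

    Returns hostname -> (old_password, new_password); every pair differs
    (barring an MD5 prefix collision), so every account must be re-registered.
    """
    return {
        host: (derive_site_password(old_master, host), derive_site_password(new_master, host))
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sites = ["example.com", "mail.example.org", "shop.example.net"]
    for host in sites:
        print(host, derive_site_password("correct horse battery", host))
    print("after master rotation:", rotate_master("correct horse battery", "new master", sites))
```

The `revision` argument is the minimal fix for the rotation problem the comment raises: the user only needs to remember which sites are on revision 1, 2, and so on. The construction is still only as strong as the master password, because anyone holding one derived password can try master candidates offline against it.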

    1. Re:A few starting points by Daengbo · · Score: 1

      Since 4 out of the 5 comments on the Firefox extension are negative, including ones which state that they can't use it to reliably log into a site, I'd say to avoid it.

  3. Keyring? by Phleg · · Score: 4, Interesting

    What's wrong with having a password protected virtual keyring, as opposed to some sort of physical media? Say what you want, but physical media are highly likely to be lost or stolen. With keys, the former isn't much of a problem; you can always have them remade. But how do you accomplish this virtually, over a website? Even worse, when a key (or keyring) is lost, the likelihood for damage is exceedingly low, because the odds of anyone finding what each key goes to is pretty unlikely. However, if you have a device with all your authentication tokens on it, the person just has to visit paypal.com, ebay.com, and so on until they have a match. I doubt it would take long.

    --
    No comment.
  4. Passwords I might use for this page by hackwrench · · Score: 1, Interesting

    noitacitnehtuA
    todhsalsksa
    522361
    or some mix of the above with each other, doubled, etc.
    Another interesting password is:
    drowssapymyllaersisihteveilebt'nacI

  5. 3 tenets of security by joeslugg · · Score: 3, Informative

    1. Who you are
    2. What you know
    3. What you have

    The general consensus that I'm aware of is that if you can give proof that you are indeed the individual requesting access on your own behalf (perhaps through biometrics), if you can prove you have knowledge of some piece of secret data (a password), and finally if you also have in your possession some item or object required to gain access (like the token you mentioned), then the system can be reasonably sure you're legit. Thwarting all of these simultaneously would be quite difficult.

    1. Re:3 tenets of security by Sockatume · · Score: 1

      Well put. In fact, having any two of those in combination greatly improves security.

      --
      No kidding!!! What do you say at this point?
  6. Other Means! by TheCarlMau · · Score: 1

    Even the most complex passwords (retina scan, finger print?) can be stolen by adding a logging program of some sort. We shouldn't worry about how to store passwords, but how passwords are transferred - that needs to be the most secure.

    One of my passwords is 15 characters long, containing upper and lower case, digits, and special characters. I really doubt that it could be easily cracked (before the attacker died of old age). I think the attacker would spend time trying to break in through other means.

    Think of security as a great wall. Your 'password' is made of pure steel, 100 feet thick and a mile high. But now, what if there is an unlocked back door? The attacker won't go through your great wall, but just open the door and walk in. This is very similar to how computer security works.

    1. Re:Other Means! by dr_leviathan · · Score: 3, Informative

      The blackdog USB computer solves this problem.

      http://www.projectblackdog.com/product.html

      Its security is as good as a fingerprint and SSH encryption.
      You can even use it on a host machine with a keyboard logger
      as long as you are accessing stuff that accepts your SSH key
      -- you wouldn't want to ever have to type in your password
      for a remote service.

      --
      Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
  7. iButton with encryption? by rthille · · Score: 1

    Store your passwords on a Java based iButton. You still need to trust the computer you plug it into, but it should be relatively secure.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  8. USBWiSec and AutoHotkey for Windows by zbuffered · · Score: 2, Interesting

    It ain't Linux, but...
    USBWiSec
    to control it,
    AutoHotkey to unlock it and automate authentication.

    --
    Synergy is your friend
    1. Re:USBWiSec and AutoHotkey for Windows by Stinking+Pig · · Score: 1

      Google will show you that someone wrote a kernel driver and PAM module... still, I'm waiting for the RFID version. I don't want a big old battery-powered blinkenlight in my pocket, how about it just picks up the RFID card in my wallet?

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
  9. Cryptocard by plsuh · · Score: 2, Informative

    There's a company called Cryptocard that produces a product similar to what you're looking for:

    http://www.cryptocard.com/index.cfm?PID=464&PageName=UB-1%20USB%20Token

    They support Windows, Mac OS X, and Linux.

    http://www.cryptocard.com/index.cfm?PID=376&PageName=CRYPTO-Server

    --Paul

  10. Just do what I do by kbielefe · · Score: 3, Funny

    i keep all My webSite logiN PASSWORDs In my slaShbox, So they are alWays clOse at hand. when i want real security, i employ a top secRet steganography technique insiDe of a comment. iF security through obscurIty iS good enough for commercial software, it is certainly good enougH for me.

    --
    This space intentionally left blank.
    1. Re:Just do what I do by xsonofagunx · · Score: 1

      LMAO...

      this was far funnier than you got credit for. Simple, but funny.

  11. Even better, by SharpFang · · Score: 3, Interesting

    http://www.ibutton.com/ - free samples available.
    The 2.6.13 kernel already has some very decent support for it (.12 - sorry, not so decent...; .14-rc? seems even more promising, this is a very actively developed area) - now just wait for good userspace support software. It's in /sys already.

    iButtons are way more rugged than a USB stick (think surviving in the pockets of Indiana Jones, Gordon Freeman and Lara Croft), smaller and more comfortable in use, and some are designed to be unlockable only with a password ;) One problem is that the biggest one is 8 kilobytes, so if you plan on using them to store MP3s, sorry. But PGP keys, password lists etc - why not?
    And if you're a Java freak, there's a java-based minicomputer in one of them :)

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Even better, by Nos. · · Score: 3, Interesting

      I've actually built a home alarm system that uses iButtons as the arm/disarm switch instead of a numeric code. I have about 15 iButtons which I store in a DB. When we need to lend a key to someone to check on the house, I put an iButton on the keychain, go into the database and activate it. Then, when that iButton touches the sensor pad by the door, it will arm/disarm the system.

      I've had it running for about 6 months now without a problem. I'm still adding features (the IR beam across a doorway inside the house is almost ready) and I just need to find a better spot for the webcam.

      In case of the system detecting someone when the system is armed, it sends me an SMS, takes pictures through the webcam and sends them to my gmail account, etc. etc.

      A lot of fun to build, and I've got a couple people in my LUG working on building similar stuff

  12. Cost by Anonymous Coward · · Score: 5, Interesting

    USB tokens or anything similar are not a viable option when you have lots (and I mean LOTS) of users.

    What we use is that in order to log in, you have to enter your normal username and password and then you receive a token (via SMS) which you have to enter.

    That way no expensive tokens have to be distributed to end-users, and even if an end-user's password is stolen, it's no good as long as you don't also steal his/her mobile phone.

    If it happens that the end-user does not have a mobile phone (which here in Finland is _extremely_ rare), it's far cheaper to give away a couple of mobile phones and accounts than to distribute tokens/usb keys/whatever to all users, which then have to be renewed/get broken/are difficult to use.
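The server side of the SMS-code flow this comment describes, as an added example (not the poster's system; the 6-digit code length, the 5-minute lifetime, the one-attempt-per-code policy and the injectable clock are assumptions):

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a delivered code


class SmsSecondFactor:
    """Issue and verify single-use numeric codes after the password step.

    The code is stored only as a hash; a code is consumed by the first
    verification attempt, right or wrong, so an attacker who knows the
    password cannot guess through the 10^6 code space against one issue.
    """

    def __init__(self, now=time.time):
        self._now = now                # injectable clock (assumption) for testing
        self._pending: dict[str, tuple[bytes, float]] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("ascii")).digest()

    def issue(self, username: str) -> str:
        """Generate a fresh code for a user who has just passed the password check.

        The returned code goes to the SMS gateway; it must never be logged.
        Re-issuing replaces any still-pending code for that user.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (self._hash(code), self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, username: str, code: str) -> bool:
        """Accept the code once, within its lifetime; any attempt consumes it."""
        entry = self._pending.pop(username, None)
        if entry is None:
            return False                          # nothing issued, or already used
        expected_hash, expires_at = entry
        if self._now() > expires_at:
            return False                          # delivered too late; user must re-issue
        return hmac.compare_digest(expected_hash, self._hash(code))


if __name__ == "__main__":
    # Constructed demonstration with a fixed clock, not real traffic.
    clock = [1_000.0]
    factor = SmsSecondFactor(now=lambda: clock[0])
    code = factor.issue("alice")
    print("accepted:", factor.verify("alice", code))       # True
    print("replayed:", factor.verify("alice", code))       # False
    code = factor.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    print("expired:", factor.verify("alice", code))        # False
```

The hash is there so a dump of the pending table does not hand out live codes; it does not make the 6-digit code hard to guess, which is why the single-attempt rule and the expiry do the real work.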

  13. Things can be lost....or fried by chivo243 · · Score: 1

    In the password juggle, I have a core password, and then some other crap attached based on the need for the password. Works for me, that's enough.

    --
    Sig Hansen?
  14. What server? by Anonymous Coward · · Score: 0

    What server software do you use to enable the issuing and authentication of the tokens? You describe an excellent idea but, without the backend server, it's no help.

  15. PAM-USB by PlasticMonkey · · Score: 1

    Can't you do this with PAM_USB in Linux? (http://www.pamusb.org/)

    I only managed to get it working with Login, but apparently (quoting the project's site) it works with any PAM enabled program, such as (Login), su, gdm/kdm/xdm, xlock et-cetera.

    Check the site out.

    - Phileeep.

    1. Re:PAM-USB by Anonymous Coward · · Score: 0

      Wow, (as the AC top-level poster) this is exactly what I was looking for... (mod parent up)!

        - Unix/Linux Support (in this case, with a pam_module)
        - Uses a generically mountable device (ie: usb flash disk) and monitors dmesg for automated procedure
        - Works with login (kdm)

      Thank you!

  16. biometrics on a usb stick? by Batman64 · · Score: 1

    I like the idea of having a usb mem stick and having a biometrics thumb print scan such as the one on the newer IBM laptops. You can keep all of your passwords on there but the trick would be that only your 'the owner's' thumb scan would turn on the stick. This would make it more secure than a traditional door key as some people have pointed out, an obvious flaw.. and also another thing that could be done would be dock it when you get home, all pwds would be synced (in case of loss/damage/explosion!) then just purchase a new biometrics usb, set the thumbprint, upload info from the dock and you are ready to party again. Let me know if there is something like this out right now and I would luv to purchase it.

    -

    I ammmmmmmmmmmm Batman64

  17. Smartcards by MeanMF · · Score: 2, Insightful

    There are plenty of USB-based Smartcards out there. Not sure about Linux drivers, but they work great with Windows.

    The problem with Biometrics is that if somebody does manage to forge your credentials, it's very difficult to change your "password" (fingerprint/retina/etc).

  18. A Suggestion For Microsoft... by Anonymous Coward · · Score: 0

    ...Maybe Microsoft, and many other OS vendors, could incorporate strong one way hash encryption algorithms into their kernel, or whatever in their OS would receive the password call directly, then use that same algorithm with the USB authentication key, which in turn will allow for secure password transfer from the USB token to the computer. But as far as security, anything that man can create (e.g. encryption algorithms), man can destroy, so security can always be defeated.

  19. How about OTP? by Anonymous Coward · · Score: 0

    Doesn't require extra hardware,
    tokens expire once used so it can even be used where there is a possible keylogger.
    It's fairly easy to set up, and you can pre-print the next few passwords or use a PDA/smartphone to generate them as needed.
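A hash-chain one-time password scheme of the kind this comment alludes to (the S/Key idea: the server holds only the next hash in the chain, so a keylogged password is worthless once used), written as an added example rather than any particular OTP implementation; SHA-256 in place of the older MD4/MD5, the strict "next value only" rule, and the `printable_passwords` helper for the pre-printed list are all choices made here:

```python
import hashlib
import hmac
import secrets


def _h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def generate_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h(seed), h(h(seed)), ..., h^n(seed)].

    The client keeps the seed (or the list); the server is given only h^n(seed).
    """
    chain, current = [], seed
    for _ in range(n):
        current = _h(current)
        chain.append(current)
    return chain


def printable_passwords(chain: list[bytes]) -> list[str]:
    """Passwords in the order they will be typed: h^(n-1), h^(n-2), ..., h^1.

    This is the list one would pre-print; each entry is crossed off after use.
    """
    return [c.hex() for c in reversed(chain[:-1])]


class OtpServer:
    """Holds the last accepted chain value and accepts only its pre-image."""

    def __init__(self, anchor: bytes, remaining: int):
        self.anchor = anchor          # h^k(seed) for the current k
        self.remaining = remaining    # how many pre-images are still unused

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False              # chain exhausted: client must enrol a new seed
        if not hmac.compare_digest(_h(candidate), self.anchor):
            return False              # replay, wrong value, or a skipped step
        # Move the anchor down the chain; the value just used can never be replayed
        # because nothing the server now stores equals h(anchor) any more.
        self.anchor = candidate
        self.remaining -= 1
        return True


def demo() -> list[bool]:
    """Constructed walk-through: accept, reject replay, accept next, reject skip."""
    seed = secrets.token_bytes(16)      # constructed, per-enrolment secret
    chain = generate_chain(seed, 5)
    server = OtpServer(anchor=chain[-1], remaining=len(chain) - 1)
    first, second, skipped = chain[-2], chain[-3], chain[0]
    return [
        server.verify(first),           # True
        server.verify(first),           # False: already consumed
        server.verify(second),          # True
        server.verify(skipped),         # False: not the immediate pre-image
    ]


if __name__ == "__main__":
    print(demo())
```

Because the server stores only the current anchor, a server-side compromise does not yield future passwords either; what it does not protect against is an attacker who intercepts a password and races the legitimate user to present it first, which is why these schemes are normally combined with a channel the keylogger cannot read back.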

  20. An authentication solution for Linux by GCsoftware · · Score: 1

    I have just written a masters thesis where I designed an authentication solution for Linux using plain old USB flash drives, Linux kernel level encryption and PGP. If there's any interest I might release the sources of a proof of concept in Python under a nice FOSS license, and/or put the thesis itself up on my website so any interested party could implement the system by themselves.

    Email me at locust (at) sampsa (dot) com if you're interested.

  21. GetLogin.com by Anonymous Coward · · Score: 0

    What I use to avoid remembering, and by the way registering, passwords is GetLogin.com . It is not needed to remember logins and passwords, it's just as easy as performing a search for the website you want to access. At least this is really useful for web sites.