Authentication Tokens for Password-less Access?
A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"
A password is an authentication token. Each modality of authentication has its own weaknesses (e.g. passwords are weak against keyloggers on untrusted systems). The question as to whether a particular modality is safe depends essentially on the specifics of the circumstance in which it is to be used. Is the machine you're working with otherwise secure? Trusted? If untrusted, can you ensure that the modality doesn't depend on any untrusted resources? Answer these questions and you'll have your answer.
After all, I am strangely colored.
None of these is a complete solution, but they may help you.
https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=670 Password Composer - Takes the md5 of your master password and the hostname of a site to generate a unique password for each site. It's available as a Firefox extension, or as a bookmarklet. The method is simple, so you can get your password back with nothing more than echo and md5sum on the command line, so you're not at the software's mercy. However, there's not a good way to change either your master password or a site password if they're compromised. And it's only good for the web. But it's still a good improvement for handling tons of sites that don't need the very highest security.
http://www.schneier.com/passsafe.html Password safe - This uses strong encryption with a master password to store all your other passwords. You still have to cut'n'paste them everywhere, though. Keep it on a USB key with the encrypted passwords.
http://web.mit.edu/kerberos/ Kerberos - Use a password to log in once, and then you're authenticated for all the services you need. This works great, but it has to be supported by each site that uses it. It's great for intranets, but it doesn't help for random web sites.
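The Password Composer derivation described in the comment above, as an added shell example that is not part of the thread and not the extension's own code. The `master:host` input format, the 8-character truncation, the host normalization and the optional rotation counter are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. Assumptions (not stated in the thread): the hash input
# is "master:host" and the site password is the first 8 hex digits.

# md5_hex STRING -> 32 hex digits. printf is a shell builtin, so the secret
# reaches md5sum on stdin and never shows up in a process argument list.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# normalize_host URL_OR_HOST -> lowercase host with scheme, path, query,
# userinfo and port removed, so every spelling of a site hashes the same.
# "www.example.com" and "example.com" still count as different sites.
normalize_host() {
    printf '%s' "$1" |
        sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' \
            -e 's|[/?#].*$||' \
            -e 's|^.*@||' \
            -e 's|:[0-9]*$||' |
        tr '[:upper:]' '[:lower:]'
}

# site_password MASTER URL_OR_HOST [COUNTER]
# COUNTER is a hypothetical extension: bumping it yields a fresh password for
# one site without changing the master, at the cost of remembering the number.
site_password() {
    host=$(normalize_host "$2")
    input="$1:$host"
    if [ -n "${3:-}" ] && [ "$3" != "0" ]; then
        input="$input:$3"
    fi
    # 8 hex digits carry only 32 bits, whatever the master's strength.
    md5_hex "$input" | cut -c1-8
}

# Constructed demo values: same site, two spellings, then a rotated password.
site_password 'constructed-master' 'https://www.example.com/login?x=1'
site_password 'constructed-master' 'WWW.EXAMPLE.COM'
site_password 'constructed-master' 'www.example.com' 1
```

The first two calls print the same value because both inputs normalize to the same host; the third differs because the counter changes the hashed string.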
1. Who you are
2. What you know
3. What you have
The general consensus that I'm aware of is that if you can give proof that you are indeed the individual requesting access on your own behalf (perhaps through biometrics), if you can prove you have knowledge of some piece of secret data (a password), and finally if you also have in your possession some item or object required to gain access (like the token you mentioned), then the system can be reasonably sure you're legit. Thwarting all of these simultaneously would be quite difficult.
The blackdog USB computer solves this problem.
http://www.projectblackdog.com/product.html
Its security is as good as a fingerprint and SSH encryption. You can even use it on a host machine with a keyboard logger as long as you are accessing stuff that accepts your SSH key -- you wouldn't want to ever have to type in your password for a remote service.
Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
There's a company called Cryptocard that produces a product similar to what you're looking for:
http://www.cryptocard.com/index.cfm?PID=464&PageName=UB-1%20USB%20Token
http://www.cryptocard.com/index.cfm?PID=376&PageName=CRYPTO-Server
They support Windows, Mac OS X, and Linux.
--Paul