Slashdot Mirror


Authentication Tokens for Password-less Access?

A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"

6 of 28 comments

  1. Keyring? by Phleg · Score: 4, Interesting

    What's wrong with having a password protected virtual keyring, as opposed to some sort of physical media? Say what you want, but physical media are highly likely to be lost or stolen. With keys, the former isn't much of a problem; you can always have them remade. But how do you accomplish this virtually, over a website? Even worse, when a key (or keyring) is lost, the likelihood for damage is exceedingly low, because the odds of anyone finding what each key goes to is pretty unlikely. However, if you have a device with all your authentication tokens on it, the person just has to visit paypal.com, ebay.com, and so on until they have a match. I doubt it would take long.

    --
    No comment.
  2. Passwords I might use for this page by hackwrench · Score: 1, Interesting

    noitacitnehtuA
    todhsalsksa
    522361
    or some mix of the above with each other, doubled, etc.
    Another interesting password is:
    drowssapymyllaersisihteveilebt'nacI

  3. USBWiSec and AutoHotkey for Windows by zbuffered · Score: 2, Interesting

    It ain't Linux, but...
    USBWiSec to control it, AutoHotkey to unlock it and automate authentication.

    --
    Synergy is your friend
  4. Even better, by SharpFang · Score: 3, Interesting

    http://www.ibutton.com/ - free samples available.
    2.6.13 kernel has already some very decent support for it (.12 - sorry, not so decent...; .14-rc? seems even more promising, this is a very actively developed area) - now just wait for good userspace support software. It's in /sys already.

    iButtons are way more rugged than a USB stick (think surviving in pockets of Indiana Jones, Gordon Freeman and Lara Croft), smaller and more comfortable in use and some are designed to be unlockable only with a password ;) One problem is the biggest one is 8 kilobytes, so if you plan on using them to store MP3s, sorry. But PGP keys, password lists etc - why not?
    And if you're a Java freak, there's a java-based minicomputer in one of them :)

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Even better, by Nos. · Score: 3, Interesting

      I've actually built a home alarm system that uses iButtons as the arm/disarm switch instead of a numeric code. I have about 15 iButtons which I store in a DB. When we need to lend a key to someone to check on the house, I put an iButton on the keychain, go into the database and activate it. Then, when that iButton touches the sensor pad by the door, it will arm/disarm the system.

      I've had it running for about 6 months now without a problem. I'm still adding features (the IR beam across a doorway inside the house is almost ready) and I just need to find a better spot for the webcam.

      In case of the system detecting someone when the system is armed, it sends me an SMS, takes pictures through the webcam and sends them to my gmail account, etc. etc.

      A lot of fun to build, and I've got a couple people in my LUG working on building similar stuff.

  5. Cost by Anonymous Coward · Score: 5, Interesting

    USB tokens or anything similar are not a viable option when you have lots (and I mean LOTS) of users.

    What we use is that in order to log in, you have to enter your normal username and password and then you receive a token (via SMS) which you have to enter.

    That way no expensive tokens have to be distributed to end-users and even if an end-user's password is stolen, it's no good as long as you don't also steal his/her mobile phone.

    If such a thing happens that the end-user does not have a mobile phone (which here in Finland is _extremely_ rare) it's far cheaper to give away a couple of mobile phones and accounts than to distribute tokens/usb keys/whatever to all users which then have to be renewed/get broken/are difficult to use.
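
The SMS second step described in the "Cost" comment above, sketched as an added example; it is not the commenter's system or code from this thread. The class name, the `send_sms` gateway callable, the 5-minute lifetime and the 3-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses before the code is voided (assumed policy)


class SmsSecondFactor:
    """Second login step; call issue() only after the password check passed."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # hypothetical gateway: send_sms(phone, text)
        self._clock = clock                  # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)  # server-side key for the stored MACs
        self._pending = {}                   # username -> [mac, expires_at, attempts_left]

    def _mac(self, username, code):
        return hmac.new(self._key, f"{username}:{code}".encode(), "sha256").digest()

    def issue(self, username, phone):
        code = f"{secrets.randbelow(10**6):06d}"    # 6 digits from the OS CSPRNG
        # Issuing again replaces any earlier code for this user.
        self._pending[username] = [self._mac(username, code),
                                   self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Login code: {code}")

    def verify(self, username, code):
        entry = self._pending.get(username)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]             # expired
            return False
        if hmac.compare_digest(mac, self._mac(username, code)):
            del self._pending[username]             # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]             # too many wrong guesses
        return False


if __name__ == "__main__":
    outbox = []                                     # constructed stand-in for the SMS gateway
    mfa = SmsSecondFactor(lambda phone, text: outbox.append((phone, text)))
    mfa.issue("alice", "+358-000-CONSTRUCTED")
    code = outbox[-1][1].split()[-1]
    print(mfa.verify("alice", "not-it"), mfa.verify("alice", code), mfa.verify("alice", code))
```

The code is kept server-side only as a keyed MAC, and a stolen password alone never reaches `verify()` with a valid code unless the phone is also in the attacker's hands, which is the property the comment relies on.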