Slashdot Mirror

← Back to Stories (view on slashdot.org)

Authentication Tokens for Password-less Access?

Posted by Cliff on from the lose-your-keys-AND-your-passwords-at-the-same-time dept.

A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"

2 of 28 comments (clear)

  1. Keyring? by Phleg · · Score: 4, Interesting

    What's wrong with having a password protected virtual keyring, as opposed to some sort of physical media? Say what you want, but physical media are highly likely to be lost or stolen. With keys, the former isn't much of a problem; you can always have them remade. But how do you accomplish this virtually, over a website? Even worse, when a key (or keyring) is lost, the likelihood for damage is exceedingly low, because the odds of anyone finding what each key goes to is pretty unlikely. However, if you have a device with all your authentication tokens on it, the person just has to visit paypal.com, ebay.com, and so on until they have a match. I doubt it would take long.

    --
    No comment.
  2. Cost by Anonymous Coward · · Score: 5, Interesting

    USB tokens or anything similar are not a viable option when you have lots (and I mean LOTS) of users.

    What we use is that in order to log in, you have to enter your normal username and password and then you receive a token (via SMS) which you have to enter.

    That way no expensive tokens have to be distributed to end-users and even if a end-user's password is stolen, it's no good as long as you don't steal also his/her mobile phone.

    If such a thing happens that the end-user does not have a mobile phone (which here in Finland is _extremely_ rare) it's far more cheaper to give away a couple of mobile phones and accounts than to distribute tokens/usb keys/whatever to all users which then have to be renewed/get broken/are difficult to use.