Testing Commercial 2-Factor Authentication Systems?
Fry-kun asks: "I recently became interested in setting up a 2-factor authentication system for my laptop. With that in mind, I bought a fairly inexpensive USB key. Although it seems to work, I can't bring myself to trust it completely: Kensington claims that the system is secure, but there is no independent security lab analysis of the product. In other words, for all I know, there may be a gaping hole in their security setup. Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. How would you go about making sure that a security product does what it claims to?"
Corporate security drives innovation in this area. Who else is going to place an order for 10,000 of these units?
Corporate security is more concerned with blame and 'due diligence' than actual security.
Thus, if CompanyX makes a "secure" product, CorporationY will buy it, and deal with a breach by suing CompanyX.
I want to delete my account but Slashdot doesn't allow it.
It's made by a US company so you can bet your first-born that there's a backdoor - probably "protected" with a password some idiot would have in their luggage. How many government agencies and People That Are Out To Get You know about this backdoor is anybody's guess. And its full protocol hasn't been disclosed so you can't be sure regardless of how many assurances you get from the company.
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
Having a physical USB token with a TC volume (esp. the kind that stores things in a steganographic way) is in my opinion practically equivalent security-wise to the article's 2-factor authentication if you're smart enough to have your token on your keychain or something (it's a lot more likely that somebody will steal your laptop than your token, IMHO).
In any case, if you want to increase the security of what I proposed, nothing forbids you from getting TWO USB tokens, creating TrueCrypt volumes on both of them, and then creating an overlaid RAID-0 striped partition on both of them: in this case an attacker would need to steal BOTH tokens and BOTH passwords to gain access to your files.
Schemes like these also make it very easy to require multiple people to be present to open the files (say, all the directors, etc.). If you do things like RAID-5, you could also make it so that you could still access the information with N-1 USB tokens (in case one is lost).
I do think that these solutions are safer than trusting a random crypto vendor; this is also why I have all my sensitive things (tax returns, etc.) strictly on TC volumes.
-- the cake is a lie
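The "any N-1 tokens suffice" property the comment gets from RAID-5, as an added toy example (not the poster's code): RAID-5-style striping with rotating parity over in-memory byte strings standing in for the USB tokens; the block size and sample data are constructed. Note that parity striping is redundancy, not confidentiality: each token holds plain stripes of whatever was written, which is why the comment stripes TrueCrypt volumes rather than raw files.

```python
# Toy RAID-5 striping with rotating parity, modelling the comment's
# "any N-1 tokens suffice" property. Added illustration, not the post's
# code; works on in-memory byte strings standing in for USB tokens.

BLOCK = 4  # stripe unit in bytes (constructed, tiny for readability)


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def split_raid5(data, n_tokens):
    """Stripe data over n_tokens devices; one rotating parity block per row."""
    assert n_tokens >= 3, "RAID-5 needs at least three tokens"
    row_bytes = BLOCK * (n_tokens - 1)
    padded = data + b"\x00" * (-len(data) % row_bytes)  # pad to whole rows
    tokens = [bytearray() for _ in range(n_tokens)]
    for row, off in enumerate(range(0, len(padded), row_bytes)):
        chunks = [padded[off + i * BLOCK:off + (i + 1) * BLOCK]
                  for i in range(n_tokens - 1)]
        parity_pos = row % n_tokens  # parity position rotates per row
        it = iter(chunks)
        for pos in range(n_tokens):
            tokens[pos] += xor_blocks(chunks) if pos == parity_pos else next(it)
    return [bytes(t) for t in tokens]


def reconstruct_raid5(tokens, original_len):
    """Rebuild data from tokens where at most one entry is None (a lost token)."""
    n_tokens = len(tokens)
    missing = [i for i, t in enumerate(tokens) if t is None]
    assert len(missing) <= 1, "parity covers exactly one lost token"
    present = next(t for t in tokens if t is not None)
    out = bytearray()
    for row in range(len(present) // BLOCK):
        blocks = [None if t is None else t[row * BLOCK:(row + 1) * BLOCK]
                  for t in tokens]
        if missing:  # the lost block is the XOR of the row's other blocks
            blocks[missing[0]] = xor_blocks(b for b in blocks if b is not None)
        parity_pos = row % n_tokens
        out += b"".join(blocks[p] for p in range(n_tokens) if p != parity_pos)
    return bytes(out[:original_len])
```

Losing any single token, data or parity, still yields the original bytes; losing two does not, which is the threshold the comment describes.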