Slashdot Mirror


New Authentication Scheme Proposed

jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."
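The challenge flow described in the summary, sketched as an added example; it is not code from the story or from the Undercover authors. The five-button layout, four images per challenge with a "none" answer, the random-permutation mapping and the image names are all assumptions made for illustration.

```python
import itertools
import secrets

rng = secrets.SystemRandom()
N_IMAGES = 4                 # images shown per challenge (assumed)
NONE = N_IMAGES              # extra answer: "none of these is mine" (assumed)
N_BUTTONS = N_IMAGES + 1     # one button per possible answer (assumed)

def make_challenge(portfolio, decoys):
    """Visual challenge: 4 images, at most one from the user's portfolio."""
    images = rng.sample(decoys, N_IMAGES)
    if rng.random() < N_IMAGES / N_BUTTONS:   # otherwise the answer is NONE
        images[rng.randrange(N_IMAGES)] = rng.choice(portfolio)
    return images

def correct_answer(images, portfolio):
    """Index of the portfolio image on screen, or NONE."""
    return next((i for i, img in enumerate(images) if img in portfolio), NONE)

def hidden_mapping():
    """Tactile challenge: mapping[answer] = button, felt only by the user."""
    mapping = list(range(N_BUTTONS))
    rng.shuffle(mapping)
    return mapping

def user_press(images, portfolio, mapping):
    return mapping[correct_answer(images, portfolio)]

def verify(button, images, portfolio, mapping):
    """The verifier sent the mapping, so it can invert the button press."""
    return mapping.index(button) == correct_answer(images, portfolio)

def answers_consistent_with(button):
    """Observer's view: sees the screen and the button, not the mapping.
    For each candidate answer, count the mappings that explain the press."""
    counts = dict.fromkeys(range(N_BUTTONS), 0)
    for m in itertools.permutations(range(N_BUTTONS)):
        counts[m.index(button)] += 1
    return counts

if __name__ == "__main__":
    portfolio = ["cat.jpg", "pier.jpg", "kite.jpg"]        # constructed sample
    decoys = [f"decoy{i}.jpg" for i in range(20)]          # constructed sample
    images, mapping = make_challenge(portfolio, decoys), hidden_mapping()
    button = user_press(images, portfolio, mapping)
    print(verify(button, images, portfolio, mapping), answers_consistent_with(button))
```

Every candidate answer is explained by the same number of mappings, so the observed button press alone does not narrow down which image the user recognised. That only holds while the mapping itself stays hidden from the observer.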


  1. Re:And within a month by morgan_greywolf · Score: 2, Informative

    And within a month, someone will figure out a way to crack it. It's inevitable. Obvious. It's vulnerable to some of the same techniques that passwords are vulnerable to -- sniffing (assuming no encryption was also used), man-in-the-middle, keyboard (mouse) sniffer, malicious code, etc.
  2. 3 factor authentication and one time pad by Depili · Score: 2, Informative

    Why oh why develop new fancy ways to authenticate that still rely on one factor (the image portfolio) when 3 factor authentication (e.g. username + password + one time pad with challenge and response codes) just works, as snooping the username and pw doesn't give you the one time pad with challenges and responses, and stealing the pad doesn't give you the username and pw.

    That is the principal method of authentication used by web banks at least in Finland and other sensible countries :)

    1. Re:3 factor authentication and one time pad by Anonymous Coward · Score: 2, Informative

      Wouldn't that only be two factor authentication? Username and password only count as one factor (something you know) and the pad is the second factor (something you have.) In order to be three factor you would also need something you are.

  3. Re:The problem with authentication is authenticati by naasking · Score: 3, Informative

    How can you authorize something, unless you know who you're authorizing?

    You've asked the right question. You can find an intro here. That article links to arguably the best authorization scheme: capability-based security, where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.