Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Authentication Scheme Proposed

Posted by Soulskill on from the more-secure-less-portable dept.

jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."

5 of 102 comments (clear)

  1. And within a month by dreamchaser · · Score: 1, Insightful

    And within a month, someone will figure out a way to crack it. It's inevitable.

  2. This would NEVER work out by brunes69 · · Score: 2, Insightful

    It is a cool idea, that is for sure, but it would never leave the lab. Why? Because these guys are obviously not usability engineers. The idea that the function of a button changes based on some random event, and the system will tell you which button means what before you click it, is not usable.

    I would like to see a formal usability study done on this thing I don't think it would get very far. I see they had some informal study going on where they had participation and error rates, but no data on what kind of users.

  3. Overly complicated by ddrichardson · · Score: 3, Insightful

    The problem with this type of system is that in order to protect the data you are asking the user to go through much more of a rigmarole than entering a password. Here in lies the problem, users will hate this, I mean good security practice is a balance of securing against likely threats and practicality.

    I can't see what this does that a fingerprint scanner doesn't. I could be wrong but I can't think of a way to use a keylogger to capture it and it certainly stops someone looking over your shoulder.

    --
    A thistle is a fat salad for an ass's mouth...
  4. The problem with authentication is authentication by naasking · · Score: 2, Insightful

    Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

    --
    Higher Logics: where programming meets science.
  5. Re:The problem with authentication is authenticati by Psiren · · Score: 3, Insightful

    Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything. How can your authorize something, unless you know who you're authorizing? The two go hand in hand, I can't see how you can have one without the other.