New Authentication Scheme Proposed
jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process."
"The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."
...I suggest a booth with a Dance Dance Revolution mat inside.
When users are asked to enter their password, they enter the booth, shut the door, and strut their funky password.
I've seen keypads with digital readout on the keys used in jails (my job takes me in and out of jails frequently). The keypad scrambles the digits each time and there is a prism-type covering over the keys so that unless you are looking directly at it you cannot see the numbers on each key. In order to see the numbers you need to stand in such a way that no one else can see them (your head blocks their view from the only angle the numbers are readable from).
I tried to get the code by watching as the guards let me in and out, just to see how effective it was, and can say that I never succeeded in even getting close. What was even better is that, from talking to the offenders, I learned that they thought they knew the codes from watching the patterns in which the guards pressed the keys -- I didn't have the heart to tell them that using the pattern they had watched would actually punch in a different code than the one the guards used. I did make sure one of the guards knew about it, though.
Sigs are for losers.
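The story summary's Undercover scheme and the scrambling jail keypad described in the comment above rely on the same idea: the observer sees the user's action (a button press, a key position) but not the per-round mapping from that action to its meaning, so the action alone reveals nothing. The following is an added illustration, not code from the Undercover paper or from any keypad vendor. The Undercover model is deliberately simplified and the details are assumptions: a yes/no answer per round, two buttons, and a tactile signal that picks which button means "yes" each round. The image names, keypad layouts and door code are constructed sample data.

```python
"""Toy models of hidden-challenge authentication (added example)."""
import itertools
import random

# ---- Model 1: Undercover-style image challenge with hidden tactile mapping ----
IMAGES = ("cat", "boat", "tree", "clock")   # constructed image universe
BUTTONS = ("left", "right")
# Show each image alone, so a visible-only transcript would pin down the portfolio
ROUNDS = [("cat",), ("boat",), ("tree",), ("clock",)]


def undercover_round(portfolio, shown, rng):
    """One round. Returns the observer-visible (shown, pressed) pair and the
    hidden per-round mapping {button: meaning} carried by the tactile signal."""
    answer = any(img in portfolio for img in shown)
    yes_button = rng.choice(BUTTONS)              # delivered via the trackball, unseen
    no_button = BUTTONS[1 - BUTTONS.index(yes_button)]
    mapping = {yes_button: True, no_button: False}
    pressed = yes_button if answer else no_button  # the only thing the observer sees
    return (shown, pressed), mapping


def run_session(portfolio, rounds, rng):
    """Run the challenge rounds; return the visible transcript and hidden mappings."""
    visible, hidden = [], []
    for shown in rounds:
        obs, mapping = undercover_round(portfolio, shown, rng)
        visible.append(obs)
        hidden.append(mapping)
    return visible, hidden


def consistent_portfolios(visible, mappings=None):
    """Portfolios an observer cannot rule out from the transcript.
    mappings=None models an observer who never saw the tactile signal, so
    either button could have meant "yes" in every round."""
    survivors = []
    for k in range(len(IMAGES) + 1):
        for cand in itertools.combinations(IMAGES, k):
            cand = frozenset(cand)
            ok = True
            for i, (shown, pressed) in enumerate(visible):
                answer = any(img in cand for img in shown)
                if mappings is not None and mappings[i][pressed] != answer:
                    ok = False
                    break
            if ok:
                survivors.append(cand)
    return survivors


# ---- Model 2: scrambling keypad (positions visible, digits under a prism cover) ----
def scramble_layout(rng):
    """Fresh permutation of the digits; layout[position] is the digit shown there."""
    layout = list("0123456789")
    rng.shuffle(layout)
    return "".join(layout)


def positions_for(layout, code):
    """Key positions the legitimate user presses to enter `code` on this layout."""
    return [layout.index(d) for d in code]


def digits_at(layout, positions):
    return "".join(layout[p] for p in positions)


def replay_attack(code, layout_seen, layout_now):
    """Observer memorised the positions pressed under layout_seen and replays
    them under layout_now; returns the code that actually gets entered."""
    return digits_at(layout_now, positions_for(layout_seen, code))


if __name__ == "__main__":
    rng = random.Random(1)
    secret = frozenset({"cat", "tree"})
    visible, hidden = run_session(secret, ROUNDS, rng)
    print("observer with tactile signal  :", len(consistent_portfolios(visible, hidden)), "portfolio(s) left")
    print("observer without tactile signal:", len(consistent_portfolios(visible)), "portfolio(s) left")
    seen, now = scramble_layout(rng), scramble_layout(rng)
    print("replaying key positions for 4729 enters:", replay_attack("4729", seen, now))
```

With the tactile signal known, showing each image once identifies the portfolio exactly; without it, all 2^4 candidate portfolios remain consistent, which is the property the Undercover design is after. The keypad functions make the commenter's point concrete: `positions_for` followed by `digits_at` on the same layout always reproduces the code, but replaying those positions on a fresh layout enters a different one.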
Aww crap... sorry... I thought TFA was about Encryption, not Authentication... so instead of a potential +5 Funny, I get a -1 Irrelevant.
That's what I get for posting at 5:30am before I've had my caffeine.
Karma: Excellent. 15 moderator points expire sometime.
The problem with this type of system is that, in order to protect the data, you are asking the user to go through much more of a rigmarole than entering a password. Herein lies the problem: users will hate this. I mean, good security practice is a balance of securing against likely threats and practicality.
I can't see what this does that a fingerprint scanner doesn't. I could be wrong, but I can't think of a way to use a keylogger to capture it, and it certainly stops someone looking over your shoulder.
A thistle is a fat salad for an ass's mouth...
Would I be able to still fit my password on that yellow sticky note I keep on the monitor?
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
How can you authorize something, unless you know who you're authorizing?
You've asked the right question. You can find an intro here. That article links to arguably the best authorization scheme: capability-based security, where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.
Higher Logics: where programming meets science.