Slashdot Mirror
Moving Beyond Passwords For Security
Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process.
"The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."
The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.
I would suggest just piggy backing whatever initiate this is on the existing concept we use called certificates, it's well established and used for similar things already... no sense reinventing things but I haven't RTFA either.
isn't it obvious?
always post as an Anonymous Coward!
That almost sounds like a....password...
Really, this is an article about using things instead of passwords....which function like passwords....and using passwords when those wouldn't be secure enough. What a stupid fucking article.
Velociraptor = Distiraptor / Timeraptor
Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.
My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.
In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
http://www.dontclick.it/
It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.
I like that slashdot hides your password if you accidently type it into a comment.
Look: **********
Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.
OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.
I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.
...and we must enforce their strength and use like bastards.
Let us not be pussies about this, short of submitting a biometric signature every time I want to authenticate just how else can a machine tell I am me?
But doesn't this restrict people to using secure sites only from their own machines? I have encountered situations where I was at friends' houses, relatives' houses or even a work computer where I want to do something somewhat security-sensitive like checking e-mail. Wouldn't this sort of security measure make that far more difficult?
http://twitter.com/OLDTELEGRAM
Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.
Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.
Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.
Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.
Obama is a twitter sock puppet
OpenID does not required the use of password as the way for human to authentication oneself to the system.
It's just up to the OpenID signatory to use whatever technology to authenticate someone. This human interface is decoupled with the underlying authentication.
Although most public signatory currently use username+password, but it could be change. Say you could implement your own, using PKI to recognize your own certificate stored on removable media. If you gone crazy enough, nothing stop you from implementing One-time password + Biometric + whatever-you-can-think-of to authenticate yourself to your own signatory.
Something like special hardware tokens are much better, but there's no infrastructure for their distribution.
I seem to recall a rather high profile company introduce a hardware token to assist with account security, it was greeted with much enthusiasm by it's customers. Yet before long, it too, failed .
On the Oregon Cost born and raised, On the beach is where I spent most of my days
i have trouble keeping track of all my usernames and passwords like everyone else
so i put it in passwords.txt in my shared emule folder, so i can access it anywhere in the world ;-)
smart, huh?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
With Kerberos, your password never leaves your machine.
The machine you're trying to log on to sends you a random string that is encrypted with your password.
Your machine uses the password you typed in to decrypt that string. Which also contains instructions on how to continue the connection.
Your password never goes across the wire.
As long as you use at least 200 random alpha-numeric characters. No geek worth his salt would chose a password with anything less.
It takes about five hours to learn such a string, then all you do is append/prepend/insert different ordinary words into it for different sites and usages.
In South Africa, everyone with a bank account by law has to undergo a KYC process (know your client). This basically means that you as a client have to verify your ID at a branch (in person) with ID documents and some of your monthly bills. Your cellphone number is then captured to which all notifications of activity on your accounts are sent.
The Digitag is used during online authentication. As a further backup, a one time pin (OTP) is send to your cellphone. This OTP is required for certain transactions like once off payments.
Granted the system is not perfect (there is still human stupidity), but I would like to hear your comments on these tpye of systems, as they are becoming more and more part of our lives.
Need an ISP in South Africa?
I felt I had to respond to your article about passwords. It's been Slashdotted here:
http://it.slashdot.org/article.pl?sid=08/08/10/186203
But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.
OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.
But more importantly:
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.
Nothing about OpenID requires a password.
I'll say that again: NOTHING about OpenID requires a password.
What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.
Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.
One single-point-of-failure is better than N single-point-of-failure.
You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.
If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.
So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.
Don't thank God, thank a doctor!
Although the password is still there, many OpenID providers are moving towards advanced multi-factor authentication. For example, when I (or anyone else) attempt to log in to my OpenID account, the account provider calls my cellular phone. I must answer the call and confirm (by pressing the # key) in order to log in. This means that in order for an intruder to gain access to my account, they must have my password and my mobile phone, and if anyone else tries to log in to my account the unexpected call will alert me to this fact. I also know that other OpenID providers support the hardware key popularized by PayPal that generates a one-time password for each login. Other OpenID providers (including mine) support authentication via SSL certificates. There's a whole range of alternative and multi-factor authentication schemes offered by today's OpenID providers, and over time more and more methods are being introduced. OpenID allows users to choose an authorization service based on the security that they offer rather than based on what website they want to log in to.
I might be stupid, but that's a risk we're going to have to take.
MyOpenID allows you to use a phone call to log in. When you try to login, they call, you, and you press hash, it logs you in. Free too.
-- Lattyware (www.lattyware.co.uk)
You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".
Right?
Anal prints. Like finger prints, only instead of your finger it's your anus. Nobel Prize, please!
I've been doing that for years with SSH. Funny, that.
There seems to be a slight misconception in the NY Times article around OpenID being tied to passwords. OpenID does not specify the authentication mechanism for the user to their OpenID Provider which means that we've seen many companies (including Microsoft) experiment with alternative authentication mechanisms atop OpenID. The big benefit OpenID then provides them is that they're instantly able to start letting users use their new authentication mechanism at any site which accepts OpenID logins. More about this over at http://openid.net/2008/08/10/challenges-facing-openid/.
At my university, they were trying an experimental password alternative that comp-sci students could opt-in for.
Basically, we were presented with an image; this particular image was a bunch of cars in a parking lot, with people walking or standing around. I think it was a 400 by 400 pixel image. To set your pattern, you had to click and memorize five or six arbitrary points in the image, and also memorize the order you click them in. The idea was that it was supposed to be a lot easier to remember than an equally powerful password. Some people liked the new system, while others had a lot of trouble remembering the exact position of each of their clicks. I fell into the latter group.
What's the value of information that you don't know?
Jesus. When will people understand that OpenID leaves authentication entirely to the provider? If you think requiring the user to fart in your head is more secure than typing in passwords, then set up an OP which requires users to fart in your head on login. It's as simple as that.
All these OpenID critics think they are so fucking smart in security, but none of them seem to have bothered reading the specification or a basic tutorial.
Isn't this what OpenID does? TFA obviously doesn't understand the point of OpenID, which is to completely abstract from the details of the method the user uses to authenticate. The OpenID specification doesn't care whether you use password or some special hardware token to authenticate with your OpenID provider. It's just the fact that most OpenID providers use web-based password authentication that gives it the bad reputation. There certainly are a few that use public key cryptography, and you can always setup your own using whatever you consider the most secure.
Encryption using public and private keys has its place, but can only identify machines, as the keys can't (reasonably) be memorized by humans, thus, at some point, humans will always have to be in the loop.
Take a look at vidoop They present you with some pictures - you pick out the ones that fall into the catagories that you picked earlier (picture A is a space-station, Picture E is a Dog, Picture F is a car. so you can enter A, E and F in any order The letters and pictures change next time but one will still be of a space-station, one of a Dog, one of a Car.
When you log into my bank account, you must know my userid & my password and then be able to duplicate how I type in this information. They are using keystroke dynamics to verify it is me loggin in based on my typing rythem which you can not duplicate. Cool feature so even if my password is compromised it is still secure because of this technology. I think the company they are using is www.admitonesecurity.com
Solutions based on technology have a simple but critical flaw: When they break, they're broken and exploitable despite anything you could do. The human factor is not only a security risk, it can also be a security asset. Humans are far better at plausibility checking, if they have proper training, of course.
Modern machines, no matter how resilent the technology behind them, offer inherently such a variety of possible attack vectors, that nobody can say with certainty that no attack can be performed. I would at the very least allow a human to pull the emergency break should he find something that's highly suspicious.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
E.g., Trustbearer is an OpenID provider that will leverage smartcard-based PKI keys for authentication. Best of both worlds.
https://openid.trustbearer.com/
The way this works is by something called "key continuity management" (KCM). Users of SSH RSApubkey authentication will recognize how KCM works. Everyone else should read Simson Garfinkle's "Johnny 2" paper:
http://www.truststc.org/pubs/5.html
In short, KCM works by establishing trust with a specific key, ideally by an out-of-band channel. If you establish trust this way you don't need certificates or authorities. On he downside, when you get a new key you have to re-establish trust.
-- Cerebus
firstly you NEVER type your password into anothers site with openid
you type your openid into their site
{then you are re-directed to your openid providers login page, ONLY IF NOT ALREADY LOGGED INTO YOUR OPENID }
then you are asked by your openID provider {on their site} do you wish to authorise the remote site to verify your identity {this time, always, not this time, never}
then you {and the result} are passed back to the openID enabled site that redirected you to YOUR OWN provier
any other implementation IS NOT OPENID its phishing
Passwords identify people.
Public/private keys don't.
Private keys are installed on a computer or on a removable card, so they only identify the device that they're installed upon.
If you want to get rid of passwords, then you need to replace them with something that also identifies people, otherwise you've fundamentally changed the problem to be solved.
Discussing PKI is fine if you want to change the problem to be solved. But don't pretend that it solves the same problem as passwords do, otherwise you'll just end up creating confusion.
The entire article seems to be predicated on just this confusion.
Smoke and mirrors.
Keeping passwords, pins, any kind of digital token, on a general purpose computer is just asking to catch a virus.
What about this:
The server has the public keys of all the users, and encrypts (with the public key) a one-time string for a logging in user to decrypt. When the user has decrypted the string, they enter that as the password, and get access to the system.
For users who do not have a stored key (or have an invalid key), the server would transmit a random string and not allow any entered string to work. The error message would be something like "invalid passphrase or user not known" [or just the usual "login incorrect"].
Ask me about repetitive DNA
gestures are symbols.
Symbols are tokens, like passwords are tokens. (No, I'm not talking about physical tokens, physical tokens are also tokens.)
It doesn't change the essential nature of the problem to just use a different kind of token.
The people at your workplace who know you are a fundamentally different method of authentication than passwords/passcodes/tokens/etc.
Watch where you wave that big brush you're painting things. You might miss something important.
And the absolute standard dumps us in the world of monoculture.
Ideally, you'd have an ethernet connector on your cell-phone, in addition to (a better form of) wireless (than we currently have, see the Freescale option iNTEL squelched in the UWB debacle).
When you need real security, you'd plug the cellphone into the ethernet jack provided by (for example) your bank.
But, of course, you wouldn't want your cellphone to be running random games downloaded from who-knows-where.
The fundamental problem here is conflicting requirements.
That is, it would be if a few conditions can be met:
First, can everyone who needs a bank account afford a cell phone?
Second, can you load arbitrary games and other software on your cellphone? (Yeah, the race could be brutal, but if one blackhat wins it once, everyone is going to have problems.)
Third, can you make sure everyone always has their cell phone with them? What happens when someone needs to use the bank and doesn't have his cell phone? Is there an alternate route, even, perhaps just meeting the case that you're at home and your cell phone is not charged?
Fourth, is there some way around the evil Smart Card connection?
The problem here is multiple conflicting requirements.
Maybe it makes it easier for some to remember, especially if they know someone in the picture.
(Hey, that's me! and that's {somebody I have a crush one}. There are two people that'll be easy to remember!)
Actually, even if you choose the picture, I don't see how it would be fundamentally different from a password. In the end, it's just a string of symbols, and a static one at that.
I got a tatoo of my private key on the back of my hand!
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Thanks for the note. I have received similar notes from others who wish to back off of any claim that OpenID should be tied to any particular authentication methodology. That sure doesn't come across in the message that OpenID presents to the curious user.
I've pasted this here because I saw nothing in his reply that suggested he wanted confidentiality -- or even that it was directed at me, given that he addressed very little of what was in my email. (The mention of "similar notes from others" suggests a form letter.)
Yet, curiously, I see no updates about this in the article, nor any mention of this outside a private email -- no blog posts, no followup articles, nothing.
Apparently, it's enough that "OpenID" somehow misrepresents itself -- wait, how? Googling for "OpenID password" lists other forms of authentication in the Google summary, no more than the fifth link or so.
But assuming that this has happened, it's good enough that there is confusion -- never mind that you're contributing to it? After all, who cares about the truth, as long as this lie is inflammatory enough to drive traffic?
He's not quite as bad as Dvorak... yet.
Don't thank God, thank a doctor!
I thought I'd point out a misleading bit in the summary for those not familiar with OpenID
You don't type your password into "someone else's website"
The only "someone else" is your OpenID provider. You get redirected to their page, authenticate in *some undefined manner* (could be a a client side certificate, or a password...)
You enter your OpenID into the website you want to 'log in' to, that's it. The site determines what OpenID provider to talk to, and eventually gets back a nod about your given identity.
"Strangers have the best candy" -Me
While working on a .NET project previously, I have done some exploring on InfoCard or Windows CardSpace which is one of the WinFX technologies.
It has an interesting concept like our typical wallet membership card. When we signup for a website, the site gives us a signed InfoCard. When every we need to logon, we just choose the card stored in the machines cardstore to be presented to the site. I believe this is an intereting concept but the problem is that is is a closed Microsoft thing which kinda kills off any widespead adoption.
The solution is to put a chip in each of us and use that as an identifier for absolutely everything.
that this is FUD paid for by Microsoft.
A Swiss company has of late been appearing in various publications which suggests their product is production ready.
It uses biometrics, but only to make sure you are you (no central Big Brother database that can be hacked) with a clever trick to ensure that detached fingers and copied fingerprints don't work (you "name" your fingers, so if it asks for finger "f" you will need to provide the right one), it uses symmetric encryption (your average token uses none, or is one sided) and from what I've heard they have even solved the "how do I know it's actually the bank" problem when the bank or credit card company calls you - if you think about it, all the gadgets you get only ever serve the bank, not you.
Next problem? :-)
All you need is to be on good terms with Bruce Schneier... for we all know he knows our private keys.
The saddest poem
I work for an agency under DoD and have had what they call a Common Access Card (CAC) for more than three years.
Leaving my CAC at home has never happened to me but I imagine the experience would be fairly uncomfortable as the CAC is also used for building access - someone would have to sign me into the facility if I forgot my smartcard. I don't imagine I'd have to be embarrassed that way more than eight or ten times for it to sink in that I need to keep my smartcard with me ;-)
Humans (at least most adult humans) are conditioned to carry their driver's license with them when they operate a vehicle so learning to carry a smartcard with you wouldn't be all that difficult. To address the issue of requiring a keyboard and display (and a smartcard reader) there are contactless smartcards available and I *think* the technology's compact enough to include in a cell phone or other device.
IM frequently less than HO physical security will always be paramount - a physical token requires a user to have both the token and the PIN to that token to access a protected resource. In this agency there have been a few misplaced smartcards but there hasn't been one instance of a protected resource compromised because a bad guy had both the user's CAC and the PIN to it.
People tend to write down "what they know" if it's fairly complex - which compromises physical security. All I have to remember is an eight character PIN. My PC will lock my CAC after three unsuccessful PIN entries, which requires me to visit the card issuer to have my PIN reset.
All in all it's been fairly secure and easy to use. The transition to smartcards hasn't been completely painless but these days I use the card for building access (I have access to the raised floor area in the basement), to the network (smartcard authentication to the network is mandatory), to secure websites hosted on the network that use CAC authentication and to government-only applications that ping your smartcard to see if you're supposed to be running that application.
All in all it's been a pretty good thing and I was originally one of the naysayers on the project.
we see things not as as they are, but as we are.
-- anais nin
Estonians can use a smart card (ID-cart) authentication for banks, government transactions etc. You have to update Your certs once in while, have smart card reader and know the secret password.