Moving Beyond Passwords For Security
Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process.
"The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."
The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.
That almost sounds like a....password...
Really, this is an article about using things instead of passwords....which function like passwords....and using passwords when those wouldn't be secure enough. What a stupid fucking article.
Velociraptor = Distiraptor / Timeraptor
Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.
My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.
In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
http://www.dontclick.it/
It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.
I like that slashdot hides your password if you accidentally type it into a comment.
Look: **********
Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.
OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.
I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.
But doesn't this restrict people to using secure sites only from their own machines? I have encountered situations where I was at friends' houses, relatives' houses or even a work computer where I want to do something somewhat security-sensitive like checking e-mail. Wouldn't this sort of security measure make that far more difficult?
http://twitter.com/OLDTELEGRAM
Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.
Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.
Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.
Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.
Obama is a twitter sock puppet
OpenID does not require the use of a password as the way for a human to authenticate to the system.
It's just up to the OpenID signatory to use whatever technology to authenticate someone. This human interface is decoupled from the underlying authentication.
Although most public signatories currently use username+password, that could be changed. Say you could implement your own, using PKI to recognize your own certificate stored on removable media. If you are crazy enough, nothing stops you from implementing one-time password + biometric + whatever-you-can-think-of to authenticate yourself to your own signatory.
I have trouble keeping track of all my usernames and passwords like everyone else,
so I put it in passwords.txt in my shared emule folder, so I can access it anywhere in the world ;-)
Smart, huh?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
With Kerberos, your password never leaves your machine.
The machine you're trying to log on to sends you a random string that is encrypted with your password.
Your machine uses the password you typed in to decrypt that string. Which also contains instructions on how to continue the connection.
Your password never goes across the wire.
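The exchange described in the comment above, as an added example that is not part of the original post or of any Kerberos implementation: the server sends a challenge sealed under a key derived from the password, the client decrypts it locally to recover a session key and a nonce, and only a proof of knowledge of that session key goes back over the wire. The cipher here is a constructed HMAC-based stream cipher with a tag, used for illustration only, not the encryption types Kerberos actually uses.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # Long-term key derived from the password; it is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: XOR keystream, then HMAC tag over nonce and ciphertext.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password or tampered challenge
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Holds only the password-derived key; issues and verifies challenges."""
    def __init__(self, password: str, salt: bytes):
        self.salt, self.key = salt, derive_key(password, salt)

    def challenge(self):
        # Fresh session key and nonce, sealed so only the password holder can read them.
        self.session_key, self.nonce = os.urandom(16), os.urandom(8)
        return self.salt, seal(self.key, self.session_key + self.nonce)

    def verify(self, response: bytes) -> bool:
        expected = hmac.new(self.session_key, self.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_respond(password: str, salt: bytes, blob: bytes):
    # The typed password is used locally; only an HMAC under the session key is sent.
    plain = unseal(derive_key(password, salt), blob)
    if plain is None:
        return None
    session_key, nonce = plain[:16], plain[16:]
    return hmac.new(session_key, nonce, hashlib.sha256).digest()

def login(server: Server, password: str) -> bool:
    salt, blob = server.challenge()
    resp = client_respond(password, salt, blob)
    return resp is not None and server.verify(resp)
```

A wrong password fails closed at the client's tag check, so nothing usable for offline guessing is ever sent back.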
In South Africa, everyone with a bank account by law has to undergo a KYC process (know your client). This basically means that you as a client have to verify your ID at a branch (in person) with ID documents and some of your monthly bills. Your cellphone number is then captured to which all notifications of activity on your accounts are sent.
The Digitag is used during online authentication. As a further backup, a one-time PIN (OTP) is sent to your cellphone. This OTP is required for certain transactions like once-off payments.
Granted the system is not perfect (there is still human stupidity), but I would like to hear your comments on these types of systems, as they are becoming more and more part of our lives.
Need an ISP in South Africa?
I felt I had to respond to your article about passwords. It's been Slashdotted here:
http://it.slashdot.org/article.pl?sid=08/08/10/186203
But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.
OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.
But more importantly:
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.
Nothing about OpenID requires a password.
I'll say that again: NOTHING about OpenID requires a password.
What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.
Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.
One single-point-of-failure is better than N single-point-of-failure.
You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.
If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.
So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.
Don't thank God, thank a doctor!
Although the password is still there, many OpenID providers are moving towards advanced multi-factor authentication. For example, when I (or anyone else) attempt to log in to my OpenID account, the account provider calls my cellular phone. I must answer the call and confirm (by pressing the # key) in order to log in. This means that in order for an intruder to gain access to my account, they must have my password and my mobile phone, and if anyone else tries to log in to my account the unexpected call will alert me to this fact. I also know that other OpenID providers support the hardware key popularized by PayPal that generates a one-time password for each login. Other OpenID providers (including mine) support authentication via SSL certificates. There's a whole range of alternative and multi-factor authentication schemes offered by today's OpenID providers, and over time more and more methods are being introduced. OpenID allows users to choose an authorization service based on the security that they offer rather than based on what website they want to log in to.
I might be stupid, but that's a risk we're going to have to take.
MyOpenID allows you to use a phone call to log in. When you try to log in, they call you, and you press hash, and it logs you in. Free too.
-- Lattyware (www.lattyware.co.uk)
We already tried that. It's called 4chan.
It did not work that well though...
You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".
Right?
Right. Moreover, given a good hacksaw, biometrics can easily move from "something you are" to "something I have."
Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
There seems to be a slight misconception in the NY Times article around OpenID being tied to passwords. OpenID does not specify the authentication mechanism for the user to their OpenID Provider which means that we've seen many companies (including Microsoft) experiment with alternative authentication mechanisms atop OpenID. The big benefit OpenID then provides them is that they're instantly able to start letting users use their new authentication mechanism at any site which accepts OpenID logins. More about this over at http://openid.net/2008/08/10/challenges-facing-openid/.
At my university, they were trying an experimental password alternative that comp-sci students could opt-in for.
Basically, we were presented with an image; this particular image was a bunch of cars in a parking lot, with people walking or standing around. I think it was a 400 by 400 pixel image. To set your pattern, you had to click and memorize five or six arbitrary points in the image, and also memorize the order you click them in. The idea was that it was supposed to be a lot easier to remember than an equally powerful password. Some people liked the new system, while others had a lot of trouble remembering the exact position of each of their clicks. I fell into the latter group.
What's the value of information that you don't know?
Still, punishment for murder is much greater than punishment for breaking into a computer system. Which means, the degree of effectiveness of a retina-scan biometrics is still formidable.
Now that I come to think of it, I also see that a password can be known by torturing the person who knows it, while the point of torturing a person for retina-scan or retina-sample is rather moot, I suppose. I am not sure what is more "pleasant" - to be dead or to be tortured.
....The complexity of cloning security tokens varies....
Who needs to clone or copy anything? Nobody has ever car-jacked a vehicle by sticking a gun in the owner's ribs and demanding the ORIGINAL key? Nobody has ever robbed a "secure" vault by kidnapping the person who has legitimate access to that vault, key, combination or both?
Anyone who can come up with a security system that uses NEITHER what you have nor what you know would win a Nobel Prize and become extremely rich.
All theory is gray
I got a tattoo of my private key on the back of my hand!
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
But it's not smoke and mirrors, IF you're looking at the realm of threats to your data/transactions on the internet.
What makes your password so valuable today is that the password alone is sufficient to unlock access to all your online data.
A two factor auth mechanism renders the password effectively useless, especially if the smart card implementation is competent. At a minimum, it raises the bar for the attacker dramatically higher than it is today.
It's not possible to have perfect security. All you can do is to make it harder for an attacker.
If I had a choice between using strong passwords (with the knowledge that strong passwords either (a) get re-used often or (b) get written down) or using 2 factor auth, I'd take 2 factor auth in a heartbeat. It's dramatically better than simple passwords.
Please note that there are other schemes that use a PIN that are NOT 2 factor auth that ARE smoke and mirrors. For instance, if you use a keylocker application that requires a PIN to access the actual keys, the security provided by the keylocker IS smoke and mirrors: if the bad guy can steal your password they can then use it to retrieve your passwords and it's game over.
But proper 2 factor auth relies on the CPU on the smart card (that's why it's called a smart card) for every auth sequence. If you don't have both the card AND the pin, it's worthless.
I work for an agency under DoD and have had what they call a Common Access Card (CAC) for more than three years.
Leaving my CAC at home has never happened to me but I imagine the experience would be fairly uncomfortable as the CAC is also used for building access - someone would have to sign me into the facility if I forgot my smartcard. I don't imagine I'd have to be embarrassed that way more than eight or ten times for it to sink in that I need to keep my smartcard with me ;-)
Humans (at least most adult humans) are conditioned to carry their driver's license with them when they operate a vehicle so learning to carry a smartcard with you wouldn't be all that difficult. To address the issue of requiring a keyboard and display (and a smartcard reader) there are contactless smartcards available and I *think* the technology's compact enough to include in a cell phone or other device.
IM frequently less than HO physical security will always be paramount - a physical token requires a user to have both the token and the PIN to that token to access a protected resource. In this agency there have been a few misplaced smartcards but there hasn't been one instance of a protected resource compromised because a bad guy had both the user's CAC and the PIN to it.
People tend to write down "what they know" if it's fairly complex - which compromises physical security. All I have to remember is an eight-character PIN. My PC will lock my CAC after three unsuccessful PIN entries, which requires me to visit the card issuer to have my PIN reset.
All in all it's been fairly secure and easy to use. The transition to smartcards hasn't been completely painless but these days I use the card for building access (I have access to the raised floor area in the basement), to the network (smartcard authentication to the network is mandatory), to secure websites hosted on the network that use CAC authentication and to government-only applications that ping your smartcard to see if you're supposed to be running that application.
All in all it's been a pretty good thing and I was originally one of the naysayers on the project.
we see things not as as they are, but as we are.
-- anais nin