Is Battery-Free 2-Factor ID Secure?
An anonymous reader writes "There was a television program in Australia last week about Matthew Walker's visual battery-less two-factor authentication system called PassWindow. Essentially, you hold the clear plastic window up to the apparently random pattern on the screen of your computer, revealing a one-time PIN to type in for authentication. The plastic window has many advantages: difficult to copy or view over the shoulder, etc. Because there is no electronics, chip or battery, the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems. However, I don't know about the security of the system. The apparently random pattern of lines in the PassWindow is analogous to a one-time pad, using a different subset of the one-time pad every time a PIN is needed. Is this a useful level of security for logging in to a bank account?"
I used to have some Simpsons trading cards that were like that. There was what looked like static on a TV screen, which, when another plastic panel was put in front of it, would show a de-scrambled image. I can't see how it is secure though, because the plastic descramblers are all the same. Someone could still take a photo and use a similar plastic window elsewhere.
I'm gonna need a spec.
If I understand TFS correctly:
The scrambled password is sent to the user through the same network connection where it is going to be used. So anyone pretending to be the user will also receive the scrambled password.
The scrambling is worth nothing. If you can see the password using a colored filter, you can also see it using a filter in software.
Let's see. Worst case scenario, you set up a camera that does about 30fps, with rotating filters in front, and use OCR to look for text in each frame. 30 passwords per second is a lot faster than 1 password + delay, 2 password + longer delay, 3 password + get account re-enabled.
Aside from that brute force method, I suspect the system is pretty vulnerable to more sophisticated attacks, like quickly narrowing down what window people have by analysing the more obvious features (number of lines, angle of lines, ratio of vertical lines to horizontal waves, etc.) of an on-screen pattern, for instance.
Basically... donotwant.
Lenslok, hated by 8-bit gamers everywhere.
the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems.
A lot of these sorts of schemes assume some sort of fixed pixel size such as 96 dpi, a fantasy that hasn't been true since, well, ages. Some LED screens have up to 150 dpi resolution, others as low as 72dpi. If the scale is wrong, then the pixels won't line up and the decoder is then useless.
Now, I admit it's possible that the creator of this scheme might have solved this, but I doubt it. A colour filter like those games whose clues are read through a red plastic foil viewer would be far too easy to crack, for example.
I can't escape the impression that this is just security theatre and not serious security after all.
Looking at how it works, my guess is that you could brute force someone's "passwindow" card with just a handful of inputs. There are only 7 different elements for each digit, and you should be able to figure out which spots are filled in pretty quickly and what numbers they represent.
couldn't you get a plastic filter for a camera and see the password that way?
Please make sure you are using a 19" flat screen monitor with the resolution set to exactly 1024x768.
Anyone who's broken into your PC and has spyware installed can fairly easily observe several login attempts with this, and then derive what your PassWindow is. This is worse than poor security, as it gives people an illusion that it is something that it isn't.
Ugh, he says a simple cheap solution...it sounds like it's going to cost just as much to implement it in the background for any companies who choose to use it. Plus they'll have to maintain a copy of what your unique key is, as well as maintain further IT staff in case of errors, which god knows seems to happen a lot on banking websites. Sounds like a way for him to make some fast cash if he can get organizations to take this up.
Please RTFA and the website. The filter is opaque. The user is sent gibberish as a password, and it only makes sense if you have the opaque window to create letters and numbers from the gibberish.
It is not possible to decode without knowing the one time pad. And the one time pad is implemented in the physical world, by the window.
If the author's claims are accurate (that it is possible to create tens of thousands of throwaway passwords per window before they need to be replaced) then this is an ideal authentication method IMO.
From what I saw, this system might be able to protect you from a single compromise of your security. This would depend on a few factors, though. Given you can see both the pattern and the code, from a single session you could make some assumptions about what the code would be with a different pattern. It might take a few tries to generate the correct code. If the attacker can partially log in multiple times without being locked out, he may be able to choose a pattern that has fewer possible permutations for the code.
There's also a potential problem in that, if an attack is made on an account and the account is locked out, the card would have to be replaced. Otherwise, if the account is re-enabled without replacing the card, the attacker would be able to continue to make attempts to log in. I suppose you could also alert the customer to change their password due to a security breach.
I don't think this will protect very well against a customer's own system being compromised, with an attacker being able to monitor multiple log-ons. There are simply too few possible permutations in those 7-segment displays.
I'd also like to mention there's a potential problem if the monitor's resolution is too high. If, for instance, the user wants to log on via a netbook, the code displayed may be too small to match up with the code on the card, making logging in impossible.
And this is less secure than existing passwords how?
With existing passwords spyware just grabs the keystrokes.
With this method the spyware would have to do OCR on the password image and then do a sophisticated algorithm comparing what you typed, and do this many times before it could be sure it had the whole image.
It is much more complicated. Sure it is still vulnerable but it is a vast improvement over most password systems.
Mostly because your "key" is static and only offers a very limited amount of possible configurations (WAY less than the average 2048 bit key, think more along the lines of an 8 bit key). It's trivial to have software calculate all the possibilities (all you need is one or maybe two arbitrary keys, "lenses", to figure out the process), adjust the picture to match what you'd "see", then throw it at OCR software and you'll end up with very few reasonable ("legible") configurations.
After a few, maybe even after the first, sample you know what configuration his lenses have and you have it cracked.
This is easily rectified in any software by compensating for the DPI by scaling up or down the image.
Heck you can do this in CSS:
IMG.passwordWindow { width: 2in; height: 1in; }
This image is going to be scaled to be the exact same size on the screen in any web browser.
Also, this has nothing to do with color filters.
I swear to god every poster on this thread so far has not gone to the website: http://www.passwindow.com/
This is actually a very novel idea that has been thought out thoroughly.
It's better than nothing.
The trick is that yes, it does leak information- each time you use it, an eavesdropper gets a little more information, perhaps enough to "get in". Or perhaps not.
On the other hand, the server end knows what cells may or may not have been compromised and can optimize around that.
The beauty of such grilles (and they have been known for centuries) is that they are _cheap_ and it's not unreasonable for the server end to predict when a grille's private information has been used up and sends you a new one well before that time.
So- not new, but not bad, either.
So you are worried about crackers breaking into your house and setting up spy cams to steal your banking password?
If they have already broken into your house why would they bother with that? Why not just steal your statements?
Or just use the spy cams to record all your online activity?
Talk about paranoid. This is a pointless argument against the system that holds no merit at all.
The transaction looks like this:
1) user chooses which kind of credit card he/she has
2) user gets a screen where he/she can specify the cc nr and de-scramble the code
3) user's browser sends the cc nr and de-scrambled code back to the server
4) server replies: all is well, congratulations

If the fraudster is able to intercept just 1 of these transactions then he can already narrow the number of possible "PassWindow" combinations down to, let's say, a few hundred. But if he can intercept for example 3 or more of the transactions made with the same card then he can easily narrow the possibilities down to fewer than ten combinations. There exists no mechanism that would prevent the fraudster from trying out all of these 10 or fewer combinations.

The most secure way to handle cc transactions would be to confirm every transaction with the cc holder. It could work with e-mail, sms, telephone, im or any other means of communication that the cc holder has chosen and believes is secure enough for him/her. That of course would create significant delays that many current cc systems would be unable to handle since atm they expect instant replies from the cc issuer. Which means that this system would only work with credit cards meant for online payments. In physical stores the 'pin code' is still the best solution at least until the confirmation delays come down to a few seconds.
This is sort of like one of Chaum's voting system receipts. Those are provably secure for single use.
However, having watched the video, it's obvious this one is weakly secure for a single use and rapidly insecure for multiple uses.
Given a series of challenges one should be able to apply a process of elimination to determine the missing elements.
The alternative would seem to be to choose the challenge from a restricted palette of challenges that assures some ambiguity. In this case intercepting a bunch of challenges will simply reduce the number of possible choices.
For example, if the ambiguity could be maintained at 3 choices per digit then 7 digits provides 2187 possibilities.
That's actually not hideous. It's comparable to a bicycle lock. Thus the key to making that low number useful is to prevent someone from rapidly trying the challenges exhaustively.
E.g. if you are only allowed 2 challenges per 30 minutes, or more deviously, if the challenger denies access with say 10% probability even when you type in the right pass code.
This will make such 2-factor, while not government grade, probably not worth the attacker's time.
The system is no better than having a normal credit card CVV.
The LCD-like half-images are the secret. Take a photo of that and you're totally compromised.
The battery systems (like RSA SecurID) are better because they protect the secret inside the device and only give a derived value every 60 seconds.
Nice try however.
This idea is completely crackable and you don't have to be a psychic genius here folks.
You take the image, and run a digital filter on the image -- creating thousands of new "images" which emulate the possibilities for the plastic window.
You then interpret the results (A simple OCR of the resulting images should do), and you try those passwords.
Yes, it's brute force -- but it's no safer than a non-image password.
By the way, my E*Trade RSA digital passkey is a great system of 3 point password protection. Why isn't everyone using that?
Most of the comments here are aimed at high-security applications where the assumption is that there are people looking to crack the security and will do whatever it takes to do so. This invention isn't targeted at that application however. You've missed the point.
This security is like a standard car door lock or home door lock. It won't prevent someone from breaking in but it will deter them enough to make it less attractive. This certainly shouldn't be used to protect your bank account but it could be used to authenticate you on a variety of websites that do not hold any sensitive information (you'd still need your CC number to make a purchase) or as a guest key to get access to a wireless connection at a cafe.
As a light security measure this is a fairly good option... just like a key/lock as described in the video.
The big point is that a criminal would have to work fairly hard to get access to an account, without knowing if the amount of work involved will be rewarded and this amount of work would have to be repeated for each account.
When I moved into my new house, the digital readout on my microwave oven got bumped around, and 2/3 of the LED segments stopped working.
Basically, my microwave's clock is now a PassWindow system for which I don't have the cool transparent keycard.
But since I know what I'm looking at is numbers, it didn't take me long to figure out which LED segments were dead, and now I can read the display just fine even though it's busted.
The same is true for Passwindow. I bet that with 5-10 instances of ciphertext and the knowledge that the cleartext is a numeric code, you could work out the key.
(PS: Yes, I could take my microwave apart and fix the LED display, but I'm not real excited about doing that because IT'S A FREAKING MICROWAVE.)
But it's not a one time pad. It's an every time pad, as the plastic filter never changes. All it is is an acetate window with parts of a seven segment display printed on it in black. The computer displays other segments, and when the plastic window is aligned with the computer screen, these segments form a number. It would be easy to copy, and may even be fairly easy to crack without the card, since certain segment patterns will only occur in certain numbers.
How is this more secure than a key? Like an honest-to-goodness, metal-object-you-stick-in-a-lock, physical key? Thread consensus seems to be that you could copy a PassWindow, just like you can copy a key. And if you steal someone's PassWindow, you can access all the things that are tied to that PassWindow. Unless I'm missing the essential element that ties you to your specific piece of plastic.
Haven't there been tons of discussions about why using flash drives to store passwords is a really bad idea, simply because the risk to your physical media being stolen is much higher than the risk of your passwords being divulged? Sure, it might be an interesting concept for "unhackable" encryption (though this thread appears to have disputed that pretty readily), but does it do anything to prevent social engineering the way a strong password or PIN does?
Two problems.
First, "Is it secure?" is not a sensible question. It depends on the threats, and on what else is involved in the system.
Second, the summary displays a horribly mistaken interpretation of the meaning of "one-time pad." A one-time pad derives its security from the fact that the same information is never used more than once (it's right there in the name). The instant your system reuses a single bit of information from the key, you do not have a one-time pad. "Different subsets" of the key is NOT the same thing unless they are DISJOINT subsets. One-time pads must necessarily be at least the same size as the data they will be used to hide. Don't let "almost" or "like" or "sort of" a one-time pad give you a false sense of security - nothing is more secure than a properly used one-time pad, but few things are less secure than a re-used one-time pad. The pattern of lines is analogous to the key in a shared-key encryption system, not to a one-time pad.
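The distinction drawn in the post above, shown in working code. This is an added example and not code from the page or from PassWindow: a correct XOR one-time pad (byte addition mod 256, as in the C one-liner elsewhere in the thread, works the same way), followed by the algebra that breaks it the moment the same pad covers two messages. The pad bytes and the two messages are constructed for the demonstration.

```python
"""XOR one-time pad, and why reusing a pad is fatal (added example, constructed data)."""

# Constructed 32-byte pad, standing in for truly random, secret key material.
PAD = bytes.fromhex("4f2a91c3d8e6b05a7713ce4b9d20f18a6cb3e7d04a5f9128c6d3b7e0f5a4c9d1")
P1 = b"transfer 500 to acct 42"
P2 = b"cancel order 12345 now!"   # same length as P1, so one reused pad covers both fully


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (the same operation). Information-theoretically secure
    only if `pad` is uniformly random, secret, at least as long as `data`, and
    never used for anything else."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: a one-time pad must cover every byte")
    return xor_bytes(data, pad)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under one pad: c1 ^ c2 == p1 ^ p2, the pad cancels out.
    Knowing (or guessing) p1 therefore yields p2 without ever touching the pad."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one message ("crib") along c1 ^ c2; wherever the
    result is printable text, the crib has probably exposed the other message at
    that offset. Returns (offset, recovered_bytes) pairs, lowest offset first."""
    diff = xor_bytes(c1, c2)
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        guess = xor_bytes(diff[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess))
    return hits


if __name__ == "__main__":
    c1, c2 = otp_xor(P1, PAD), otp_xor(P2, PAD)     # the reuse mistake
    print(recover_other_plaintext(c1, c2, P1))        # b'cancel order 12345 now!'
    print(crib_drag(c1, c2, b"transfer ")[:3])
```

The point to take from `recover_other_plaintext` is that neither the pad nor any cipher weakness is needed: reuse alone turns the scheme into "plaintext XOR plaintext", which is exactly what a fixed plastic window does for every login.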
The solution is simply this: build a passkey-like system that will light up in the appropriate microwave oven. Nobody will tamper with it because "IT'S A FREAKING MICROWAVE"
1. The security card is extremely cheap, looks it, and like all such cheap security measures, easy to crack. It was designed to be built into a MasterCard (at basically less than $1 per card), not built into your top secret government code-key.
2. It is not intended as the kind of super-secret security. It is CHEAP security - like one of those chains you put on your front door. It doesn't keep the mafia out, it keeps the obnoxious delivery boy out.
3. If used properly, it can prevent the kind of fraud it is intended to prevent - when Amazon mistakenly sells a hard drive full of your credit card numbers that the morons forgot to encrypt, they will skip your credit card number because it is NOT worth the trouble to deal with the code, especially when a bunch of other credit card companies don't use the security.
4. This is a great form of CHEAP security, and if all you want is CHEAP security, then it is well worth it.
There's nothing two-factor about this solution.
Someone just has to steal (or take) the plastic thingie from you and now they can get in but you can't.
If you first had to login normally (using a memorized password) and second hold the plastic up to see the one time pad then you could say it was two-factor.
A two-factor key cannot be allowed to have just a single point of failure.
Then there is the recovery problem afterward. At least after a stolen housekey you can just bust in and then fix your door.
What do you do when the plastic thingie goes missing?
Do you need a back door? And how secure would that be?
Or can you get another plastic thingie exactly the same? Only to use it once to get in so you can then register another (uncompromised) one.
Not to mention that if you can get a replacement plastic thingie exactly the same, then maybe somebody else can too.
The power source should not be considered in the security question. That is a reliability and availability issue. With "soft tokens" that can be safely operated from phones and USB thumbdrives, there are already solutions to the perceived problem.
Now, to address the question of security for this new "token", you need to focus on the PIN generation algorithm, and the security of the delivery channel.
Unfortunately in this little PR video, there's not enough technical implementation information to make any deeper analysis of the specific solution. But we can speculate on this type of system, in general.
Obviously, the SecurID type token - where no secret is transmitted to generate the secret - is always more secure than a scheme where a remote display of a secret is generated. The channel can be intercepted en route, if valuable enough to warrant the effort. There is also the possibility of TEMPEST type attacks on monitor emissions. These have to be evaluated, but I expect they are low-risk, and with the one-time use of the secret, probably not worth the trouble.
More troubling? This is being generated and displayed on demand, when regular credentials are first supplied. That means that an attacker with the regular password can request a new PIN many times, regardless of their location. They can do this many times, and analyze output well enough to craft an attack on the scheme.
Ultimately, I would view this as a replacement for CAPTCHA technology, which it more closely resembles, than I would an improvement on OTP tokens. Unfortunately, I don't see the value of CAPTCHA justifying the cost and effort in this "passive" OTP.
This is an innovative approach, but the current implementation outlined on his website would not be effective for sections of the population and in some uses (e.g. in stores, etc). That said, this could be effectively deployed with an opt-in system and branded as an "online only" credit card. That said, I would be more interested to see the math behind the "one time password" approach. How exactly does this system work? Does this require the card company to issue some code to vendors for each transaction? Interesting, but is that practical?
Deja vu all over again.
The little blue "resize" arrow clearly visible in the video says you're wrong. I'm guessing you line up the top-left arrows then drag the arrow until the bottom-right arrows overlap.
Even the old Sinclair/Times Spectrum "lenslok" protection had a resize function. Duh!
Let us say I am willing to put up with some hassle, but I want really good security. What is the best choice? Like I register a cell phone number with the bank. Bank texts a new passcode every time I want to login to my phone. Would it be secure?
Printing companies have been using this method of authentication and reading of confidential material for years. They print patterns like this on boxes or products hidden and have people go into stores to verify that the store is selling an authentic product. Colgate started doing this after a Chinese company was importing toothpaste under the Colgate brand. It is also used just for sending secure messages where only the reader has a window that will work to read the printed code.
So what happens if someone uses a screen which uses a different DPI to the one intended by the creator of this device?
Nothing will line up and you won't get any readable output from it unless you resize the image on screen to the appropriate size...
On a system which automatically works out your DPI, this could work... However the majority of systems (windows, osx) don't...
It's not a one-time-pad if you use it twice.
It's probably better than nothing, but not by much.
I think it all sounds like a quite good idea. Granted it has some obvious weaknesses, and the "OTP" security factor might be greatly overstated.
Just replacing the static "passwindow image" with an dirt-cheap translucent LED display and suddenly the system would be more than reasonably secure.
Have the card change its pattern every so often and most of the security issues with the card would be gone, as would most of the price benefit for that matter.
But seriously, why such an elaborate scheme to solve a problem that has already been solved by OTP (One Time Passwords) print-out cards?
The point the GP was trying to make is that a one time pad is not just a normal encryption key that you use once. A one time pad is where you never reuse any part of the encryption key at all even during the same act of encrypting a message. Therefore the one-time pad must be equal in size to the message itself. The reason this is considered unbreakable is because without any re-use of data, there's no cryptographic analysis to be done. With a properly random pad, you can use the most brain-damaged encryption methods, i.e.:
for (size_t i = 0; i < len; i++) { crypted[i] = plaintext[i] + onetimepad[i]; } /* one fresh pad byte per plaintext byte, never reused */
and bam, you're done.
But this isn't a one-time pad, because it does not generate a new random number for every byte of data you are sending. It's just 2-factor authentication using a random number at the end of a normal password. It's a low-budget way of doing SecurID (which uses synchronized PRNGs). It seems to have some additional weaknesses over SecurID, but the principle works and it is a cheap way to get multi-factor authentication which is at least much better than single factor.
Once you know how it works, it's easy to assign a numeric value for each LCD window. Conveniently there are 7 panes that make up an LCD, with each one either on or off. Huh, seems very similar to ASCII. You come up with a standard representing that (maybe there is one?), and now I can use ASCII to describe which of the lines are on or off. Using top-to-bottom, left-to-right the one in the video could be described as:
0110010 _ 0011000 0100010 _ 0011001 0010100
2 _ chr(24) " _ chr(25) chr(20)
OK, so it's not perfect, but still, it would be easy to convert to an easily storable value. Once that is done, you can go further to decode the challenge with a script, and voila, you have all the stuff you need to use the card fraudulently. It would take a bit more work, but once you have it, you're toast.
Not only that, but it would be fairly easy to reverse engineer. Now it WOULD make it harder for people to steal the database and use the card, since that's not stored by any of the merchants who accept cards, so a DB dump from an ecommerce site would result in less fraud if this were widely implemented. Recurring transactions would be problematic though; how could I rebill a credit card each month for a dynamic number without the cardholder entering in the code? And who is generating the challenge? Me? The credit card purveyor? How? Are they sending me an image, or just numbers and I have to generate the image?
A unique idea, and it does solve the problem of stealing credit card databases. And it is cheap and easy to put on a card, it's the whole backend system that is the biggest challenge. Though if Payflow Pro (PayPal) and Authorize.net implemented it, it would probably do a lot of damage to the card fraud industry.
Lol, where's that preview button again?
for(size_t i = 0; i < len; i++) { crypted[i] = plaintext[i] + onetimepad[i];}
Lets analyze....
5 character code - 0-99999 = 100,000 possible codes.
5 characters with 7 lines each = 35 possible "line" locations. The card in the video has 14 lines. The challenge code on the computer "ALSO" has 14 lines.
This solution simply has the appearance of security. There are MAJOR design flaws.
If one were to analyze the incomplete code from the video you begin to notice that there is an enumeration flaw.
The first character is blank, 0-9. The second character can either be a 0, 6 or 8. The third character can either be a 0, 5 or 8. The fourth character can only be a 0, 2, 3, 8 or 0. The fifth character can only be a 0 or 8.
This only leaves 900 possibilities. Much easier than 100,000 possibilities.
If I calculated each of these 900 possible codes I could then determine which of these 900 codes utilize 14 characters! This would allow me to determine all possible "card codes" within a 99% accuracy. If I was able to receive multiple challenges from the server, I would repeat the process and cross compare results. This would allow me to determine the key on the card within an almost 100% accuracy.
Increasing the keyspace, utilizing [A-Z0-9] and randomizing the number of challenge characters would limit my ability to enumerate as easily.
This solution currently provides no security against a motivated attacker.
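The enumeration attack sketched in the post above, and the "process of elimination" and "5-10 instances of ciphertext" estimates earlier in the thread, worked through in code. This is an added example, not PassWindow's implementation, and it assumes a simplified model of the card: each digit position carries a fixed subset of the seven segments, the server picks a digit that contains that subset and draws only the missing segments, and card ink and screen segments never overlap. The card pattern and the segment table are constructed for the demonstration.

```python
"""Key recovery against a PassWindow-style 7-segment card (added example, not
PassWindow's code). Assumed model: each digit position of the card carries a fixed
set of printed segments `key`; to show digit d the server draws seg(d) - key on
the screen; card and screen segments never overlap."""
import itertools
import random

SEGMENTS = "abcdefg"  # a top, b upper-right, c lower-right, d bottom, e lower-left, f upper-left, g middle
DIGIT_SEGS = {
    0: frozenset("abcdef"), 1: frozenset("bc"),   2: frozenset("abdeg"),
    3: frozenset("abcdg"),  4: frozenset("bcfg"), 5: frozenset("acdfg"),
    6: frozenset("acdefg"), 7: frozenset("abc"),  8: frozenset("abcdefg"),
    9: frozenset("abcdfg"),
}
# Every printed pattern one position could carry: 2**7 = 128, i.e. about the
# "8 bit key" estimate made earlier in the thread.
ALL_KEYS = [frozenset(c) for n in range(8) for c in itertools.combinations(SEGMENTS, n)]


def possible_digits(key):
    """Digits the server can still show at a position printed with `key`
    (the "0, 6 or 8" observation above)."""
    return [d for d, segs in DIGIT_SEGS.items() if key <= segs]


def make_challenge(key, rng):
    """Server side: pick a displayable digit, draw only the segments the card lacks."""
    digit = rng.choice(possible_digits(key))
    return DIGIT_SEGS[digit] - key, digit


def consistent(key, challenge, digit=None):
    """Could `key` be the printed pattern, given an intercepted challenge and,
    if the typed response was captured too, the digit the user saw?"""
    if key & challenge:                       # screen would draw over printed ink
        return False
    if digit is not None:
        return key | challenge == DIGIT_SEGS[digit]
    return any(key | challenge == segs for segs in DIGIT_SEGS.values())


def recover_key(observations):
    """Attacker side: keep only the keys consistent with every observation.
    `observations` is a list of (challenge_segments, typed_digit_or_None)."""
    candidates = set(ALL_KEYS)
    for challenge, digit in observations:
        candidates = {k for k in candidates if consistent(k, challenge, digit)}
    return candidates


def observations_needed(key, see_response, rng=None, limit=50):
    """Intercepted logins until the key of one position is unique, or None if
    `limit` observations still leave ambiguity (e.g. a card printed as a full 8,
    which always shows an empty challenge)."""
    if rng is None:
        rng = random.Random(0)
    observations = []
    for n in range(1, limit + 1):
        challenge, digit = make_challenge(key, rng)
        observations.append((challenge, digit if see_response else None))
        if len(recover_key(observations)) == 1:
            return n
    return None


if __name__ == "__main__":
    key = frozenset("bc")                     # constructed card pattern for one position
    print("digits this position can show:", possible_digits(key))
    print("logins needed, challenge + typed PIN seen:", observations_needed(key, True))
    print("logins needed, challenge only:", observations_needed(key, False))
```

With the response captured (spyware, phishing page, shoulder surfing) a single login pins the key for every position, because key = seg(digit) minus challenge. With only the challenge images, each observation still cuts the 128 candidates to the handful of digits the screen fragment fits into, and a few logins intersect those down to one; the only positions that never leak are those whose card pattern is itself a complete digit, which then always display the same value and give no one-time property at all.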
Banks could mail these out by the millions. Cheaply. A win, mostly.
I'll call it 1.2-factor authentication. The user still has to be in possession of this gizmo, and it's fairly easy to crack, but it's better than a plain old password.
I worked at a large bank that mailed out RSA fobs by the thousands. Effective, but expensive as hell. About 10 people full time just to mail out the things and deal with dead ones, and when you get a batch they all preset to fail on the same date, thousands of them.
http://en.wikipedia.org/wiki/Card_Security_Code ... which is its main competitor.
How is this more secure than a key? Like an honest-to-goodness, metal-object-you-stick-in-a-lock, physical key?
It's not. It's not really trying to be. It is, in fact, supposed to be the online equivalent of a key, a physical device which you have to possess in order to gain access to something.
Haven't there been tons of discussions about why using flash drives to store passwords is a really bad idea, simply because the risk to your physical media being stolen is much higher than the risk of your passwords being divulged?
The idea here is to use both -- "something you know" in your password, and "something you have" in the PassWindow, and you combine your password plus the random number into a single larger password. The idea is that if one component is compromised, that still doesn't give them the other. Imagine you had both a keyed dead bolt and a combination lock on the door to your house. To get in, someone would have to snoop you entering in the code, and then steal your keys. If you dropped your key and someone picked it up, you wouldn't have to worry about them getting in if they hadn't seen your passcode, and vice versa.
but does it do anything to prevent social engineering the way a strong password or PIN does?
Strong passwords don't prevent social engineering, they prevent dictionary and other simpler-than-brute-force attacks. But if someone lures you to a malicious website that looks like the one you want to log in to, and you type in your password, you're hosed. With this and SecurID style multi-factor authentication, this risk is still there. If you type in your password+random# combo into the evil web page, then they have access for as long as that random # remains valid.
This is just a CAPTCHA implemented with a secret decoder ring. All it takes to crack is a motivated individual to create an optical simulation to process the image into something that can be OCRed. That final step will be easier than what they have to do today since the text can't be distorted too heavily without the risk of too many failures from legitimate users.
You're quite right, and this is good for the bank. Criminals will target other banks first.
The question is, I suppose, what are the compromise rates and costs? If the bank has 100,000 customers holding up a plastic card to their screen each several times a week and they're stopping 6 account compromises a year, they're really just doing massive cost-shifting to their customers. The customers may in fact be better served by a six basis point shift to the banks' favor on their accounts.
Tuning those three knobs may yield wildly different conclusions. We can secure anything, but sometimes the costs just aren't worth it.
My father designed a device similar to this 20 to 30 years ago, on which he had a patent.
It was used in the wallpaper industry, to decode product numbers in catalogs. Yes, there was a "pirate" industry of fake resellers getting hold of catalogs and ordering wallpaper with this back in the days. This clearly isn't an issue anymore nowadays, with huge databases and ERPs and so on, but it was back then.
The device was simple, basically a plastic card with a few transparent "holes", and on the back of each pattern in the catalog you had a big square full of numbers. I think different resellers could have different cards and it would read out their vendor specific customized part numbers and so on.
So in SOME cases, cheap security can be useful. Of course you wouldn't replace battery powered tokens to your super secret VPN with this!
It looks like this is designed as a credit card scheme. Indeed the site stresses that this can be done.
It's an extra level of authentication. Alas, it's worthless and no different from holding a secret that you tell to someone (i.e. the three digits on the back of your credit card).
The point of two factor authentication is to be better than a password. Mainly this comes in the form of: if you trick me into authenticating myself to you, I would not have given you the ability to authenticate as me later.
Since I can easily derive the pattern on the card from either a couple of queries or watching a bunch of traffic (keep in mind that all the attacks on credit card number guessing will also apply since these things are printed en masse and thus are not likely random), this is not much better. It also does not even come close to solving the problem of verifying you physically have the credit card, since this is trivially copied.
In general, there were cryptographically secure human-decodable schemes that used images. However, these were one-time use.
If you saw multiple messages intended to be read with the same key, you could deduce the key. One-time schemes are clearly worthless.
This scheme is rather weak and certainly not nearly as secure as powered actual cryptographic two factor schemes using say a password token and a PRNG.
You could have a "pin" by simply having a 4 digit number the user remembers and adds onto the resulting number. It would require some mental math, however.
We thought that you'd encrypted that bit!
well not 'good'.
Main problems that sprang to mind - you can copy it.
Somebody sees it, jots down the lines and they've cloned your key - and you're none the wiser.
Secondly, it's just not very secure. Can't be bothered working out the maths, but from merely what's on the screen you can rule out a large number of possible numbers and massively increase the chance of brute force.
Simple extension of the idea (if not part of current pitch, I claim it NOW) is that the display should just have a single alignment arrow in one corner. That way the card could be flipped around 2-axis (i.e. invert it, or flip, or flip and invert) - not going to make it secure, but massively increases the areas that could be masked, and therefore reduces exposure to brute force guesses.
Use much longer number/masks, put an offset arrow on it etc etc - oh it could be improved - but you're still just polishing a turd.
I don't think any modern version of Windows will let you do direct hardware access without using a driver. Sure, you could do it with Windows 9x, but NT won't let you.
That's why a window system is supposed to provide an API to query each screen on the display server. Google says the appropriate function in Windows is called GetDeviceCaps. But is the HORZSIZE guaranteed to be accurate, even if the end user has logged in remotely or tweaked the "horizontal size" and "vertical size" knobs of a monitor?
When it comes to authentication, or any security scheme for that matter, I'll take the "as proven as it gets" mechanism, whose weaknesses are known and more easily mitigated. When someone proposes something new like this, my inclination is to wonder how long until it is hacked and beaten.
I totally agree. I think I might have sounded negative in my original post, but basically bike lock security is great when you compare it to the alternatives of a fixed PIN or an expensive smart card.
I think of it as "the Club", like the automobile lock. It works mainly because it really does present a formidable obstacle to most (dumb) thieves, and even the clever ones who could bust it won't be bothered because the next car over does not have one and is just as tasty.
Some drink at the fountain of knowledge. Others just gargle.
You can use your Personal PIN Number at the Automated ATM Machine. If you can do this at UMB Bank, you have hit the trifecta.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
It looks like their demo patterns, see http://www.passwindow.com/security.html, hold 50 and 98 bits of information respectively. The guy at the end must read out distinct numbers or he will know it is a trick, so you can only probe so many bits at a time. Nonetheless it is possible to explore the patterns without even submitting them with some local malware. Just shove some JS in the web page that is displaying the pad, and don't even submit the request to the server, just keep probing the pad. It could be rather passive, generating one BS code per time it actually passes you the code from the server. Over time, I can steal your one time pad.
One of the other posters made an excellent point that this protects data theft at the other end, i.e. if Amazon's CC records are stolen.
why not use real OTP? something like a narrow strip of paper perforated every 1/4 inch, with a different password printed on each strip. every time you log in, tear off a strip and throw it away. if you used thin paper, you could probably fold about 1000 into the volume of a credit card.
404: sig not found.
This provides a little bit of protection against key logging attacks, since there's a set of challenges and their associated responses, but it provides no protection at all against phishing or other man in the middle attacks, because it's all in the same communication channel. If I can intercept your user name and password, I can present the site's challenge image and intercept your response, then do what I will once authenticated. And I can do this with no special knowledge of this system, or any other, by simply presenting the original site's original login page as-is, and passing through everything you supply, then taking the free ride on the cookie or whatever token I get back.
Given we're post-Kaminsky and pre-DNSSEC, phishing attacks are the ones to defend against. Give me out of band, or don't waste my time.
No, I am not the inventor, just someone who has followed this for a while.
Things people don't seem to understand about this:
1. You can't easily photocopy, photograph or videotape the window; it contains tinting. It will only become visible when you actually hold it up against a back lit display (i.e. computer monitor).
2. There would still be a username and password associated with this (e.g. if it's a bank site) so just stealing the card isn't enough to let you in.
3. Each time you visit a site or enter an incorrect code, it issues a NEW challenge (with a NEW response number). Brute forcing the challenge (i.e. trying every possible PassWindow layout matched up with that challenge and trying everything that shows up a valid code) WON'T work because as soon as you input the first code, it generates a NEW challenge.
4. The PassWindow pattern is highly resistant to social engineering tricks (e.g. fake bank/store employees trying to convince you to hand over your credit card number).
5. The PassWindow challenge image is resolution independent (it has a simple sizing arrow that the user uses to resize the image to be the correct size).
6. It is resistant to hardware keystroke loggers as they would be unable to steal the challenge images.
7. It is resistant to viruses and other software keystroke loggers as the keystroke loggers would need to somehow steal the challenge images AND the typed responses. Even then, due to how it works, you would need quite a few challenge/response pairs to identify the pattern of the PassWindow (remember that a given challenge can contain segments that are also present in the PassWindow pattern). Remember that every site/bank/card issuer/whatever will have different URLs for the challenge image generator so you can't just steal it via a filter that examines every accessed URL. And you have no way to know when the user is in fact accessing their PassWindow to know when to take a screenshot (which would include the challenge image).
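Two posts in this thread make opposite claims about the same quantity: the earlier one that a visual key reused across many messages can be deduced once enough challenge/response pairs have been seen, and point 7 above that "quite a few" pairs are needed. That quantity can be measured on a small model. The code below is an added example, not code from the thread, from PassWindow, or from any real deployment. It assumes a constructed, simplified layout (independent 7-segment digit positions, no segments shared between neighbouring digits, card segments printed at random with a chosen density) and a constructed server rule for which segments are displayed; none of that is the real product's specification. From a deployer's standpoint it reports how the set of card patterns still consistent with what a shoulder-surfer or key logger has observed shrinks per login, which is the number one would use to decide how often such a card has to be replaced.

```python
"""Toy model of a reusable visual-overlay login code (constructed for illustration;
not PassWindow's actual layout or protocol).  Each position is a 7-segment digit.
The card carries a fixed subset of segments; the server displays the remaining
segments so that card + screen together show the digit the user must type."""
import random

# Standard 7-segment encoding: bit i = segment i
# (a=0 top, b=1 upper right, c=2 lower right, d=3 bottom, e=4 lower left, f=5 upper left, g=6 middle)
SEGMENTS = {
    0: 0b0111111, 1: 0b0000110, 2: 0b1011011, 3: 0b1001111, 4: 0b1100110,
    5: 0b1101101, 6: 0b1111101, 7: 0b0000111, 8: 0b1111111, 9: 0b1101111,
}
ALL_SEGMENTS = 0b1111111


def make_key(positions, rng, density=0.3):
    """Card pattern (assumed model): each segment is printed independently with probability `density`."""
    return [sum(1 << s for s in range(7) if rng.random() < density)
            for _ in range(positions)]


def issue_challenge(key, rng=None):
    """Server side (assumed rule). For each position pick a digit the card can
    complete (card segments must lie inside the digit), display the segments the
    card lacks, and re-display a random half of the card's own segments so the
    screen pattern alone does not reveal which segments are printed on the card."""
    rng = rng or random.Random()
    challenge, response = [], []
    for k in key:
        fits = [d for d, s in SEGMENTS.items() if k & ~s == 0]
        d = rng.choice(fits)
        redisplayed = sum(1 << s for s in range(7)
                          if (k >> s) & 1 and rng.random() < 0.5)
        challenge.append((SEGMENTS[d] & ~k) | redisplayed)
        response.append(d)
    return challenge, response


def check_readout(key, challenge, response):
    """Well-formedness: card overlaid on screen must light exactly the intended digit."""
    return all(k | c == SEGMENTS[d] for k, c, d in zip(key, challenge, response))


class Observer:
    """What a passive observer learns from (screen pattern, typed digit) pairs.
    lower = segments that must be on the card, upper = segments that may be."""

    def __init__(self, positions):
        self.lower = [0] * positions
        self.upper = [ALL_SEGMENTS] * positions

    def observe(self, challenge, response):
        for i, (c, d) in enumerate(zip(challenge, response)):
            shown = SEGMENTS[d]
            self.lower[i] |= shown & ~c   # lit but not on screen: must be printed on the card
            self.upper[i] &= shown        # card segments never lie outside the lit digit

    def candidates(self):
        """Number of card patterns still consistent with everything observed."""
        undetermined = sum(bin(u & ~l).count("1")
                           for l, u in zip(self.lower, self.upper))
        return 2 ** undetermined

    def consistent_with(self, key):
        """Soundness check: the true card always lies between the two bounds."""
        return all(l & ~k == 0 and k & ~u == 0
                   for l, k, u in zip(self.lower, key, self.upper))


def simulate(positions=6, rounds=20, seed=1):
    """Run `rounds` logins with one card; returns (initial, final candidate count, observer, key)."""
    rng = random.Random(seed)
    key = make_key(positions, rng)
    obs = Observer(positions)
    initial = obs.candidates()
    for _ in range(rounds):
        obs.observe(*issue_challenge(key, rng))
    return initial, obs.candidates(), obs, key


if __name__ == "__main__":
    initial, final, obs, key = simulate()
    print(f"card patterns consistent with nothing observed: 2^{initial.bit_length() - 1}")
    print(f"after 20 observed logins: {final} (true card still consistent: {obs.consistent_with(key)})")
```

The residual candidate count need not reach 1, and that is not a flaw in the inference: a card holding only segments a and g can complete only digits that all contain the bottom segment d, so d is never ruled in or out, and the two remaining candidate cards behave identically on every challenge. The re-display of half the card's segments is what stops a single screen pattern from giving the card away in one round; how fast the space collapses depends on that rule and on the card density, so the absolute numbers are illustrative of the mechanism, not of any product.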
Big problem seems to be how easy it is to copy. I can copy your card with phone camera, without you even knowing about it - or at least with a reasonable zoom lens. BTW there are 5 bits per digit, except the final one, since two are shared between each digit.