Is Battery-Free 2-Factor ID Secure?
An anonymous reader writes "There was a television program in Australia last week about Matthew Walker's visual battery-less two-factor authentication system called PassWindow. Essentially, you hold the clear plastic window up to the apparently random pattern on the screen of your computer, revealing a one-time PIN to type in for authentication. The plastic window has many advantages: difficult to copy or view over the shoulder, etc. Because there is no electronics, chip or battery, the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems. However, I don't know about the security of the system. The apparently random pattern of lines in the PassWindow is analogous to a one-time pad, using a different subset of the one-time pad every time a PIN is needed. Is this a useful level of security for logging in to a bank account?"
I used to have some Simpsons trading cards that were like that. There was what looked like static on a TV screen, which, when another plastic panel was put in front of it, would show a de-scrambled image. I can't see how it is secure though, because the plastic descramblers are all the same. Someone could still take a photo and use a similar plastic window elsewhere.
I'm gonna need a spec.
Let's see. Worst case scenario, you set up a camera that does about 30fps, with rotating filters in front, and use OCR to look for text in each frame. 30 passwords per second is a lot faster than 1 password + delay, 2 password + longer delay, 3 password + get account re-enabled.
Aside from that brute force method, I suspect the system is pretty vulnerable to more sophisticated attacks, like quickly narrowing down what window people have by analysing the more obvious features (number of lines, angle of lines, ratio of vertical lines to horizontal waves, etc.) of an on-screen pattern, for instance.
Basically... donotwant.
Lenslok, hated by 8-bit gamers everywhere.
libguestfs - tools for accessing and modifying virtual machine disk images
the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems.
Taxation is legalized theft, no more, no less.
A lot of these sorts of schemes assume some sort of fixed pixel size such as 96 dpi, a fantasy that hasn't been true since, well, ages. Some LED screens have up to 150 dpi resolution, others as low as 72dpi. If the scale is wrong, then the pixels won't line up and the decoder is then useless.
Now, I admit it's possible that the creator of this scheme might have solved this, but I doubt it. A colour filter like those games whose clues are read through a red plastic foil viewer would be far too easy to crack, for example.
I can't escape the impression that this is just security theatre and not serious security after all.
Looking at how it works, my guess is that you could brute force someone's "passwindow" card with just a handful of inputs. There are only 7 different elements for each digit, and you should be able to figure out which spots are filled in pretty quickly and what numbers they represent.
I read the internet for the articles.
couldn't you get a plastic filter for a camera and see the password that way?
It's not my fault, someone put a wall in my way.
Anyone who's broken into your PC and has spyware installed can fairly easily observe several login attempts with this, and then derive what your PassWindow is. This is worse than poor security, as it gives people an illusion that it is something that it isn't.
Please RTFA and the website. The filter is opaque. The user is sent gibberish as a password, and it only makes sense if you have the opaque window to create letters and numbers from the gibberish.
It is not possible to decode without knowing the one time pad. And the one time pad is implemented in the physical world, by the window.
If the authors claims are accurate (that it is possible to create tens of thousands of throwaway passwords per window before they need to be replaced) then this is an ideal authentication method IMO.
This is easily rectified in any software by compensating for the DPI by scaling up or down the image.
Heck you can do this in CSS:
IMG.passwordWindow { width: 2in; height: 1in; }
This image is going to be scaled to be the exact same size on the screen in any web browser.
From what I saw, this system might be able to protect you from a single compromise of your security. This would depend on a few factors, though. Given you can see both the pattern and the code, from a single session you could make some assumptions about what the code would be with a different pattern. It might take a few tries to generate the correct code. If the attacker can partially log in multiple times without being locked out, he may be able to choose a pattern that has fewer possible permutations for the code.
There's also a potential problem in that, if an attack is made on an account and the account is locked out, the card would have to be replaced. Otherwise, if the account is re-enabled without replacing the card, the attacker would be able to continue to make attempts to log in. I suppose you could also alert the customer to change their password due to a security breach.
I don't think this will protect very well against a customer's own system being compromised, with an attacker being able to monitor multiple log-ons. There are simply too few possible permutations in those 7-segment displays.
I'd also like to mention there's a potential problem if the monitor's resolution is too high. If, for instance, the user wants to log on via a netbook, the code displayed may be too small to match up with the code on the card, making logging in impossible.
And this is less secure than existing passwords how?
With existing passwords spyware just grabs the keystrokes.
With this method the spyware would have to do OCR on the password image and then do a sophisticated algorithm comparing what you typed, and do this many times before it could be sure it had the whole image.
It is much more complicated. Sure it is still vulnerable but it is a vast improvement over most password systems.
Mostly because your "key" is static and only offers a very limited amount of possible configurations (WAY less than the average 2048 bit key, think more along the lines of an 8 bit key). It's trivial to have software calculate all the possibilities (all you need is one or maybe two arbitrary keys, "lenses", to figure out the process), adjust the picture to match what you'd "see", then throw it at OCR software and you'll end up with very few reasonable ("legible") configurations.
After a few, maybe even after the first, sample you know what configuration his lenses have and you have it cracked.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is easily rectified in any software by compensating for the DPI by scaling up or down the image.
Heck you can do this in CSS:
IMG.passwordWindow { width: 2in; height: 1in; }
This image is going to be scaled to be the exact same size on the screen in any web browser.
Also, this has nothing to do with color filters.
I swear to god every poster on this thread so far has not gone to the website: http://www.passwindow.com/
This is actually a very novel idea that has been thought out thoroughly.
It's better than nothing.
The trick is that yes, it does leak information- each time you use it, an eavesdropper gets a little more information, perhaps enough to "get in". Or perhaps not.
On the other hand, the server end knows what cells may or may not have been compromised and can optimize around that.
The beauty of such grilles (and they have been known for centuries) is that they are _cheap_ and it's not unreasonable for the server end to predict when a grille's private information has been used up and sends you a new one well before that time.
So- not new, but not bad, either.
So you are worried about crackers breaking into your house and setting up spy cams to steal your banking password?
If they have already broken into your house why would they bother with that? Why not just steal your statements?
Or just use the spy cams to record all your online activity?
Talk about paranoid. This is a pointless argument against the system that holds no merit at all.
Only if the user has correctly configured his system to know the correct physical resolution (dpi) of the screen, or the OS was able to get correct information from the screen automatically (DDC); this will only be true for some users.
There. Fixed it for you.
"The urge to save humanity is almost always a false front for the urge to rule it."
- H. L. Mencken
The transaction looks like this:
1) user chooses which kind of credit card he/she has
2) user gets a screen where he/she can specify the cc nr and de-scramble the code
3) user's browser sends the cc nr and de-scrambled code back to the server
4) server replies: all is well, congratulations
If the fraudster is able to intercept just 1 of these transactions then he can already narrow the number of possible "PassWindow" combinations down to let's say a few hundred. But if he can intercept for example 3 or more of the transactions made with the same card then he can easily narrow the possibilities down to fewer than ten combinations. There exists no mechanism that would prevent the fraudster from trying out all of these 10 or fewer combinations.
The most secure way to handle cc transactions would be to confirm every transaction with the cc holder. It could work with e-mail, sms, telephone, im or any other means of communication that the cc holder has chosen and believes is secure enough for him/her. That of course would create significant delays that many current cc systems would be unable to handle since atm they expect instant replies from the cc issuer. Which means that this system would only work with credit cards meant for online payments. In physical stores the 'pin code' is still the best solution at least until the confirmation delays come down to a few seconds.
This is sort of like one of Chaum's voting system receipts. those are provably secure for single use.
however having watched the video, it's obvious this one is weakly secure for a single use and rapidly insecure for multiple uses.
given a series of challenges one should be able to apply a process of elimination to determine the missing elements.
the alternative would seem to be to choose the challenge from a restricted pallet of challenges that assures some ambiguity. in this case intercepting a bunch of challenges will simply reduce the number of possible choices.
for example, if the ambiguity could be maintained at 3 choices per digit then 7 digits provides 2187 possibilities.
that's actually not hideous. it's comparable to a bicycle lock. thus the key to making that low number useful is to prevent someone from rapidly trying the challenges exhaustively.
e.g. if you are only allowed 2 challenges per 30 minutes, or more deviously, if the challenger denies access with say 10% probability even when you type in the right pass code.
this will make such 2-factor while not government grade probably not worth the attacker's time.
Some drink at the fountain of knowledge. Others just gargle.
The system is no better than having a normal credit card CVV.
The LCD-like half-images are the secret. Take a photo of that and you're totally compromised.
The battery systems (like RSA SecurID) are better because they protect the secret inside the device and only give a derived value every 60 seconds.
Nice try however.
This idea is completely crackable and you don't have to be a psychic genius here folks.
You take the image, and run a digital filter on the image -- creating thousands of new "images" which emulate the possibilities for the plastic window.
You then interpret the results (A simple OCR of the resulting images should do), and you try those passwords.
Yes, it's brute force -- but it's no safer than a non-image password.
By the way, my E*Trade RSA digital passkey is a great system of 3 point password protection. Why isn't everyone using that?
------ The best brain training is now totally free : )
Most of the comments here are aimed at high-security applications where the assumption is that there are people looking to crack the security and will do whatever it takes to do so. This invention isn't targeted at that application however. You've missed the point.
This security is like a standard car door lock or home door lock. It won't prevent someone from breaking in but it will deter them enough to make it less attractive. This certainly shouldn't be used to protect your bank account but it could be used to authenticate you on a variety of websites that do not hold any sensitive information (you'd still need your CC number to make a purchase) or as a guest key to get access to a wireless connection at a cafe.
As a light security measure this is a fairly good option... just like a key/lock as described in the video.
The big point is that a criminal would have to work fairly hard to get access to an account, without knowing if the amount of work involved will be rewarded and this amount of work would have to be repeated for each account.
A fool throws a stone into a well and a thousand sages can not remove it.
When I moved into my new house, the digital readout on my microwave oven got bumped around, and 2/3 of the LED segments stopped working.
Basically, my microwave's clock is now a PassWindow system for which I don't have the cool transparent keycard.
But since I know what I'm looking at is numbers, it didn't take me long to figure out which LED segments were dead, and now I can read the display just fine even though it's busted.
The same is true for Passwindow. I bet that with 5-10 instances of ciphertext and the knowledge that the cleartext is a numeric code, you could work out the key.
(PS: Yes, I could take my microwave apart and fix the LED display, but I'm not real excited about doing that because IT'S A FREAKING MICROWAVE.)
But it's not a one time pad. It's an every time pad, as the plastic filter never changes. All it is is an acetate window with parts of a seven segment display printed on it in black. The computer displays other segments, and when the plastic window is aligned with the computer screen, these segments form a number. It would be easy to copy, and may even be fairly easy to crack without the card, since certain segment patterns will only occur in certain numbers.
When our name is on the back of your car, we're behind you all the way!
How is this more secure than a key? Like an honest-to-goodness, metal-object-you-stick-in-a-lock, physical key? Thread consensus seems to be that you could copy a PassWindow, just like you can copy a key. And if you steal someone's PassWindow, you can access all the things that are tied to that PassWindow. Unless I'm missing the essential element that ties you to your specific piece of plastic.
Haven't there been tons of discussions about why using flash drives to store passwords is a really bad idea, simply because the risk to your physical media being stolen is much higher than the risk of your passwords being divulged? Sure, it might be an interesting concept for "unhackable" encryption (though this thread appears to have disputed that pretty readily), but does it do anything to prevent social engineering the way a strong password or PIN does?
The solution is simple this, build a passkey alike system that will light up in the apropioate microwave oven. Nobody will tamper with it because "IT'S A FREAKING MICROWAVE"
1. The security card is extremely cheap, looks it, and like all such cheap security measures, easy to crack. It was designed to be built into a MasterCard (at basically less than $1 per card), not built into your top secret government code-key.
2. It is not intended as the kind of super-secret security. It is CHEAP security - like one of those chains you put on your front door. It doesn't keep the mafia out, it keeps the obnoxious delivery boy out.
3. If used properly, it can prevent the kind of fraud it is intended to prevent - when Amazon mistakenly sells a hard drive full of your credit card numbers that the morons forgot to encrypt, they will skip your credit card number because it is NOT worth the trouble to deal with the code, especially when a bunch of other credit card companies don't use the security.
4. This is a great form of CHEAP security, and if all you want is CHEAP security, then it is well worth it.
excitingthingstodo.blogspot.com
There's nothing two-factor about this solution.
Someone just has to steal (or take) the plastic thingie from you and now they can get in but you can't.
If you first had to login normally (using a memorized password) and second hold the plastic up to see the one time pad then you could say it was two-factor.
A two-factor key cannot be allowed to have just a single point of failure.
Then there is the recovery problem afterward. At least after a stolen housekey you can just bust in and then fix your door.
What do you do when the plastic thingie goes missing?
Do you need a back door? And how secure would that be?
Or can you get another plastic thingie exactly the same? Only to use it once to get in so you can then register another (uncompromised) one.
Not to mention that if you can get a replacement plastic thingie exactly the same, then maybe somebody else can too.
The power source should not be considered in the security question. That is a reliability and availability issue. With "soft tokens" that can be safely operated from phones and USB thumbdrives, there are already solutions to the perceived problem.
Now, to address the question of security for this new "token", you need to focus on the PIN generation algorithm, and the security of the delivery channel.
Unfortunately in this little PR video, there's not enough technical implementation information to make any deeper analysis of the specific solution. But we can speculate on this type of system, in general.
Obviously, the SecurID type token - where no secret is transmitted to generate the secret - is always more secure than a scheme where a remote display of a secret is generated. The channel can be intercepted en route, if valuable enough to warrant the effort. There is also the possibility of TEMPEST type attacks on monitor emissions. These have to be evaluated, but I expect they are low-risk, and with the one-time use of the secret, probably not worth the trouble.
More troubling? This is being generated and displayed on demand, when regular credentials are first supplied. That means that an attacker with the regular password can request a new PIN many times, regardless of their location. They can do this many times, and analyze output well enough to craft an attack on the scheme.
Ultimately, I would view this as a replacement for CAPTCHA technology, which it more closely resembles, than I would an improvement on OTP tokens. Unfortunately, I don't see the value of CAPTCHA justifying the cost and effort in this "passive" OTP.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
This is an innovative approach, but the current implementation outlined on his website would not be effective for sections of the population and in some uses (e.g. in stores, etc). That said, this could be effectively deployed with an opt-in system and branded as an "online only" credit card. That said, I would be more interested to see the math behind the "one time password" approach. How exactly does this system work? Does this require the card company to issue some code to vendors for each transaction? Interesting, but is that practical?
The little blue "resize" arrow clearly visible in the video says you're wrong. I'm guessing you line up the top-left arrows then drag the arrow until the bottom-right arrows overlap.
Even the old Sinclair/Times Spectrum "lenslok" protection had a resize function. Duh!
No sig today...
Let us say I am willing to put up with some hassle, but I want really good security. What is the best choice? Like I register a cell phone number with the bank. Bank texts a new passcode every time I want to login to my phone. Would it be secure?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Printing companies have been using this method of authentication and reading of confidential material for years. They print patterns like this on boxes or products hidden and have people go into stores to verify that the store is selling an authentic product. Colgate started doing this after a Chinese company was importing toothpaste under the Colgate brand. It is also used just for sending secure messages where only the reader has a window that will work to read the printed code.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
So what happens if someone uses a screen which uses a different DPI to the one intended by the creator of this device?
Nothing will line up and you won't get any readable output from it unless you resize the image on screen to the appropriate size...
On a system which automatically works out your DPI, this could work... However the majority of systems (windows, osx) don't...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Assuming the OS knows and uses the screen DPI... X11 has done this for years, but I don't think windows does.
And aside from that, not all screens are capable of reporting their DPI, and this will also break where you have a multi screen setup using 2 different size screens.
Please RTFA and the website. The filter is opaque. The user is sent gibberish as a password, and it only makes sense if you have the opaque window to create letters and numbers from the gibberish.
It is not possible to decode without knowing the one time pad. And the one time pad is implemented in the physical world, by the window.
It's not a one-time-pad if you use it twice.
It's probably better than nothing, but not by much.
The point the GP was trying to make is that a one time pad is not just a normal encryption key that you use once. A one time pad is where you never reuse any part of the encryption key at all even during the same act of encrypting a message. Therefore the one-time pad must be equal in size to the message itself. The reason this is considered unbreakable is because without any re-use of data, there's no cryptographic analysis to be done. With a properly random pad, you can use the most brain-damaged encryption methods, i.e.:
for (size_t i = 0; i < len; i++) { crypted[i] = plaintext[i] + onetimepad[i]; }
and bam, you're done.
But this isn't a one-time pad, because it does not generate a new random number for every byte of data you are sending. It's just 2-factor authentication using a random number at the end of a normal password. It's a low-budget way of doing SecurID (which uses synchronized PRNGs). It seems to have some additional weaknesses over Securid, but the principle works and it is a cheap way to get multi-factor authentication which is at least much better than single factor.
The enemies of Democracy are
Once you know how it works, it's easy to assign a numeric value for each LCD window. Conveniently there are 7 panes that make up an LCD, with each one either on or off. Huh, seems very similar to ASCII. You come up with a standard representing that (maybe there is one?), and now I can use ASCII to describe which of the lines are on or off. Using top-to-bottom, left-to-right the one in the video could be described as:
0110010 _ 0011000 0100010 _ 0011001 0010100
2_chr(24) "_chr(25)chr(20)
OK, so it's not perfect, but still, it would be easy to convert to an easily storable value. Once that is done, you can go further to decode the challenge with a script, and voila, you have all the stuff you need to use the card fraudulently. It would take a bit more work, but once you have it, you're toast.
Not only that, but it would be fairly easy to reverse engineer. Now it WOULD make it harder for people to steal the database and use the card, since that's not stored by any of the merchants who accept cards, so a DB dump from an ecommerce site would result in less fraud if this were widely implemented. Recurring transactions would be problematic though; how could I rebill a credit card each month for a dynamic number without the cardholder entering in the code? And who is generating the challenge? Me? The credit card purveyor? How? Are they sending me an image, or just numbers and I have to generate the image?
A unique idea, and it does solve the problem of stealing credit card databases. And it is cheap and easy to put on a card, it's the whole backend system that is the biggest challenge. Though if Payflow Pro (PayPal) and Authorize.net implemented it, it would probably do a lot of damage to the card fraud industry.
TossableDigits.com: Temporary Phone Numb
and bam, you're done.
Lol, where's that preview button again?
for(size_t i = 0; i < len; i++) { crypted[i] = plaintext[i] + onetimepad[i];}
Let's analyze...
5 character code - 0-99999 = 100,000 possible codes.
5 characters with 7 lines each = 35 possible "line" locations. The card in the video has 14 lines. The challenge code on the computer "ALSO" has 14 lines.
This solution simply has the appearance of security. There are MAJOR design flaws.
If one were to analyze the incomplete code from the video you begin to notice that there is an enumeration flaw.
The first character is blank, 0-9. The second character can either be a 0, 6 or 8. The third character can either be a 0, 5 or 8. The fourth character can only be a 0, 2, 3, 8 or 0. The fifth character can only be a 0 or 8.
This only leaves 900 possibilities. Much easier than 100,000 possibilities.
If I calculated each of these 900 possible codes I could then determine which of these 900 codes utilize 14 characters! This would allow me to determine all possible "card codes" within a 99% accuracy. If I was able to receive multiple challenges from the server, I would repeat the process and cross compare results. This would allow me to determine the key on the card within an almost 100% accuracy.
Increasing the keyspace, utilizing [A-Z0-9] and randomizing the number of challenge characters would limit my ability to enumerate as easily.
This solution currently provides no security against a motivated attacker.
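The enumeration argument in this post and the 7-bit segment encoding suggested a few posts earlier can be put in one small model. This is an added example, not PassWindow's own code or layout: it assumes a card that prints some segments of each seven-segment cell, a server that draws the remaining segments of a digit, and it measures how many candidate cards stay consistent with the challenge images alone, plus the "least leaky digit" a server could prefer per cell.

```python
"""Toy model of a static seven-segment mask card (an assumption, not the
real PassWindow layout): each PIN cell has some segments printed on the
card, the server draws the missing ones, and the overlay reads as a digit.
Constructed example; it measures how fast the set of cards consistent with
the observed challenge images shrinks."""
from functools import reduce

# Segment bits: a=1 (top), b=2, c=4, d=8 (bottom), e=16, f=32, g=64 (middle).
DIGITS = {0: 0x3F, 1: 0x06, 2: 0x5B, 3: 0x4F, 4: 0x66,
          5: 0x6D, 6: 0x7D, 7: 0x07, 8: 0x7F, 9: 0x6F}
MASK_TO_DIGIT = {mask: d for d, mask in DIGITS.items()}

# Constructed card: one printed-segment mask per PIN cell (b+c, d, g, e, a+f).
CARD = [0x06, 0x08, 0x40, 0x10, 0x21]


def showable_digits(mask):
    """Digits whose segments include everything printed in this cell."""
    return [d for d, seg in DIGITS.items() if mask & ~seg == 0]


def challenge_for(mask, digit):
    """Segments the server must draw so that card + screen reads `digit`."""
    if mask & ~DIGITS[digit]:
        raise ValueError("digit %d cannot be shown over mask %#04x" % (digit, mask))
    return DIGITS[digit] & ~mask


def make_challenge(card, pin):
    return [challenge_for(mask, d) for mask, d in zip(card, pin)]


def read_pin(card, challenge):
    """What the legitimate holder reads through the card."""
    return [MASK_TO_DIGIT[mask | c] for mask, c in zip(card, challenge)]


def recover_card_from_pin(challenge, pin):
    """With both the image and the typed PIN (what spyware on the PC sees),
    every cell's mask is fixed by a single observation."""
    return [DIGITS[d] ^ c for c, d in zip(challenge, pin)]


def mask_candidates(challenge_cell):
    """Masks consistent with one observed cell: the overlay must be a legal
    digit, and printed and drawn segments never overlap."""
    return {seg ^ challenge_cell for seg in DIGITS.values()
            if seg & challenge_cell == challenge_cell}


def remaining_keyspace(observed, positions):
    """Per-cell candidate sets after intersecting every observed challenge
    image; starts from all 2**7 masks per cell."""
    cells = [set(range(128)) for _ in range(positions)]
    for challenge in observed:
        for i, c in enumerate(challenge):
            cells[i] &= mask_candidates(c)
    return cells


def keyspace_size(cells):
    return reduce(lambda n, s: n * len(s), cells, 1)


def least_leaky_digit(mask):
    """Digit a server could choose for this cell so the drawn image leaves
    an eavesdropper the most candidate masks (the 'keep ambiguity' idea)."""
    return max(showable_digits(mask),
               key=lambda d: len(mask_candidates(challenge_for(mask, d))))


if __name__ == "__main__":
    c1 = make_challenge(CARD, [7, 0, 2, 0, 5])
    c2 = make_challenge(CARD, [1, 3, 9, 8, 8])
    print("holder reads:", read_pin(CARD, c1))
    for k in range(3):
        print("after %d image(s): %d candidate cards"
              % (k, keyspace_size(remaining_keyspace([c1, c2][:k], 5))))
    print("image + typed PIN recovers card:",
          recover_card_from_pin(c1, [7, 0, 2, 0, 5]) == CARD)
```

In this model two challenge images alone pin the constructed card down to a single candidate, and one image plus the typed PIN does so immediately.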
Banks could mail these out by the millions. Cheaply. A win, mostly.
I'll call it 1.2-factor authentication. The user still has to be in possession of this gizmo, and it's fairly easy to crack, but it's better than a plain old password.
I worked at a large bank that mailed out RSA fobs by the thousands. Effective, but expensive as hell. About 10 people full time just to mail out the things and deal with dead ones, and when you get a batch they all preset to fail on the same date, thousands of them.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
How is this more secure than a key? Like an honest-to-goodness, metal-object-you-stick-in-a-lock, physical key?
It's not. It's not really trying to be. It is, in fact, supposed to be the online equivalent of a key, a physical device which you have to possess in order to gain access to something.
Haven't there been tons of discussions about why using flash drives to store passwords is a really bad idea, simply because the risk to your physical media being stolen is much higher than the risk of your passwords being divulged?
The idea here is to use both -- "something you know" in your password, and "something you have" in the PassWindow, and you combine your password plus the random number into a single larger password. The idea is that if one component is compromised, that still doesn't give them the other. Imagine you had both a keyed dead bolt and a combination lock on the door to your house. To get in, someone would have to snoop you entering in the code, and then steal your keys. If you dropped your key and someone picked it up, you wouldn't have to worry about them getting in if they hadn't seen your passcode, and vice versa.
but does it do anything to prevent social engineering the way a strong password or PIN does?
Strong passwords don't prevent social engineering, they prevent dictionary and other simpler-than-brute-force attacks. But if someone lures you to a malicious website that looks like the one you want to log in to, and you type in your password, you're hosed. With this and SecurID style multi-factor authentication, this risk is still there. If you type in your password+random# combo into the evil web page, then they have access for as long as that random # remains valid.
This is just a CAPTCHA implemented with a secret decoder ring. All it takes to crack is a motivated individual to create an optical simulation to process the image into something that can be OCRed. That final step will be easier than what they have to do today since the text can't be distorted too heavily without the risk of too many failures from legitimate users.
I am becoming gerund, destroyer of verbs.
You're quite right, and this is good for the bank. Criminals will target other banks first.
The question is, I suppose, what are the compromise rates and costs? If the bank has 100,000 customers holding up a plastic card to their screen each several times a week and they're stopping 6 account compromises a year, they're really just doing massive cost-shifting to their customers. The customers may in fact be better served by a six basis point shift to the banks' favor on their accounts.
Tuning those three knobs may yield wildly different conclusions. We can secure anything, but sometimes the costs just aren't worth it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
And aside from that, not all screens are capable of reporting their DPI, and this will also break where you have a multi screen setup using 2 different size screens.
And some screens just flat out get their DPI wrong - I've seen some code which hard-codes certain screens. Probably somebody copy & pasted an EDID between models or something.
Recent xorg X seems to get multi-screen DPI right - at least my fonts look right on varying displays.
You could have a "pin" by simply having a 4 digit number the user remembers and adds onto the resulting number. It would require some mental math, however.
well not 'good'.
Main problems that sprang to mind - you can copy it.
Somebody sees it, jots down the lines and they've cloned your key - and you're none the wiser.
Secondly, it's just not very secure. Can't be bothered working out the maths, but from merely what's on the screen you can rule out a large number of possible numbers and massively increase the chance of brute force.
Simple extension of the idea (if not part of current pitch, I claim it NOW) is that the display should just have a single alignment arrow in one corner. That way the card could be flipped around 2-axis (i.e. invert it, or flip, or flip and invert) - not going to make it secure, but massively increases the areas that could be masked, and therefore reduces exposure to brute force guesses.
Use much longer number/masks, put an offset arrow on it etc etc - oh it could be improved - but you're still just polishing a turd.
I don't think any modern version of Windows will let you do direct hardware access without using a driver. Sure, you could do it with Windows 9x, but NT won't let you.
That's why a window system is supposed to provide an API to query each screen on the display server. Google says the appropriate function in Windows is called GetDeviceCaps. But is the HORZSIZE guaranteed to be accurate, even if the end user has logged in remotely or tweaked the "horizontal size" and "vertical size" knobs of a monitor?
Windows has provided the ability to tell it a screen's exact dpi since Win 95 or earlier. Display Properties | Settings | Advanced.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
When it comes to authentication, or any security scheme for that matter, I'll take the "as proven as it gets" mechanism, whose weaknesses are known and more easily mitigated. When someone proposes something new like this, my inclination is to wonder how long until it is hacked and beaten.
I totally agree. I think I might have sounded negative in my original post, but basically bike lock security is great when you compare it to the alternatives of a fixed PIN or an expensive smart card.
I think of it as "the Club", like the automobile lock. it works mainly because it really does present a formidable obstacle to most (dumb) theives and even the clever ones who could bust it won't be bothered because the next car over does not have one and is just as tasty.
Some drink at the fountain of knowledge. Others just gargle.
You can use your Personal PIN Number at the Automated ATM Machine. If you can do this at UMB Bank, you have hit the trifecta.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
why not use real OTP? something like a narrow strip of paper perforated every 1/4 inch, with a different password printed on each strip. every time you log in, tear off a strip and throw it away. if you used thin paper, you could probably fold about 1000 into the volume of a credit card.
404: sig not found.
This provides a little bit of protection against key logging attacks, since there's a set of challenges and their associated responses, but it provides no protection at all against phishing or other man in the middle attacks, because it's all in the same communication channel. If I can intercept your user name and password, I can present the site's challenge image and intercept your response, then do what I will once authenticated. And I can do this with no special knowledge of this system, or any other, by simply presenting the original site's original login page as-is, and passing through everything you supply, then taking the free ride on the cookie or whatever token I get back.
Given we're post-Kaminsky and pre-DNSSEC, phishing attacks are the ones to defend against. Give me out of band, or don't waste my time.
No, I am not the inventor, just someone who has followed this for a while.
Things people don't seem to understand about this:
1. You can't easily photocopy, photograph or video tape the window, as it contains tinting. It will only become visible when you actually hold it up against a back-lit display (i.e. computer monitor).
2. There would still be a username and password associated with this (e.g. if it's a bank site), so just stealing the card isn't enough to let you in.
3. Each time you visit a site or enter an incorrect code, it issues a NEW challenge (with a NEW response number). Brute forcing the challenge (i.e. trying every possible PassWindow layout matched up with that challenge and trying everything that shows up as a valid code) WON'T work because as soon as you input the first code, it generates a NEW challenge.
4. The PassWindow pattern is highly resistant to social engineering tricks (e.g. fake bank/store employees trying to convince you to hand over your credit card number).
5. The PassWindow challenge image is resolution independent (it has a simple sizing arrow that the user uses to resize the image to be the correct size).
6. It is resistant to hardware keystroke loggers as they would be unable to steal the challenge images.
7. It is resistant to viruses and other software keystroke loggers as the keystroke loggers would need to somehow steal the challenge images AND the typed responses. Even then, due to how it works, you would need quite a few challenge/response pairs to identify the pattern of the PassWindow (remember that a given challenge can contain segments that are also present in the PassWindow pattern). Remember that every site/bank/card issuer/whatever will have different URLs for the challenge image generator so you can't just steal it via a filter that examines every accessed URL. And you have no way to know when the user is in fact accessing their PassWindow to know when to take a screenshot (which would include the challenge image).
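Two claims in this thread can be checked against a toy model: the earlier comment that an in-band challenge/response scheme gives no protection against a phishing relay, and point 7 above that an attacker with screenshots and keystrokes would need "quite a few" challenge/response pairs to identify the card pattern. The model below is an added example written for this page, not code from the original post or from PassWindow's makers, and it deliberately simplifies the real product: it assumes each card position is a transparent-segment mask over a 7-segment digit, that the server lights the target digit's segments plus random decoys on segments it knows are opaque, and that the user types the digits visible through the mask. The function names, the 80% transparency rate, the 50% decoy rate and the 6-position card are all assumptions of the model, not facts about PassWindow.

```python
"""Toy model of a visual segment-mask challenge/response card.

Hypothetical and simplified; NOT the real PassWindow design.  Assumptions:
each card position is a transparent-segment mask over a 7-segment digit; the
server lights the target digit plus random decoys on opaque segments only;
the user types the digits seen through the mask.  Two attackers are modelled:
an in-band relay that never learns the card, and a passive observer who
records challenge/response pairs (screen capture plus keylogger).
"""
import random

SEGMENTS = "abcdefg"              # ordered, so seeded runs are reproducible
ALL = frozenset(SEGMENTS)
DIGITS = {
    "0": "abcdef", "1": "bc", "2": "abdeg", "3": "abcdg", "4": "bcfg",
    "5": "acdfg", "6": "acdefg", "7": "abc", "8": "abcdefg", "9": "abcdfg",
}
DIGIT_SEGS = {d: frozenset(s) for d, s in DIGITS.items()}
SEGS_DIGIT = {segs: d for d, segs in DIGIT_SEGS.items()}


def showable_digits(transparent):
    """Digits whose segments all fall on this position's transparent segments."""
    return sorted(d for d, segs in DIGIT_SEGS.items() if segs <= transparent)


def make_card(positions, rng):
    """Issuer side: one random mask per position (assumed 80% transparent), each
    able to show at least two digits so the response is never predictable."""
    card = []
    while len(card) < positions:
        mask = frozenset(s for s in SEGMENTS if rng.random() < 0.8)
        if len(showable_digits(mask)) >= 2:
            card.append(mask)
    return card


def issue_challenge(card, rng):
    """Server side: per position pick a displayable target digit, light its
    segments plus decoys on opaque segments only (a decoy on a transparent
    non-digit segment would corrupt what the user sees)."""
    challenge, expected = [], ""
    for mask in card:
        digit = rng.choice(showable_digits(mask))
        decoys = frozenset(s for s in ALL - mask if rng.random() < 0.5)
        challenge.append(DIGIT_SEGS[digit] | decoys)
        expected += digit
    return challenge, expected


def user_response(card, challenge):
    """What the legitimate user reads through the card and types back."""
    return "".join(SEGS_DIGIT.get(lit & mask, "?") for mask, lit in zip(card, challenge))


def relay_attack(card, rng):
    """Phishing proxy: knows nothing about the card, forwards the real server's
    challenge to the victim and the victim's answer back, and is logged in."""
    challenge, expected = issue_challenge(card, rng)   # fetched from real site
    typed = user_response(card, challenge)             # victim types into fake site
    return typed == expected                           # attacker's session accepted


class CardRecovery:
    """Passive attacker.  From one pair: the shown digit's segments are
    transparent; lit segments outside the digit are opaque; unlit ones unknown."""

    def __init__(self, positions):
        self.transparent = [set() for _ in range(positions)]
        self.opaque = [set() for _ in range(positions)]

    def observe(self, challenge, response):
        for i, (lit, d) in enumerate(zip(challenge, response)):
            self.transparent[i] |= DIGIT_SEGS[d]
            self.opaque[i] |= lit - DIGIT_SEGS[d]

    def unknown_segments(self):
        return sum(len(ALL) - len(t) - len(o) for t, o in zip(self.transparent, self.opaque))

    def answer(self, challenge):
        """Answer a fresh challenge, or None if a position is still ambiguous.
        Every mask M consistent with the log has transparent <= M <= ALL - opaque,
        so the visible digit lies between lit & transparent and lit - opaque."""
        out = ""
        for i, lit in enumerate(challenge):
            low, high = lit & self.transparent[i], lit - self.opaque[i]
            candidates = [d for d, segs in DIGIT_SEGS.items() if low <= segs <= high]
            if len(candidates) != 1:
                return None
            out += candidates[0]
        return out


def pairs_until_attacker_answers(card, rng, max_pairs=100):
    """Observed pairs needed before the passive attacker answers a fresh,
    unseen challenge unaided (None if not within max_pairs)."""
    rec = CardRecovery(len(card))
    for n in range(1, max_pairs + 1):
        rec.observe(*issue_challenge(card, rng))
        fresh, expected = issue_challenge(card, rng)
        if rec.answer(fresh) == expected:
            return n
    return None


def demo(seed=1, positions=6, max_pairs=100):
    rng = random.Random(seed)
    card = make_card(positions, rng)
    challenge, expected = issue_challenge(card, rng)
    return {
        "legit_ok": user_response(card, challenge) == expected,
        "relay_ok": relay_attack(card, rng),
        "pairs_needed": pairs_until_attacker_answers(card, rng, max_pairs),
    }


if __name__ == "__main__":
    print(demo())
```

The relay succeeds with zero knowledge of the card, which is the same-channel argument made above: the card only proves the user has it, not that the party he is talking to is the bank. The recovery class shows why "quite a few pairs" is the wrong unit: every lit segment is classified after a single observation, only segments the server never lights stay unknown, and the attacker often answers a fresh challenge before the mask is fully known, because ambiguity only matters on segments that are lit in that challenge. Run `demo()` with different seeds to see how many pairs that takes under these (assumed) parameters.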
Big problem seems to be how easy it is to copy. I can copy your card with phone camera, without you even knowing about it - or at least with a reasonable zoom lens. BTW there are 5 bits per digit, except the final one, since two are shared between each digit.
To tell it, it doesn't try to work out that information by itself like X11 does (and has for many years; SGI machines used to know what monitor they had connected).
Also, most apps are designed for the default dpi setting, so some things break when you modify the setting; X11 is more resilient because there is more variety of different values for the dpi.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
SGI supported a handful of monitor models when there were only a handful of monitor models manufactured.
Windows supports thousands of monitor models with new ones introduced every day. It deals with a huge array of monitor aspect ratios and resolutions without user involvement by assuming 96dpi, which, on the vast majority of monitors, is close enough for non-technical applications.
Although some applications misbehave if you change the default font-size, changing dpi is transparent to all but the most poorly designed code (I have yet to run into an example personally). For code to work in inches and override the dpi setting is hard evidence that it was written by someone who'll make a lot of other really stupid mistakes; you don't want to use their product.
I don't know where you get X11 is more resilient because there is more variety of different values for the dpi, since Windows lets you set the dpi to anything you want and even provides an on-screen ruler that you can match up with a real ruler to get a precise value.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
SGI machines were able to determine the size from Sun and IBM monitors too, not just the SGI ones...
Code *should* work in inches, it's code that works in pixels which overrides the dpi setting... Code has no way to know how many pixels are required to represent an inch without knowing the screen dpi.
Most modern monitors are capable of reporting their DPI to the host system, yet Windows ignores that and assumes 96 unless you explicitly tell it otherwise... X11 also lets you manually override the detected DPI if you wish, and it also handles non-square pixels correctly (a single-figure dpi value has no way to specify the shape of pixels).
Mine is very slightly off square:
screen #0:
dimensions: 1600x1024 pixels (373x241 millimeters)
resolution: 109x108 dots per inch
and measuring the visible area of the screen by hand, that's spot on and required no intervention from me to configure it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!