Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier On Un-Authentication

Posted by CmdrTaco on from the gimme-back-my-keys dept.

Trailrunner7 writes "Bruce Schenier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"

3 of 336 comments (clear)

  1. Reauthenticate when suspicious by Geoffrey.landis · · Score: 3, Interesting
    Requiring re-authentication whenever a logged-in user does something suspicious-- i.e., tranferring large amounts of money, installing a keylogger, sending out ten thousand e-mail messages, scanning networks for open ports, etc.-- might be useful.

    If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.

    --
    http://www.geoffreylandis.com
  2. This is De-Authorizing, not De-Authenticating by zentechno · · Score: 4, Interesting

    One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more-often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate-policy. Now a minor, but important distinction. This isn't "un-authentication" this is de-authorizing the computer from which you're logged in accessing the place you're logged in to. You want to "authenticate a de-authorization" that is verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.

    --
    âoeThe wall between art and engineering exists only in our minds.â -- Theo Jansen
  3. Re:Effective way to keep screens locked by AmiMoJo · · Score: 4, Interesting

    You can get little RFID tokens that you keep in your pocket. When you move out of range of the RFID reader on the PC (about 3m away) it automatically locks the workstation and can either require a password to unlock or simply having the token back in range.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC