Google security exec: 'Passwords are dead' (cnet.com)
42 points by Thereasione on Sept 11, 2013 | 52 comments


I was thinking about password alternatives recently because I was designing a website just for friends and family. I wanted enough security to keep out strangers on the Web, but I didn't want to make people I know memorize a lengthy password.

So I came up with a photo that fills up the screen. A small, invisible grid covers the photo, and the user has to click the image in a special sequence in order to unlock the next image. After a few quick rounds, they open up the content.

I realize that it isn't the most secure approach, but it's much easier to memorize and use than a traditional password (not to mention more fun). If anyone has any advice or interesting anecdotes about visual login systems, I'd be interested in learning more about them.
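Taking the grid-click scheme above literally, here is an added example (my code, not the poster's site) of how a server could verify such a login and what its keyspace works out to. The grid geometry, image size, round count and hashing parameters are my assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import math
import secrets

# Assumed parameters (not from the post): a 6x4 invisible grid over a
# 1200x800 image, three images per login, and PBKDF2 for the stored hash.
GRID_COLS, GRID_ROWS = 6, 4
IMAGE_W, IMAGE_H = 1200, 800
ROUNDS = 3
PBKDF2_ITERS = 100_000


def cell_for_click(x, y):
    """Quantise a pixel click to a grid cell index so that small aiming
    differences between attempts map to the same value."""
    if not (0 <= x < IMAGE_W and 0 <= y < IMAGE_H):
        raise ValueError("click outside image")
    col = x * GRID_COLS // IMAGE_W
    row = y * GRID_ROWS // IMAGE_H
    return row * GRID_COLS + col


def encode_sequence(clicks):
    """One click per round, in order; position in the byte string encodes
    the round, so the same cells in a different order hash differently."""
    if len(clicks) != ROUNDS:
        raise ValueError("wrong number of rounds")
    return bytes(cell_for_click(x, y) for x, y in clicks)


def enroll(clicks):
    """Store only a per-user salt and a slow hash of the cell sequence,
    never the raw coordinates."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_sequence(clicks), salt, PBKDF2_ITERS)
    return salt, digest


def verify(clicks, salt, digest):
    """Constant-time comparison against the stored hash. A click outside
    the image or a wrong number of rounds is a failed login, not an error."""
    try:
        material = encode_sequence(clicks)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


def scheme_entropy_bits():
    """Keyspace is cells^rounds; this is the honest strength figure."""
    return ROUNDS * math.log2(GRID_COLS * GRID_ROWS)


def equivalent_random_lowercase_length():
    """Length of a uniformly random lowercase password with the same keyspace."""
    return scheme_entropy_bits() / math.log2(26)
```

With these numbers the keyspace is 24^3, about 13.8 bits, which is roughly a three-letter random password; each extra round adds only log2(24) bits. Two practical caveats show up in the code: a click near a cell boundary can land in the neighbouring cell on the next attempt (real graphical schemes use tolerance zones rather than a hard grid), and because the keyspace is tiny the whole scheme depends on the server rate-limiting attempts far more strictly than it would for a password.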



That's impossible. I'm a Mac lover. How could I have unknowingly betrayed my allegiance???


hawkharris, start your photocopiers.


There is a start-up in the UK trying to do something very similar: http://pixelpin.co.uk/


I hope it doesn't catch on. I do use a password manager, and anything which doesn't let me copy+paste is just a huge hassle.


Something you know, something you have, something you are. Google may be trying to prefer something you have, but that's hardly going to kill "something you know" forever and ever.

I also look forward to the silly "two-factor authentication" that involves having two "something you have"s. It'll complement my bank's silly use of two "something you know"s nicely. (Perhaps they can get together for the true security ultimate, four factor authentication, security so secure that it uses four out of three possible authentication techniques!)


> Something you know, something you have, something you are.

Excellent point - and oddly reflects a subtle point: Something you are (bio-id) is what we are asserting, and using one or both of the others gives the far point a gauge of how likely fraud is.

In short:

* Something you are -> Username
* Something you know -> Password
* Something you have -> RSA fob


When it comes to security, when people refer to "something you are", they mean that distinct from the "totality of who you are" or "who you truly are" (if you can even define that). Thus, fingerprints are "something you are"... but they can still be faked, and they aren't necessarily immutable, either. They explicitly aren't talking about "who you 'really' are" because if we had a way of telling that, we would be done. We wouldn't need any of the three factors if we simply knew who you were, magically, 100% accurately.

So, the "something you are" is still distinct from "who you really are", which is the thing we are trying to establish. (And we should have at least another two or three decades before that becomes a tricky question of its own.)


Who I am (my identity) is for all sensible purposes a construct of other people.

The real me sits behind my eyes. Let's ignore that for current purposes.

My identity then is what other people choose to use to distinguish me from the other seven billion on the planet. Mostly we used faces, and became really good at recognising them. Then we moved to using names because there were so many of us.

But it is still notable that who I am (Paul) is really just a shorthand for other people's convenience. If I was the only human on the planet I would have no use for a name, but everything about me otherwise would still be unchanged.

In short, who I am is my "identity" and that is just an assertion to help you tell me from the guy next door. Who I am is my name (if you are on the telephone) or my face if we are in the pub, or my DNA if you are in CSI. None of those things are to do with the quale of being Paul, but they are useful for other people.

Make sense?

I'm saying don't fall into the trap of thinking that if there was some way to determine who I am really, then we could get rid of passwords. Who I am really is a quale in my head and no use to anyone else, so instead we find ways to distinguish bags of meat and call it identity.


Passwords will go away about the same time Java does.


This article is about how two-factor authentication is great and should be used everywhere. It is not about passwords going away.


According to the article, she did say exactly those words:

"passwords are dead"

"passwords are done at Google"

"our relationship with passwords are done"

Then they go on about how they're experimenting with hardware tokens and stuff, and how all startups should be solving that for them now.

It looks like PR to me, and it also looks like Google has lost its soul.

Obviously, passwords are far from dead. It's wishful thinking at this point. The only thing everyone can agree on is that passwords suck to remember, input, and manage, and that there are many superior technical solutions.

The main issue is, and has always been, that those superior solutions are painful to introduce because they're not standard, everyone wants its proprietary piece of equipment in there, and they're not seamless solutions that customers - users, really - are willing to test until something becomes a de facto standard.


What are these many superior technical solutions you speak of?

Care to give any examples of such?


care, nope. if nicely asked.. :P

Basically you can have an ECDSA or RSA key pair and store the private key locally, either in a PGP smartcard (which can really be just a USB stick), or more conveniently in a piece of clothing that uses some sort of NFC to transmit the data.

Again, the YubiKey NEO does that (using NFC) but with OTPs, for example.


Or maybe she didn't really want to divulge how Google plans to make passwords obsolete.

>> Although Adkins didn't offer any real specifics on how Google will innovate beyond today's security, she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. "A hacker can't steal that from you," she said.


There isn't really anything magical to make passwords go away, thus nothing fundamentally new or to hide. A tiny piece of NFC hardware can be used to authenticate users using S/R or HOTPs (look at the YubiKey NEO for example). Then you can hide it in clothing, rings, bracelets, watches if you want. Way more convenient than a USB stick too, but you need an NFC reader, still.

Google has a huge impact, thus they're the ones most likely to have enough momentum to push for a change. That's different.


Maybe I'm too cynical (is that possible about csec anymore?), but as soon as I saw this line from Google, I thought "oh right, it'll be something to get Google inserted into every login interaction".

Well, not quite yet it seems, but this may be part of the set-up for it.


It's funny, but Blizzard's been playing this game for years with their two-factor auth, particularly the part where people's accounts without two-factor would get compromised and the thief would then turn on the two-factor auth, thus making it that much more difficult to recover the account.

Blizzard's been doing this for longer than Google has, maybe Google could learn something.


This thread seems like a valid place to ask a long-standing question of mine.

Are there any projects aiming for a hardware security token with the following properties?

1) Open hardware running open software.

2) Support for many and long keys.

3) Relatively fast signing on-board - i.e. keys are inaccessible to the host computer. (Obviously, I'm not expecting it to be feasible to sign gigabytes using a USB dongle).

4) Some PIN-entry-like low-grade security obstacle to delay an attacker that physically steals the dongle.

I am aware of CryptoStick [1], but the current version is sold out and also does not satisfy 3 and 4 (and only partially 2, since it only takes three RSA keys and there's no support for EC, as far as I can tell).

I really want to move away from passwords, but it seems very hard to do without a device satisfying 1-4 above.

[1] https://www.crypto-stick.com/


This is not about passwords per se - it's about identity verification providers (as-a-service).

There is a fight coming. A few global providers will have the single-sign-on password/biometric/blah of everyone (the UK government is starting to mandate the use of seven such providers.)

This is big not just because of the commercial advantages of being the sign-in point of 1 billion people. But because right now my major identity verifier is my own government (passports, NHS number, Social Security, arrest record etc). But it will not be in 20 years - I expect I will visit the hospital and need to verify who I am through GoogleID.

The thing is. I expect GoogleID will be a heavily regulated industry by then too.


To be fair, isn't Google a bit disreputable for security problems right now? I mean, the last two Google-related security discussions (Google email-change spoof/phish and plaintext-visible passwords in Chrome) have been kind of embarrassing.


"... she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. 'A hacker can't steal that from you,' she said."

Something embedded in their clothes? Users have to wear the same jacket or dress every day? Anyone, not just a "hacker" can steal your jacket if you take it off. If it relies on something physical, it's easier for anyone to steal. You still need a password/passphrase.


Passwords are not dead. Simple single factor authentication using short passwords is dead. That's not a new thing either and they're not going away either. Biometric implants are cool but it's a long ways away (and I'm pretty sure I don't want anything inserted into my arm...). Ditto for security rings and other gadgets. Yes they work but the general populace is not going to be using them for a long while.

I'd love to see some stats on two-factor usage at large installations like Gmail, preferably plotted against whether the user works in tech (or uses a VPN with a two-factor token for work). I'm guessing the market penetration for it is pretty low for the average person. If that's the case then expecting lots of people to use something new/else (which involves getting a new physical device) is unreasonable.

Even with the "something you have" category (two-factor TOTP device, key ring, etc) it still makes sense to have a "something you know" category too. It covers the case of losing my phone/key ring (or having my bio-implanted arm chopped off, though I'd assume at that point they could just use a $5 rubber hose to get the in-memory one).

Since passwords (or more accurately passphrases) aren't going away we at least should use them properly. My suggestions for how folks should handle them varies based on the tech literacy of the person.

For tech savvy folks:

- Use a password manager (ex: KeePassX)

- Long passphrase to unlock the password manager[1]

- Individual random passwords per site using the max length the site allows

- Use multiple email accounts for different functions (friends, shopping, finance, etc)

- Use two-factor auth everywhere that allows it

For the rest of folks:

- Use a passphrase for your email passwords

- Use a site that lets you use long passwords (Google does, Outlook doesn't[2])

- Use a separate email account for "important" accounts (ex: finance and everything else)

- Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)

- For the really important ones (ex: your bank) use a very long complicated password and write it down[3]

- Learn more about security!

I make it a point to educate friends/family about tech security whenever I can. Two-factor auth is a good example of something that is a lot easier to grasp when you've got someone you know explaining its virtues to you ("So a bad guy needs your phone in his hand to login? That's cool!").

In the end, like all security, a lot of it comes down to personal responsibility and hyper vigilance.

[1]: https://xkcd.com/936/

[2]: http://nakedsecurity.sophos.com/2012/08/02/maximum-password-...

[3]: Yes write it down. People are bad at remembering long random strings but pretty good at not losing small bits of paper. It's the same thing as keeping a key in your pocket (or a spare key in your wallet). Plus it's much easier to explain to them that the paper is the key to unlock the account.
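The "individual random passwords per site using the max length the site allows" item above is the one people get wrong most often, usually by using a non-cryptographic random source or by not noticing how much a site's rules cost. The following added example (my code, not the commenter's) generates such passwords with a CSPRNG under two constructed site policies, one of them the "letters and numbers only" kind the thread complains about further down, and puts a number on the resulting keyspace. The site names and policies are made up.

```python
import math
import secrets
import string

FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ALNUM = string.ascii_letters + string.digits                       # 62 symbols

# Constructed site policies for illustration: (maximum length, allowed alphabet).
SITE_POLICY = {
    "example-bank.test": (16, ALNUM),   # "may only contain letters and numbers"
    "example-mail.test": (64, FULL),
}


def generate(max_len: int, alphabet: str) -> str:
    """Uniformly random password at the maximum allowed length, drawn with
    the CSPRNG behind `secrets` (never the `random` module, whose output
    is predictable from a few samples)."""
    if max_len < 1 or len(set(alphabet)) < 2:
        raise ValueError("unusable policy")
    return "".join(secrets.choice(alphabet) for _ in range(max_len))


def entropy_bits(length: int, alphabet: str) -> float:
    """Keyspace of a uniformly random string: length * log2(alphabet size).
    This is only valid for generated passwords, not human-chosen ones."""
    return length * math.log2(len(set(alphabet)))


def password_for(site: str):
    """Return (password, entropy bits) under the site's policy."""
    max_len, alphabet = SITE_POLICY[site]
    return generate(max_len, alphabet), entropy_bits(max_len, alphabet)


def guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password at a given
    offline guessing rate: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second
```

Even the restricted 16-character alphanumeric case comes to about 95 bits, which is out of reach of any offline cracking rig; the 64-character full-alphabet one is around 419 bits. What a short maximum length or restricted alphabet really costs is not cracking resistance of a random password, but the margin for people who type a human-chosen one, and it is a signal that the site may be storing passwords in a way that needs such limits.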


I'll go one further on your first paragraph: I'm pretty sure I don't want something implanted in my arm that lets Google identify me.

Passwords may have insecurity - but they also permit anonymity. I think people haven't even started thinking that far yet.


But do you want something in your arm that lets you identify yourself to Google when you choose so?


Face detection has many of the same issues and there isn't much you can do about it.


True enough - but I don't have to make it rigorous with an RFID chip, do I?


In light of Apple's announcement yesterday about Touch ID, a way to unlock the new iPhone with your fingerprint, I was hoping to hear someone weigh in on how safe it is compared to a passcode. I'd love to simply use my fingerprint as long as it meets HIPAA requirements for protecting sensitive emails and other data on my phone, but this Forbes article is suggesting the risk of spoofing fingerprints is still too great:

http://www.forbes.com/sites/andygreenberg/2013/09/10/apples-...


If your fingerprints go on a fraud list, you can't get new ones.

You can't repudiate your fingerprints.

Similar, worse problems for iris and DNA.

Imagine being on a watch list that you can't get off of.

This is not a good road to go down.


>> (or having my bio-implanted arm chopped off though I'd assume at that point they could just use a $5 rubber hose to get the in memory one).

Trust me, at the point they get the bone-saw out, they can save the 5 dollars on the rubber hose and simply ask ...


> Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)

Even over SSL connections?


Yes, even over SSL connections. You don't know if the other person's computer itself is compromised (e.g. key logger). Rather than instruct a not-so-tech-savvy person to make the decision of whether computer X is trustworthy, the de facto default is "No it's not, don't use it".

In practice this doesn't really limit folks too much as how often do you really need to login from somebody else's computer? Can it seriously not wait till later?


My bank tracks my IP and notices when I'm logging in from somewhere new and asks me security questions or sends my phone a code like Google's double-auth (which I use). And then it asks me if I want to remember the computer I'm on.

I've been interested in a password manager but haven't tried them. Do my passwords get stored "in the cloud" or is it a local desktop/mobile app? If it's a local desktop app, can I copy my password DB to another computer I trust like say my work computer?

I've been meaning to start creating new emails for different accounts. I might start doing that and just have Google aggregate them into one inbox.


> I've been interested in a password manager but haven't tried them. Do my passwords get stored "in the cloud" or is it a local desktop/mobile app? If it's a local desktop app, can I copy my password DB to another computer I trust like say my work computer?

It depends what you use. LastPass will stick them in the cloud if that's what you want.


I use Keepass, it's a local DB but I store a copy on dropbox for safety and convenience. You may not want to do that if you're really paranoid.


It's not the connection, it's the browser, the keylogger on the os, the screencapture software they might have installed, etc.


Not talking your own laptop at Starbucks. Don't use a rented machine.


NFC rings for everyone! An NFC Internet-less ring with open source firmware would mean it should be quite protected against NSA backdoors, too.

http://www.kickstarter.com/projects/mclear/nfc-ring

http://www.technologyreview.com/news/512051/google-wants-to-...


The problem with a hardware token security is that it relies on every user having one or not leveraging the security. That's something that can be difficult for an IT department to coordinate across an organization, thus would be herculean for a Google scale company to legislate across its user base.


There is an article in NYT on this subject: http://bits.blogs.nytimes.com/2013/09/10/beyond-passwords-ne... , although it is mostly about hardware authentication.


I think Google is being less than transparent here, but I couldn't tell you why. The NSA scandal seems to be the straw that broke the camel's back.

How many passwords does Google hold? Maybe a billion? Google has decided it's more cost effective to completely overhaul the password system.

How can passwords be the only system available?


Arguably there is a lot of social/technical space for making passwords better and more secure for the average user. But dropping the knowledge factor isn't a clear improvement.


Passwords have been dead for long, so no news. That's exactly why we're using something called shared secret. That's what I'm using with most sites currently.


And still there are "modern" games and services telling me that my password "May only contain letters and numbers" Really? Are you stupid or something?


Even Wells Fargo did/does this as well, and limited password length. At least when I still had an account with them.


I'd like to learn more from these spam-bots about how they are making money off my passwords. Perhaps I can quit my (wonderful) day-job and sell v1agra.


Emails are (almost) free to send, and the payout (identity theft) is generally worth thousands, so all it takes is one or two clicks to make it worth the investment.


Passwords are long overdue; they're a walking carcass.

Hard for users to remember, trivial to intercept, easy to lose, not hard to guess.


There are tricks you can use to remember a strong password. As far as "trivial to intercept, easy to lose, not hard to guess", the point is moot over the network as long as the target system uses something like iptables rate limiting or MaxAuthRetries and LoginGraceTime in SSH.

If it's a local resource only then all an attacker needs is time and computing resources, but, that's true for key based authentication too.
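The rate limiting the comment above relies on is worth seeing as code, because the way it is keyed decides what it actually bounds. The following added example (my code, not the commenter's, and not sshd or iptables) is an application-level login throttle: per (account, source) failure counters with a lockout that doubles on each further failure, plus the arithmetic that turns the settings into a ceiling on online guesses per day. The limits and names are made up for illustration.

```python
class LoginThrottle:
    """Per (account, source address) throttle. After `max_tries` failures the
    pair is locked for `base_lock_seconds`, doubling on every further failure
    up to `max_lock_seconds`. Keying on the pair rather than the account alone
    keeps one attacker from locking a victim out by design (a denial of
    service), at the cost of not stopping an attacker who spreads guesses
    across many source addresses."""

    def __init__(self, max_tries=3, base_lock_seconds=30, max_lock_seconds=3600):
        self.max_tries = max_tries
        self.base = base_lock_seconds
        self.cap = max_lock_seconds
        self.state = {}   # (account, source) -> (failures, locked_until)

    def allowed(self, account, source, now):
        """Whether a login attempt may be evaluated at time `now` (seconds)."""
        _, locked_until = self.state.get((account, source), (0, 0.0))
        return now >= locked_until

    def record_failure(self, account, source, now):
        failures, locked_until = self.state.get((account, source), (0, 0.0))
        failures += 1
        if failures >= self.max_tries:
            lock = min(self.base * 2 ** (failures - self.max_tries), self.cap)
            locked_until = now + lock
        self.state[(account, source)] = (failures, locked_until)

    def record_success(self, account, source):
        """A real login clears the pair's history."""
        self.state.pop((account, source), None)


def max_guesses_per_day(max_tries, base_lock_seconds, max_lock_seconds):
    """Approximate ceiling on online guesses from one source against one
    account in a day: the free tries, then one guess per lock period once
    the lock has grown to its cap (the doubling phase is short enough to
    ignore here)."""
    return max_tries + 86400 // max_lock_seconds


def online_attack_days(password_bits, guesses_per_day):
    """Expected days to guess a uniformly random password online at that
    rate (half the keyspace on average)."""
    return (2 ** password_bits) / 2 / guesses_per_day
```

With the defaults above a single source gets about 27 guesses per account per day, so even a 20-bit password takes years online. That is the whole of the commenter's point, and also its limit: the throttle does nothing against password spraying (one common guess across many accounts, so no pair ever locks), nothing against a botnet with fresh addresses, and nothing at all once the hash database itself leaks and the attacker guesses offline at hardware speed.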


I can't use "tricks" to remember 50 passwords, my head will asplode.


Soo they didn't foresee how teh hackers would compromise accounts without 2FA... but passwords are dead.

Well, I for one, am sold!



