So I came up with a photo that fills up the screen. A small, invisible grid covers the photo, and the user has to click the image in a special sequence in order to unlock the next image. After a few quick rounds, they open up the content.
I realize that it isn't the most secure approach, but it's much easier to memorize and use than a traditional password (not to mention more fun). If anyone has any advice or interesting anecdotes about visual login systems, I'd be interested in learning more about them.
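As an added example (not code from the original post), here is how the grid-click scheme described above can be verified server-side without ever storing the click sequence itself, plus the arithmetic that shows why it "isn't the most secure approach". The grid size, image size and click coordinates are all assumptions for the demo; the HMAC chain stands in for a proper slow KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// Click is one pointer position in image pixel coordinates (hypothetical input).
type Click struct{ X, Y int }

// Grid is the invisible Cols x Rows grid laid over a Width x Height pixel image.
type Grid struct{ Width, Height, Cols, Rows int }

// CellOf maps a click to a row-major cell index, or -1 if it is off the image.
// Any two clicks inside the same cell yield the same index, so the user only
// has to hit roughly the right spot each time.
func (g Grid) CellOf(c Click) int {
	if c.X < 0 || c.Y < 0 || c.X >= g.Width || c.Y >= g.Height {
		return -1
	}
	return (c.Y*g.Rows/g.Height)*g.Cols + c.X*g.Cols/g.Width
}

// KeyspaceBits is the entropy of a uniformly chosen n-click sequence,
// n * log2(cells): the number to compare against a text password.
func (g Grid) KeyspaceBits(n int) float64 {
	return float64(n) * math.Log2(float64(g.Cols*g.Rows))
}

// Secret is all the server keeps: a salt and a stretched hash of the sequence.
type Secret struct {
	Salt, Hash []byte
	Iters      int
}

// encode writes cells as fixed-width integers so [1,23] and [12,3] cannot collide.
func encode(salt []byte, cells []int) []byte {
	buf := append([]byte{}, salt...)
	var b [4]byte
	for _, c := range cells {
		binary.BigEndian.PutUint32(b[:], uint32(c))
		buf = append(buf, b[:]...)
	}
	return buf
}

// stretch is a deliberately slow HMAC chain. It is a stand-in for a real KDF
// (Argon2/scrypt): the keyspace is tiny, so brute force is the threat.
func stretch(salt, msg []byte, iters int) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(msg)
	d := mac.Sum(nil)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(d)
		d = mac.Sum(nil)
	}
	return d
}

func cells(g Grid, clicks []Click) ([]int, error) {
	out := make([]int, 0, len(clicks))
	for _, c := range clicks {
		idx := g.CellOf(c)
		if idx < 0 {
			return nil, fmt.Errorf("click %v is outside the image", c)
		}
		out = append(out, idx)
	}
	return out, nil
}

// Enroll records a new click sequence under a fresh random salt.
func Enroll(g Grid, clicks []Click, iters int) (Secret, error) {
	seq, err := cells(g, clicks)
	if err != nil {
		return Secret{}, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Secret{}, err
	}
	return Secret{Salt: salt, Hash: stretch(salt, encode(salt, seq), iters), Iters: iters}, nil
}

// Verify checks a login attempt; the hash comparison is constant-time.
func Verify(g Grid, s Secret, clicks []Click) bool {
	seq, err := cells(g, clicks)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(stretch(s.Salt, encode(s.Salt, seq), s.Iters), s.Hash) == 1
}

func main() {
	g := Grid{Width: 800, Height: 600, Cols: 8, Rows: 8}
	s, _ := Enroll(g, []Click{{100, 50}, {700, 550}, {400, 300}, {50, 500}}, 100000)
	// Same cells, slightly different pixels: accepted. Different order: rejected.
	fmt.Println(Verify(g, s, []Click{{110, 60}, {710, 560}, {410, 310}, {60, 510}}))
	fmt.Println(Verify(g, s, []Click{{400, 300}, {100, 50}, {700, 550}, {50, 500}}))
	fmt.Printf("%.1f bits for 4 clicks on a %dx%d grid\n", g.KeyspaceBits(4), g.Cols, g.Rows)
}
```

Four clicks on an 8x8 grid give 24 bits, roughly a four-character random password, which is why the stretching (and a lockout counter, not shown) matters more here than it does for a long passphrase.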
I also look forward to the silly "two-factor authentication" that involves having two "something you have"s. It'll complement my bank's silly use of two "something you know"s nicely. (Perhaps they can get together for the true security ultimate, four factor authentication, security so secure that it uses four out of three possible authentication techniques!)
Excellent point - and oddly reflects a subtle point: Something you are (bio-id) is what we are asserting, and we use one or both of the others to give the far point a gauge of how likely fraud is.
In short:
* Something you are -> Username
* Something you know -> Password
* Something you have -> RSA fob
So, the "something you are" is still distinct from "who you really are", which is the thing we are trying to establish. (And we should have at least another two or three decades before that becomes a tricky question of its own.)
"password are dead"
"passwords are done at Google"
"our relationship with passwords are done"
Then they go on about how they're experimenting with hardware tokens and such, and how all startups should be solving that for them now.
It looks like PR to me, and it also looks like Google has lost its soul.
Obviously, passwords are far from dead. It's wishful thinking at this point. The only thing everyone can agree on is that passwords suck to remember, input, and manage, and that there are many superior technical solutions.
The main issue is, and has always been, that those superior solutions are painful to introduce because they're not standard, everyone wants its proprietary piece of equipment in there, and they're not seamless solutions that customers - users, really - are willing to test until something becomes a de facto standard.
Care to give any examples of such?
>> Although Adkins didn't offer any real specifics on how Google will innovate beyond today's security, she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. "A hacker can't steal that from you," she said.
Google has a huge impact, thus they're the ones most likely to have enough momentum to push for a change. That's different.
Well, not quite yet it seems, but this may be part of the set-up for it.
Blizzard's been doing this for longer than Google has, maybe Google could learn something.
Are there any projects aiming for a hardware security token with the following properties?
1) Open hardware running open software.
2) Support for many and long keys.
3) Relatively fast signing on-board - i.e. keys are inaccessible to the host computer. (Obviously, I'm not expecting it to be feasible to sign gigabytes using a USB dongle).
4) Some PIN-entry-like low-grade security obstacle to delay an attacker that physically steals the dongle.
I am aware of CryptoStick [1], but the current version is sold out and also does not satisfy 3 and 4 (and only partially 2, since it only takes three RSA keys and there's no support for EC, as far as I can tell).
I really want to move away from passwords, but it seems very hard to do without a device satisfying 1-4 above.
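As an added example (not code from the original post or from any of the projects mentioned), the following simulates properties 3 and 4 of the wishlist above end to end: a token that signs a server challenge on-board with Ed25519, exposes only its public key, and gates signing behind a PIN with a retry counter; and a relying party that stores public keys only, uses each challenge once, and binds the signature to its origin. The origin string, user name and PIN are assumptions for the demo; in a real deployment the browser or host driver, not the web page, supplies the origin to the token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrLocked = errors.New("token locked: too many wrong PINs")
	ErrBadPIN = errors.New("wrong PIN")
)

// Token simulates the dongle. The private key lives only inside this struct and
// is never returned; the host sees a public key and signatures, nothing else.
type Token struct {
	priv     ed25519.PrivateKey
	pin      []byte // a real device keeps a PIN hash in tamper-resistant memory
	maxTries int
	failed   int
	locked   bool
}

func NewToken(pin string, maxTries int) (*Token, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: []byte(pin), maxTries: maxTries}, nil
}

// Public is the only key material that ever leaves the token (property 3).
func (t *Token) Public() ed25519.PublicKey {
	return t.priv.Public().(ed25519.PublicKey)
}

// Sign signs on-board after a PIN check with a retry counter (property 4).
// The counter resets only on a correct PIN, so a thief gets maxTries guesses total.
func (t *Token) Sign(pin string, msg []byte) ([]byte, error) {
	if t.locked {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.failed++
		if t.failed >= t.maxTries {
			t.locked = true
			return nil, ErrLocked
		}
		return nil, ErrBadPIN
	}
	t.failed = 0
	return ed25519.Sign(t.priv, msg), nil
}

// Server is the relying party. It holds public keys only, so a database leak
// does not let anyone impersonate a user, unlike a leaked password hash.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string]bool // outstanding nonces, each usable once (no replay)
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// ChallengeMessage binds the nonce to the origin, so a signature a phishing
// site obtains for its own origin does not verify at the real one.
func ChallengeMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Login consumes the nonce and verifies the token's signature over it.
func (s *Server) Login(user string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return false // unknown or already-used challenge
	}
	delete(s.pending, key)
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, ChallengeMessage(s.origin, nonce), sig)
}

func main() {
	tok, _ := NewToken("1234", 3)
	srv := NewServer("https://example.test") // hypothetical origin
	srv.Register("alice", tok.Public())

	nonce, _ := srv.Challenge()
	sig, err := tok.Sign("1234", ChallengeMessage("https://example.test", nonce))
	fmt.Println("login:", err == nil && srv.Login("alice", nonce, sig))
	fmt.Println("replay:", srv.Login("alice", nonce, sig))

	// A thief without the PIN gets three guesses, then the token locks for good.
	for _, guess := range []string{"0000", "1111", "2222"} {
		_, err = tok.Sign(guess, nonce)
		fmt.Println(guess, "->", err)
	}
	_, err = tok.Sign("1234", nonce)
	fmt.Println("correct PIN after lockout ->", err)
}
```

The host-side code above never touches `Token.priv`; that separation is what property 3 buys, and it is also why a compromised host can at most ask the token to sign things while the token is plugged in and unlocked, not copy the key for later.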
There is a fight coming. A few global providers will have the single-sign-on password/biometric/blah of everyone (the UK government is starting to mandate the use of seven such providers.)
This is big not just because of the commercial advantages of being the sign-in point of 1 billion people. But because right now my major identity verifier is my own government (passports, NHS number, Social Security, arrest record etc). But it will not be in 20 years - I expect I will visit the hospital and need to verify who I am through GoogleID.
The thing is, I expect GoogleID will be a heavily regulated industry by then too.
Something embedded in their clothes? Users have to wear the same jacket or dress every day? Anyone, not just a "hacker" can steal your jacket if you take it off. If it relies on something physical, it's easier for anyone to steal. You still need a password/passphrase.
I'd love to see some stats on two-factor usage at large installations like Gmail, preferably plotted against whether the user works in tech (or uses a VPN with a two-factor token for work). I'm guessing the market penetration for it is pretty low for the average person. If that's the case, then expecting lots of people to use something new/else (which involves getting a new physical device) is unreasonable.
Even with the "something you have" category (two-factor TOTP device, key ring, etc.) it still makes sense to have a "something you know" category too. It covers the case of losing my phone/key ring (or having my bio-implanted arm chopped off, though I'd assume at that point they could just use a $5 rubber hose to get the in-memory one).
Since passwords (or more accurately passphrases) aren't going away, we at least should use them properly. My suggestions for how folks should handle them vary based on the tech literacy of the person.
For tech savvy folks:
- Use a password manager (ex: KeePassX)
- Long passphrase to unlock the password manager[1]
- Individual random passwords per site using the max length the site allows
- Use multiple email accounts for different functions (friends, shopping, finance, etc)
- Use two-factor auth everywhere that allows it
For the rest of folks:
- Use a passphrase for your email passwords
- Use a site that lets you use long passwords (Google does, Outlook doesn't[2])
- Use a separate email account for "important" accounts (ex: finance and everything else)
- Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)
- For the really important ones (ex: your bank) use a very long complicated password and write it down[3]
- Learn more about security!
I make it a point to educate friends/family about tech security whenever I can. Two-factor auth is a good example of something that is a lot easier to grasp when you've got someone you know explaining its virtues to you ("So a bad guy needs your phone in his hand to login? That's cool!").
In the end, like all security, a lot of it comes down to personal responsibility and hyper vigilance.
[2]: http://nakedsecurity.sophos.com/2012/08/02/maximum-password-...
[3]: Yes write it down. People are bad at remembering long random strings but pretty good at not losing small bits of paper. It's the same thing as keeping a key in your pocket (or a spare key in your wallet). Plus it's much easier to explain to them that the paper is the key to unlock the account.
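As an added example (not code from the original comment or from KeePassX), this is the generator side of the advice above: a per-site password of exactly the maximum length the site allows, drawn uniformly from the full printable set with crypto/rand rather than with a modulo-biased or non-cryptographic RNG, and a passphrase for the master secret chosen from a word list, with the entropy of each worked out. The 16-word list is constructed for the demo and is far too short for real use; the 7776-word figure is the size of a diceware-style list.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Printable is the 94-character ASCII set most sites accept in a password field.
const Printable = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// pick returns a uniformly random index below n from crypto/rand. Using
// math/rand, or `randomByte % n`, are the classic mistakes this avoids.
func pick(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// RandomPassword makes a per-site password of exactly maxLen characters drawn
// from alphabet: the longest and widest string the site will accept.
func RandomPassword(maxLen int, alphabet string) (string, error) {
	runes := []rune(alphabet)
	out := make([]rune, maxLen)
	for i := range out {
		idx, err := pick(len(runes))
		if err != nil {
			return "", err
		}
		out[i] = runes[idx]
	}
	return string(out), nil
}

// Passphrase builds the memorable master secret: n words chosen independently
// and uniformly from a list. Picking the words yourself voids the entropy
// estimate below, because people pick predictable words.
func Passphrase(words []string, n int) (string, error) {
	out := make([]string, n)
	for i := range out {
		idx, err := pick(len(words))
		if err != nil {
			return "", err
		}
		out[i] = words[idx]
	}
	return strings.Join(out, " "), nil
}

// EntropyBits is length * log2(poolSize) for a uniformly generated secret.
func EntropyBits(poolSize, length int) float64 {
	return float64(length) * math.Log2(float64(poolSize))
}

// Constructed 16-word list for the demo; a real list has thousands of words.
var demoWords = []string{"anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
	"iris", "jasper", "kelp", "lumen", "maple", "nectar", "orbit", "pebble"}

func main() {
	pw, _ := RandomPassword(20, Printable)
	fmt.Printf("site password: %s (%.0f bits)\n", pw, EntropyBits(len(Printable), 20))
	// A site capped at 16 characters still gets the full width of the alphabet.
	short, _ := RandomPassword(16, Printable)
	fmt.Printf("16-char site:  %s (%.0f bits)\n", short, EntropyBits(len(Printable), 16))
	pp, _ := Passphrase(demoWords, 6)
	fmt.Printf("passphrase:    %q (%.0f bits from 16 words; %.0f bits with a 7776-word list)\n",
		pp, EntropyBits(len(demoWords), 6), EntropyBits(7776, 6))
}
```

Six words from a 7776-word list give about 78 bits, which is the point of footnote [1] above: a passphrase you can remember is enough to protect the manager, and the manager holds the 130-bit per-site strings nobody needs to remember.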
Passwords may have insecurity - but they also permit anonymity. I think people haven't even started thinking that far yet.
http://www.forbes.com/sites/andygreenberg/2013/09/10/apples-...
You can't repudiate your fingerprints.
Similar, worse problems for iris and DNA.
Imagine being on a watch list that you can't get off of.
This is not a good road to go down.
Trust me, at the point they get the bone-saw out, they can save the 5 dollars on the rubber hose and simply ask ...
Even over SSL connections?
In practice this doesn't really limit folks too much as how often do you really need to login from somebody else's computer? Can it seriously not wait till later?
http://www.kickstarter.com/projects/mclear/nfc-ring
http://www.technologyreview.com/news/512051/google-wants-to-...
How many passwords does Google hold? Maybe a billion? Google has decided it's more cost effective to completely overhaul the password system.
How can passwords be the only system available?
Hard for users to remember, trivial to intercept, easy to lose, not hard to guess.
If it's a local resource only then all an attacker needs is time and computing resources, but, that's true for key based authentication too.
Well, I for one, am sold!