Two factor authentication

A couple of weeks ago, Hunter and I were talking about passwords. More to the point, the inadequacy of passwords and why we haven’t moved beyond them yet. This touches on several points that I made last year. Specifically, that a password that is secure enough starts to restrict its usability.

In a nutshell, authentication is proving that you are who you claim to be. The standard ways of authenticating yourself are through: something you know (e.g., a password), something you have (e.g., a token) or something you are (e.g., biometrics, facial recognition, etc.). So the claim here is that the human brain is not good enough at remembering things to make “something you know” secure. Unfortunately, it’s cheap and easy to implement. Two things which are always important.

Our other options are something you are or something you have. Something you are can be complicated and expensive. At the very least, it requires a something-you-are-reader anywhere you want to authenticate yourself. Want to use your computer at home to access the one at work? Make sure you have your trusted, secure something-you-are reader set up (finger print scanner, iris reader, etc.). Want to authenticate from an Internet cafe? Good luck. Besides that, there’s some argument that many of the approaches used to date are not secure; and there’s the creepiness factor.

So, something you have. This one can also get potentially expensive, but is potentially cheaper than the rest which is why you see it being used by banks to access online accounts. Here we have some sort of hardware “token.” Most traditionally, these tokens have a simple processor, a clock and an LED display. The display shows a pseudo-random number. At a regular interval, the number changes. To log into a service, you key in the random number and maybe an a password. Since the service you access knows the pseudo-random number generating algorithm for your device and the time, it can validate the number you entered. Allow a little bit of logic to deal with clock skew and you are set. Several companies will sell you something like this. Of course, you pay for the devices, pay for the authentication server and then, in some cases, pay for each service.

So, what about an open source solution?  This is in-part what Hunter and I were talking about. Imagine if you had an encrypted private certificate stored on a thumb drive. You could fairly easily write up a challenge-response protocol to validate the certificate. Since it’s certificate based, you could authenticate without a centralized authentication server – the ability of the certificate signed by your (private) certificate authority to participate in the response authenticates the certificate holder. You could create PAM modules for unix/linux and the equivalent for Windows and Mac. On the client side, stored on the same drive, you would have software to mediate the authentication.

I could see two ways for the client to do this. 1) a separate process that connects to the service’s server and essentially allows access for this IP. The service then needs to talk to the server-side piece to see if a user is allowed to access from the IP. That plus a password and you’re in pretty good shape. No connection to the authentication service means that you can’t log in. 2) Try to create a service along the lines of stunnel that mediates all communication between the client and the service. This is extremely ugly and I wouldn’t recommend it.

So, what are the advantages/disadvantages?

  1. Advantage: low hardware cost. Most every computer has a USB reader
  2. Advantage: relatively simple to implement
  3. Disadvantage: even the cheapest thumb drives are on the order of $5 each
  4. Advantage: many people already have one and they could be used for this purpose without wasting too much space
  5. Disadvantage: to a certain extent, this is not secure. Specifically, there’s no proof that the user actually has the key as opposed to a copy of the certificate and the algorithm required.

#5 seems like the biggest problem. As an open source product, all one needs is the certificate to spoof the token. Okay, we could incorporate the USB serial number, but that can also be copied. Ideally, all the processing would occur on the thumb drive, but that takes us out of the realm of commodity. So, the risk here is that using your token on a compromised computer compromises the token in the same way that using your password on a compromised computer compromises your password.

This is definitely not a hypothetical problem, but I don’t know how to resolve it. Is it still worth implementing something like this? If folks have thoughts or suggestions, I would love to hear them.

“I am not a perfect son. I am not a perfect husband. I am not a perfect parent, but I am, without a doubt, not a child abuser,” Peterson said in the statement. “I am someone that disciplined his child and did not intend to cause him any injury. “And although some people may not like his parenting skills, he says ‘I am not a child abuser.’ I think that’s about as good as it gets.”She has a broad range of options, from throwing out all the lawsuits as the league wants, or allowing all of Wholesale NFL Jerseys them to go forward or just some of them. At stake is not a single class action filing, in which any award would be split equally between every plaintiff, but 222 separate lawsuits that were nfl jerseys cheap consolidated for the purposes of the Philadelphia hearing.Hill fed Lobaton a 1 1 bender wholesale football jerseys china at the belt. It was, in Grandal eyes, bad pitch to the part of the zone he hits. Lobaton deposited it in the Dodgers bullpen, with enough force to traverse the wind, awakening the crowd in the process. He climbed his dugout steps for a curtain call.But regardless of their crazy hobo appearance and proclivity toward sex crimes, the Yule Lads do serve a nice, Santa like function: receive a gift from each of them on the 13 days leading up to Christmas. That’s sort of sweet, right? It’s like equal parts Hanukkah and Christmas, with just a little implied rape thrown in to keep the kiddies on their toes. But there’s one more, significantly less jolly member of the crew: The Yule Lads also have a pet the Yuletide Cat and his job is to eat all the children that don’t receive new clothes in time for Christmas. Snap! Take that, poor people!Ramsay’s technique Replica Oakley Sunglasses of bellowing profanity like a Nazi born from a Vidal Sassoon explosion magically rescues the restaurant from the brink of financial collapse and restores its profitability. His work complete, he floats away on the breeze like Mary Poppins to find Cheap Jerseys China another ailing eatery in need. Rockefeller just because a Scottish man shouts at them and gives them a new menu their cooks can’t even read. In actuality, only about a third of the restaurants Ramsay “rescues” actually manage to stay open once he leaves them in a haze of scowls and belittlement, and the number drops as time goes on. For instance, in the first two seasons of the show (2007 to 2009), Ramsay rescued wholesale nfl jerseys 21 restaurants.The splenius is the main muscle targeted, but the traps, levator scapulae and sternocleidomastoid all get worked as well. After bending your knees and placing your feet flat on the floor, rest your hands on your stomach. In a steady motion, lift your hips, arch your back and roll onto the top of your head.

3 Responses to “Two factor authentication”

  1. Hunter Says:

    What I had in mind was even simpler. The file .something_probably_unique on the key contains a random sha1 hash.

    And thats it. In my role as random internet target, I’m not trying to keep someone competent out. They’ll just social engineer around anything technical at a university anyway. I’m trying to keep out the other 99.9% of the black hats on the internet, and ANY kind of physical key is sufficient for that.

  2. Bryn Says:

    There’s a 6th problem for physical keys, that of someone losing the key (or having it stolen) – that way, you don’t have access anymore and someone else does. There is some security-through-obscurity, of course, given that the chances of anyone who finds or steals a key would know what to do with it are pretty low, but there are deliberate malicious bastards out there who would target a key.

  3. cec Says:

    Hunter: so you’re suggesting some big long random string stored on a thumb drive. Would the user cut and paste the string as if it were a password? Or would there need to be client-side code to manage the authentication?

    Bryn: the advantages/disadvantages I mentioned were intended to be specific to this instantiation of something-you-have authentication, i.e., commodity USB keys instead of customized hardware. Losing the key/token is a generic problem with something-you-have, regardless of implementation: if you lose it, then you no longer have it 🙂