There is an old RFC that explains the problem in very simple terms. Security need to be transparent, or it fails. If the user need to see and use security in order to be secure, the user will eventually do something to render the security ineffective.
If you got passwords, users either pick easy ones or write them down next to the device that needs them. If you require physical "key" items, user leaves the key next to the computer that needs it.
When designing a security system you need to acknowledge this limitation, and design the system with it in mind. Running between "something you know" (passwords) to to "something you know and has" (Two-factor authentication like password and phone), and now back to only "something you have" (an USB key) won't solve the problem.
If the security is to authenticate a user, how do you do it without the user's participation?
You could go for biometrics. But that creates a new problem - unless you're deeply paranoid, you'll leave plenty of DNA, fingerprints and pictures of your irises, without thinking of them as security holes.
You could tie it to the device. But that's no good when you want to check your email on a friend's computer. And if your phone gets stolen with full access credentials... The device is not the same as the user. So I don't see how you can avoid some combination of 'something you know' and 'something you have'.
I don't disagree with what you wrote about going back the "SYH" being not that smart but...
It's not transparent when my 65-years old mom uses a physical device not connected to the computer, in which she enters her identity (Java SmartCard) card and perform a manual challenge/response to login and do her online banking.
It's a pain for her: it's SYK+SYH but it beats going to the bank all the time... So it's not transparent but it still works because she doesn't really have the choice.
Used one of these before (YubiKey) - they are an utter pain in the arse.
The contacts get dirty, they dont fit some USB ports properly, they die regularly, are absolutely no good if you don't have a USB port handy (my desktop for example doesn't have a USB hole in the front or on the keyboard or monitor, resulting in crawling around under my desk to authenticate) and to be honest quite fragile.
All it does is act as a USB HID keyboard and pump some text down when you press the button on it. It's basically about as secure as an RSA key but requires physical electrical contact with the machine.
FWIW, I've had one at work for a year now and I've had nearly none of the problems you've mentioned. It's fit into all USB ports I've tried, the contacts are still fine, it hasn't died, it doesn't seem fragile (or at least hasn't broken yet) and I haven't had to crawl anywhere to plug it in. The most annoying thing (apart from the general annoyance of a second authentication step) is that I can't use it via my phone; a screen on it would be handy for that.
The contacts get dirty, they dont fit some USB ports properly, they die regularly, are absolutely no good if you don't have a USB port handy (my desktop for example doesn't have a USB hole in the front or on the keyboard or monitor, resulting in crawling around under my desk to authenticate) and to be honest quite fragile.
I've got some hard to access USB ports, too. I solved that problem by buying some USB extension cables (male on one end, female on the other). They are very inexpensive. Give them a try, you won't be disappointed. No more uncomfortable hunting for USB ports under the desk!
I really like the idea of the Yubikeys, but I had one fail on me after I touched it and experienced a static shock.
Another problem is they don't work if the OS is configured to an alternate keyboard layout. The default hex encoding assumed QWERTY, but I use Dvorak. Perhaps this has been remedied in newer models.
"In a 21 March 2011 email to customers, RSA essentially admitted that the information stolen from their internal network could allow an attacker to compromise a SecurID-protected system without having physical possession of the token."
This is actually why two factor authentication is great. In this instance, users were still protected (at the least) by their PIN.
This is somewhat equivalent to losing your ssh private key. Yes, it's bad, but your passphrase should ("should" -- at least it's not an immediate breach like losing a password or clear text private key) buy you enough time to revoke and replace the key.
Yubikey's are different in that there isn't (well, doesn't have to be) a centralized location where management of the keys is handled. Yubico offer a solution where you can authenticate/issue/revoke keys from within your own infrastructure[1]. So long as you keep that secure (say with HSM) you should be OK.
Google already has the two-factor authentication with Google Authenticator for iPhone and Android. I use it for my Google account and (this is the awesome part) other websites that use their API to add their auth keys to the Google Authenticator app on my phone.
There is a problem with Google's two factor solution. If you need to use things outside the browser (eg checking email via imap, chat via xmpp) then you need to generate secondary passwords. That is fine. What isn't is that those passwords are not scope restricted - ie if you generate a password for imap access then it can be used for anything else (eg chat).
Just as one note on that, it isn't an API but rather are existing standards (TOTP and HOTP). Google Authenticator the application uses a very simple text pattern for the QR-code that anyone can emulate. It is good stuff.
What happens when you want to leave Google services?
You will be locked in. I remember the days when everyone had hotmail. At some point you will want to leave gmail or google apps. Genius move on their part though.
I think if a mammoth like Google pushes forward strongly enough, it might achieve some results. And it probably takes all its mass to push this particular piece - the almighty and alstupid password, away.
I'll bet that human beings in 20 years, looking back at our times, will point fingers and say "How we have been so silly! Passwords are the worst authentication mechanism, and so obviously flawed! How come did we not use x or y?"
I see another thing that they will point fingers at: the human driven cars: this is so frightening, when you think about it. You have this thousands kilogs wheeled machine, driven by almost anyone including drunkyards, grannies, people who just married and people who just divorced, and a sec of inattention and you send families to the grave.
Actually, I think passwords are a brilliant authentication mechanism that will continue to have a place in computer security for many years to come. When used correctly, a password implies the presence of the correct brain. Not a device that can be lost or stolen, not even a fingerprint that can be lifted. Authentication based on information stored in your neural network might not be suitable for everyone, but at least among competent professionals, I don't see mobile phones or USB dongles replacing the passphrase on my PGP key anytime soon.
> They see a future where you authenticate one device — your smartphone or something like a YubiKey — and then use that almost like a car key, to fire up your web mail and online accounts.
> That means that if someone steals your card or your smart-ring, you’d better report it stolen pretty quickly.
I won't be surprised if thieves devised a method to extract online credentials from a stolen device in a matter of minutes, if not seconds. Since any password you have on your mobile device is unlikely to be strong (the article specifically mentions that you won't need a strong password on your device), it will also be a piece of cake to brute-force it. Meanwhile, you're without a phone, desperately looking for a payphone or Internet cafe where you can contact Google. Too slow.
At Clef(clef.io) we're storing keys on your smartphone and they're protected by a PIN wall. We used PIN-based encryption to keep a rooted device from being vulnerable to attackers. Generating the keys from the PINs take long enough to make a brute force attack time consuming. Since users can deactivate their devices remotely if they're stolen (so the public side of the key pair is deleted and the private side is worthless), even in cases of device theft, their identity is protected.
They don't currently provide ways to force password age rules for corporate google users. So corporate clients that want to use google apps are currently forced to use an IdP that does this for them.
They have the tools to allow for it, we even give corporate customers a way to use Google Apps accounts and force 2-Factor auth and password aging without things like Active Directory.
Also not providing the ability to change session information is, well, a little off putting for some. It's not that it's a war on the password it's just that they don't want their services to be something you actually have to log into (chromebook experience).
Those of you how own Dell or HP Computers - you may notice that most of the professional grade laptops have smart card readers built in. My guess is this is due to DoD purchasing requirements. Of course, the MacBook doesn't have a smart card reader and thus you start to look for solutions like the YubiKey.
The military didn't solve the problem. They solved an easy variation. The problem is not just "How do I make it easy and secure to access the systems I control?" but "How do I make it easy and secure to access all systems?" The military implemented 2-factor auth and unified their systems to support it. This is very nice, but doesn't solve the broader problem. Military employees are still struggling with the same "million not-very-secure passwords I can't remember" problems as civilians, because they military does not control all or even most of the systems they interact with.
This seems like an interesting solution to me. Obviously we have gotten to a point where our computing power has rendered the kind of passwords that most people can easily remember and use fairly trivial for many password cracking methods, and so there is a clear need to develop a convenient method of using more complex methods of authentication.
The idea of using a smartphone as a central area for things such as identification and payment(Google Wallet) has been something i've been interested in for a while, and something I think could be amazing if we manage to work out a few kinks that are in the way of making it a viable option.
For this to become a reality i think there are 3 main things that would need to happen:
1) Battery life on smartphones would have to become a lot better, I don't want to have to worry about if I'm going to have enough battery at the end of the day to pay for dinner, get into my car, etc.
2)The ability to remotely clear data on a device that may have been stolen need to become a standard.
3)There need to be some sort of authentication between the user and the device in order to approve the use of stored authentication.
In 1998 Bill Gates (American Banker article, and elsewhere) said that the future of ecommerce was based on replacing passwords with smart cards....hmmm how did that work out :)
Remember AMEX Blue? they stopped sending out card readers almost immediately, but continued sending the smart cards out and running TV ads with all sorts of Terminator like special effects to promote how secure its smart cards were.
It was a huge marketing success, but the smart card part was never used.
Security is an illusion.
Actual conversation....
Naive dev: Hey Big Bank, we invented this revolutionary perfect authentication technology! no more hacks!
Big bank: why would we want to redirect the hackers to a new attack that we don't understand, cannot model, cannot assign a stable cost to, and would almost certainly expose even worse flaws in other parts of our systems? as long as fraud is between X and Y %, we WANT the attacks to use the current vector.
Naive dev: ooooooooooooooohhhhh (world view changes)
Here in several european countries people are doing just that:
- using a Java SmartCard (your identity card) + a card reader (not hooked to the computer) + a PIN to connect to your online bank but ALSO to challenge/response any VISA/credit card transaction.
If I'm not mistaken there are about 200 millions citizen in Brazil who have a Java SmartCard as their identity card (as a medical care card I'm sure, identity I don't know for sure).
I think it's a bit early to decide that it failed and that it's an illusion. There are probably hundreds of millions of people who are carrying daily a Java SmartCard and using it to perform kinda safer online transactions.
MITM attacks over unsuspecting users are still possible using "mocking birds", but it's becoming harder and harder to game the system.
Why can't we just all get along, and say, for example - instead - that "rsa_key.pub" is all we need, and if we ever get a logon prompt, look for that file on USB media instead ..
I mean, that would work, wouldn't it? I suppose for it to work, though, we'd have to have an actual .. you know .. OS Company .. again.
The Yubikey would only work if there was an absolute guarantee that a hacked kernel/drivers would not be able to access the memory.
The way I can see it working is if there is a private key on the device, inaccessible to the host hardware, and the crypto stuff is done on the device - so the Yubikey was effectively the client. Auth service sends challenge to the browser which sends it to the driver which asks the yubikey wtf, the yubikey responds to the challenge, and the response is sent to the browser and back to the host.
But this would all fall down if there was even the slightest chink and your host hardware could be modified to access/save the keys on all of the Yubikeys when they are plugged in.
The biggest problem I see with all of these proposed ideas is that people often need to be able to share access to accounts with others. Yes, sharing a password is the wrong solution to that, but usually it's the only solution, and it will be until there's an accepted standard procedure for providing limited access to your account via somebody else's key.
[+] [-] belorn|13 years ago|reply
If you got passwords, users either pick easy ones or write them down next to the device that needs them. If you require physical "key" items, user leaves the key next to the computer that needs it.
When designing a security system you need to acknowledge this limitation, and design the system with it in mind. Running between "something you know" (passwords) to to "something you know and has" (Two-factor authentication like password and phone), and now back to only "something you have" (an USB key) won't solve the problem.
[+] [-] mattmanser|13 years ago|reply
They all keep them on their key chain so I don't agree with your premise.
The only thing I never understand is why, like the device pictured, they're designed with strings and thin plastic instead of chains and a beefy case.
[+] [-] tonfa|13 years ago|reply
I would say for consumer it's already better than passwords. Biggest threats seems to be password-reuse (and hacked servers) and phishing.
[+] [-] takluyver|13 years ago|reply
You could go for biometrics. But that creates a new problem - unless you're deeply paranoid, you'll leave plenty of DNA, fingerprints and pictures of your irises, without thinking of them as security holes.
You could tie it to the device. But that's no good when you want to check your email on a friend's computer. And if your phone gets stolen with full access credentials... The device is not the same as the user. So I don't see how you can avoid some combination of 'something you know' and 'something you have'.
[+] [-] webreac|13 years ago|reply
[+] [-] martinced|13 years ago|reply
I don't disagree with what you wrote about going back the "SYH" being not that smart but...
It's not transparent when my 65-years old mom uses a physical device not connected to the computer, in which she enters her identity (Java SmartCard) card and perform a manual challenge/response to login and do her online banking.
It's a pain for her: it's SYK+SYH but it beats going to the bank all the time... So it's not transparent but it still works because she doesn't really have the choice.
[+] [-] meaty|13 years ago|reply
The contacts get dirty, they dont fit some USB ports properly, they die regularly, are absolutely no good if you don't have a USB port handy (my desktop for example doesn't have a USB hole in the front or on the keyboard or monitor, resulting in crawling around under my desk to authenticate) and to be honest quite fragile.
All it does is act as a USB HID keyboard and pump some text down when you press the button on it. It's basically about as secure as an RSA key but requires physical electrical contact with the machine.
No thank you.
(For reference http://bigv.io/ uses these).
[+] [-] archangel_one|13 years ago|reply
[+] [-] obituary_latte|13 years ago|reply
Not necessarily. They can be configured for challenge-response auth: http://www.yubico.com/products/services-software/personaliza...
[+] [-] Teckla|13 years ago|reply
I've got some hard to access USB ports, too. I solved that problem by buying some USB extension cables (male on one end, female on the other). They are very inexpensive. Give them a try, you won't be disappointed. No more uncomfortable hunting for USB ports under the desk!
[+] [-] Jayschwa|13 years ago|reply
Another problem is they don't work if the OS is configured to an alternate keyboard layout. The default hex encoding assumed QWERTY, but I use Dvorak. Perhaps this has been remedied in newer models.
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] afandian|13 years ago|reply
[+] [-] reidrac|13 years ago|reply
"In a 21 March 2011 email to customers, RSA essentially admitted that the information stolen from their internal network could allow an attacker to compromise a SecurID-protected system without having physical possession of the token."
http://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_c...
So passwords are a bad idea, but I'm not sure if I want to replace a problem with a different one.
[+] [-] majelix|13 years ago|reply
This is somewhat equivalent to losing your ssh private key. Yes, it's bad, but your passphrase should ("should" -- at least it's not an immediate breach like losing a password or clear text private key) buy you enough time to revoke and replace the key.
[+] [-] obituary_latte|13 years ago|reply
[1]http://www.yubico.com/products/services-software/validation-...
[+] [-] quest88|13 years ago|reply
[+] [-] tonfa|13 years ago|reply
[+] [-] ComputerGuru|13 years ago|reply
[+] [-] rogerbinns|13 years ago|reply
[+] [-] corresation|13 years ago|reply
[+] [-] mattmanser|13 years ago|reply
What happens when you want to leave Google services?
You will be locked in. I remember the days when everyone had hotmail. At some point you will want to leave gmail or google apps. Genius move on their part though.
[+] [-] gbog|13 years ago|reply
I think if a mammoth like Google pushes forward strongly enough, it might achieve some results. And it probably takes all its mass to push this particular piece - the almighty and alstupid password, away.
I'll bet that human beings in 20 years, looking back at our times, will point fingers and say "How we have been so silly! Passwords are the worst authentication mechanism, and so obviously flawed! How come did we not use x or y?"
I see another thing that they will point fingers at: the human driven cars: this is so frightening, when you think about it. You have this thousands kilogs wheeled machine, driven by almost anyone including drunkyards, grannies, people who just married and people who just divorced, and a sec of inattention and you send families to the grave.
[+] [-] kijin|13 years ago|reply
[+] [-] sergiotapia|13 years ago|reply
* Checks my posture.
* Checks the sounds I make while sitting neutrally.
* Checks the positions of my hands.
* Checks my overall frame.
* Checks my eye and shape of face.
---
Hopefully, all of these little things add up and in the end it can determine quite easily whether it's "me" or not.
I hate typing in passwords, it's a pain in the ass.
[+] [-] meaty|13 years ago|reply
"What do you mean access denied - I've just got a back ache!"
[+] [-] b_emery|13 years ago|reply
[+] [-] zawaideh|13 years ago|reply
[+] [-] andybak|13 years ago|reply
[+] [-] kijin|13 years ago|reply
> That means that if someone steals your card or your smart-ring, you’d better report it stolen pretty quickly.
I won't be surprised if thieves devised a method to extract online credentials from a stolen device in a matter of minutes, if not seconds. Since any password you have on your mobile device is unlikely to be strong (the article specifically mentions that you won't need a strong password on your device), it will also be a piece of cake to brute-force it. Meanwhile, you're without a phone, desperately looking for a payphone or Internet cafe where you can contact Google. Too slow.
[+] [-] brennenHN|13 years ago|reply
At Clef(clef.io) we're storing keys on your smartphone and they're protected by a PIN wall. We used PIN-based encryption to keep a rooted device from being vulnerable to attackers. Generating the keys from the PINs take long enough to make a brute force attack time consuming. Since users can deactivate their devices remotely if they're stolen (so the public side of the key pair is deleted and the private side is worthless), even in cases of device theft, their identity is protected.
[+] [-] chayesfss|13 years ago|reply
[+] [-] harshaw|13 years ago|reply
Those of you how own Dell or HP Computers - you may notice that most of the professional grade laptops have smart card readers built in. My guess is this is due to DoD purchasing requirements. Of course, the MacBook doesn't have a smart card reader and thus you start to look for solutions like the YubiKey.
[+] [-] dpark|13 years ago|reply
[+] [-] mpyne|13 years ago|reply
[+] [-] rficcaglia|13 years ago|reply
i guess we need 3 factor authentication, yeah, that's the ticket!
[+] [-] stevenameyer|13 years ago|reply
The idea of using a smartphone as a central area for things such as identification and payment(Google Wallet) has been something i've been interested in for a while, and something I think could be amazing if we manage to work out a few kinks that are in the way of making it a viable option.
For this to become a reality i think there are 3 main things that would need to happen: 1) Battery life on smartphones would have to become a lot better, I don't want to have to worry about if I'm going to have enough battery at the end of the day to pay for dinner, get into my car, etc. 2)The ability to remotely clear data on a device that may have been stolen need to become a standard. 3)There need to be some sort of authentication between the user and the device in order to approve the use of stored authentication.
[+] [-] rficcaglia|13 years ago|reply
Remember AMEX Blue? they stopped sending out card readers almost immediately, but continued sending the smart cards out and running TV ads with all sorts of Terminator like special effects to promote how secure its smart cards were.
It was a huge marketing success, but the smart card part was never used.
Security is an illusion.
Actual conversation.... Naive dev: Hey Big Bank, we invented this revolutionary perfect authentication technology! no more hacks! Big bank: why would we want to redirect the hackers to a new attack that we don't understand, cannot model, cannot assign a stable cost to, and would almost certainly expose even worse flaws in other parts of our systems? as long as fraud is between X and Y %, we WANT the attacks to use the current vector. Naive dev: ooooooooooooooohhhhh (world view changes)
[+] [-] martinced|13 years ago|reply
You're totally wrong. Probably because you're living in the U.S., where it's still the stone age from that standpoint.
http://en.wikipedia.org/wiki/Smart_card
Here in several european countries people are doing just that:
- using a Java SmartCard (your identity card) + a card reader (not hooked to the computer) + a PIN to connect to your online bank but ALSO to challenge/response any VISA/credit card transaction.
If I'm not mistaken there are about 200 millions citizen in Brazil who have a Java SmartCard as their identity card (as a medical care card I'm sure, identity I don't know for sure).
I think it's a bit early to decide that it failed and that it's an illusion. There are probably hundreds of millions of people who are carrying daily a Java SmartCard and using it to perform kinda safer online transactions.
MITM attacks over unsuspecting users are still possible using "mocking birds", but it's becoming harder and harder to game the system.
[+] [-] primitur|13 years ago|reply
I mean, that would work, wouldn't it? I suppose for it to work, though, we'd have to have an actual .. you know .. OS Company .. again.
[+] [-] zobzu|13 years ago|reply
The password is used to access those keys at the identity provider.
Replace the identify provider (idp) by a token. Bang. Much easier than rolling out yet another standard.
[+] [-] antihero|13 years ago|reply
The way I can see it working is if there is a private key on the device, inaccessible to the host hardware, and the crypto stuff is done on the device - so the Yubikey was effectively the client. Auth service sends challenge to the browser which sends it to the driver which asks the yubikey wtf, the yubikey responds to the challenge, and the response is sent to the browser and back to the host.
But this would all fall down if there was even the slightest chink and your host hardware could be modified to access/save the keys on all of the Yubikeys when they are plugged in.
[+] [-] wmf|13 years ago|reply
[+] [-] aluhut|13 years ago|reply
I would love to have some other solution but I don't see this as one. I grew up remembering passwords and I'm pretty good at it now.
But if you have something for under my skin, we can talk again.
[+] [-] mistercow|13 years ago|reply
[+] [-] moondowner|13 years ago|reply
[+] [-] FourthProtocol|13 years ago|reply
So which desktop is runs on, or even phone, tablet or any other form factor, is irrelevant.
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] DanBC2|13 years ago|reply
Well, yes. But you'd hopefully have a master passphrase to open the "smart-ring" device, making theft less of a problem.