Comments on: Simple Universal Authentication System

By: ioo

ioo — Tue, 07 Oct 2008 13:18:10 +0000

I wrote and use such system for authentication to my antispam service (and aghhh, I’ve seen it in a competitive product). Works like a charm, I also give users possibility to use a traditional username/password authentication, but apparently nobody uses it anymore.

By: Simple Universal Authentication [The SOX Jockey] | Small Business System

Simple Universal Authentication [The SOX Jockey] | Small Business System — Thu, 02 Oct 2008 09:12:28 +0000

[...] one of my favorite blogs, GNU Citizen, comes this simple and elegant proposal for authentication. It is only suitable for lower value [...]

By: V

Wed, 01 Oct 2008 07:11:27 +0000

I also thought about a kind of “personal recognition” to implement aside the passwords.
Let’s say – after your first logon you upload a picture of something special – your girlfriend, your child, your car.

This picture can be used to assure that you really are the person which is owner of this account.
How? Well – let’s say that the banking website prints a picture wall after the password login. A page of 30 pictures, or 50, or even 10. Pictures contain cars, pets, people, toys and one of them something you have uploaded before. (file names have to be randomized – sure)

This would be something an attacker would only know if he has evaluated things in your social life as well. This would often be much more difficult than breaking CAPTCHAs or intercepting Firefox-Password-Manager.

By: Nik

Nik — Mon, 29 Sep 2008 11:00:04 +0000

Interesting idea. There are also some products around that use SMS messages to provide one-time passwords on the basis that pretty much everyone has a mobile, and carries it with them. Not perfect (DOS is a potential issue, and GSM is by no means perfectly secure) but good enough for many applications.

By: w0lf

w0lf — Sun, 28 Sep 2008 17:11:07 +0000

Good thought but you never know how many loop holes are hidden beneath!!! :)

By: V

Fri, 26 Sep 2008 11:07:16 +0000

I thought about this on banking websites. They should offer their clients a mechanism to send the password in a short message to the clients cellphone. Costs per short message are low and the medium is a completely different one (no IP network).

By: romee

romee — Fri, 26 Sep 2008 08:17:58 +0000

as singu mentioned, smtp is not interactive. on top of it, I’ve found greylisting a very effective way against spam, but it has drawback of delays, which can be in hours. however, i’ve found http://www.xmppid.net/ and imilar services very usable, which uses xmpp instead of smtp.

By: singu

singu — Thu, 25 Sep 2008 15:19:04 +0000

One problem with this on top of my mind – we are used to e-mails to be received after few seconds, however SMTP doesn’t guarantee how much time it will take to deliver the mail. It’s perfectly possible for a server to get an error and then just sit and wait for couple of hours before retrying. During that time the user won’t be able to log-in, or worse – will spam itself with login attempts. Also – large number of logins will surely put a domain into couple of spam black-lists.

By: Beau

Beau — Thu, 25 Sep 2008 11:54:42 +0000

I like the idea of using text messaging for two-factor authentication. The idea would be that when you go to log into a website, you get a text message with a unique code that’s valid for say 5 minutes. This will also alert you that someone is attempting to access your account. I see potential applications for this in banking, VPN, online gaming, or anyone who wants a cheap true two-factor authentication.

Now which way to the USPTO?

By: pdp

pdp — Thu, 25 Sep 2008 10:06:27 +0000

FilipM, Natwest (RBS) have a similar security mechanism, although they just use it to verify the user’s authority when performing critical transactions such as transferring funds, etc.

It is secure, no doubt about that. However, the problem is the annoyance of keeping the reader with you all the time. And if you loose it then you are locked out. You cannot reset your credentials! It could take months before they send you a new reader. Therefore the system is kind of flawed. It is similar to the situation where a vendor implements account lockout feature and then the attackers go ahead and lock everybody out of the system. This is an administrative DoS and you don’t need a botnet to make the attack work.

Now, regarding the auth system I proposed. Well, it sucks in many ways. But it does provide a universal logon.

By: FilipM

FilipM — Thu, 25 Sep 2008 08:50:26 +0000

Belgium implemented the Electronic Identity Card (eID). Every eID has a chip on it and a PIN-code to activate it. The personal data is also stored on the chip (picture, address, etc…) so they don’t need a new card when they move to a new address, they just change the data on the chip. Although there were some bugs and security problems in it at the beginning, they think now it’s secure.

The interesting part of this? It’s used for various implementations outside federal public services, some companies use it for their employees to login every morning, car-rental company’s use it to register someone, it’s used as a badge to open gates, etc, etc…

But more and more websites are using it to be sure that the visitor actually is the person they say they are (for example the tax-on-web website from the Belgium governement).

The current problems for authenticating on the web with eID are: Not everybody has a card-reader (yet) and it will only work for belgium citizens.

Perhaps this wil be the new way of authenticating in the future if everybody has an eID-card and reader? Or will it just open a new branch of security-issues? What about “Big Brother is watching”? Will there be any annonimity possible on the web?

What do you guys think of this system ?(seriously promoted by microsoft by the way)

By: pqs

pqs — Thu, 25 Sep 2008 08:23:10 +0000

Mugshot.org already uses this system. Or at least, they used it the last time I logged in the system. I wrote a post about it last year
http://bits.quintanasegui.com/.....-password/

By: Ben

Ben — Thu, 25 Sep 2008 02:25:14 +0000

The majority of the world’s mail traffic is unencrypted and easily sniffed, whereas SSL connections are less likely to be sniffed (although still possible in some situations).

By: Geoffrey Lee

Geoffrey Lee — Wed, 24 Sep 2008 22:56:03 +0000

In concept, this sounds very similar to OpenID.

By: Nathan

Nathan — Wed, 24 Sep 2008 22:06:14 +0000

The only issue I see, is the fact that most people don’t like to log out every time they use a site. Say I use this to log into Ebay, later when I go to check my auction, I wouldn’t want to have to go through this system again. Also after winning the auction I go to PayPal to pay, now I have to do this all over again because its a new site. This is a feature of OpenID that I like so well. One thing I do like, is the ability to use my own email. For security I could set up a private email which only I have access to, through second factor authentication, but this could work with OpenID also.