Security

Is Battery-Free 2-Factor ID Secure?

An anonymous reader writes "There was a television program in Australia last week about Matthew Walker's visual battery-less two-factor authentication system called PassWindow. Essentially, you hold the clear plastic window up to the apparently random pattern on the screen of your computer, revealing a one-time PIN to type in for authentication. The plastic window has many advantages: difficult to copy or view over the shoulder, etc. Because there is no electronics, chip or battery, the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems. However, I don't know about the security of the system. The apparently random pattern of lines in the PassWindow is analogous to a one-time pad, using a different subset of the one-time pad every time a PIN is needed. Is this a useful level of security for logging in to a bank account?"

  • by brunes69 ( 86786 ) on Monday July 20, 2009 @10:05AM (#28755775)

    Please RTFA and the website. The filter is opaque. The user is sent gibberish as a password, and it only makes sense if you have the opaque window to create letters and numbers from the gibberish.

    It is not possible to decode without knowing the one-time pad. And the one-time pad is implemented in the physical world, by the window.

    If the author's claims are accurate (that it is possible to create tens of thousands of throwaway passwords per window before they need to be replaced) then this is an ideal authentication method IMO.

  • meh (Score:5, Informative)

    by TheSHAD0W ( 258774 ) on Monday July 20, 2009 @10:10AM (#28755825) Homepage

    From what I saw, this system might be able to protect you from a single compromise of your security. This would depend on a few factors, though. Given you can see both the pattern and the code, from a single session you could make some assumptions about what the code would be with a different pattern. It might take a few tries to generate the correct code. If the attacker can partially log in multiple times without being locked out, he may be able to choose a pattern that has fewer possible permutations for the code.

    There's also a potential problem in that, if an attack is made on an account and the account is locked out, the card would have to be replaced. Otherwise, if the account is re-enabled without replacing the card, the attacker would be able to continue to make attempts to log in. I suppose you could also alert the customer to change their password due to a security breach.

    I don't think this will protect very well against a customer's own system being compromised, with an attacker being able to monitor multiple log-ons. There are simply too few possible permutations in those 7-segment displays.

    I'd also like to mention there's a potential problem if the monitor's resolution is too high. If, for instance, the user wants to log on via a netbook, the code displayed may be too small to match up with the code on the card, making logging in impossible.

  • by Dr. Crash ( 237179 ) on Monday July 20, 2009 @10:14AM (#28755869)

    It's better than nothing.

    The trick is that yes, it does leak information: each time you use it, an eavesdropper gets a little more information, perhaps enough to "get in". Or perhaps not.

    On the other hand, the server end knows what cells may or may not have been compromised and can optimize around that.

    The beauty of such grilles (and they have been known for centuries) is that they are _cheap_, and it's not unreasonable for the server end to predict when a grille's private information has been used up and send you a new one well before that time.

    So- not new, but not bad, either.

  • Re:Easily Rectified (Score:4, Informative)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Monday July 20, 2009 @10:23AM (#28755969)

    This image is going to be scaled to be the exact same size on the screen in any web browser.

    Only in your dreams. Lots of people lie to their OS about their monitor DPI, because said OS is deficient.

  • short answer: no (Score:3, Informative)

    by Arthurio ( 1392181 ) on Monday July 20, 2009 @10:25AM (#28755987)

    The transaction looks like this:

    1) user chooses which kind of credit card he/she has
    2) user gets a screen where he/she can specify the cc nr and de-scramble the code
    3) user's browser sends the cc nr and de-scrambled code back to the server
    4) server replies: all is well, congratulations

    If the fraudster is able to intercept just 1 of these transactions then he can already narrow the number of possible "PassWindow" combinations down to, let's say, a few hundred. But if he can intercept for example 3 or more of the transactions made with the same card then he can easily narrow the possibilities down to fewer than ten combinations. There exists no mechanism that would prevent the fraudster from trying out all of these 10 or fewer combinations.

    The most secure way to handle cc transactions would be to confirm every transaction with the cc holder. It could work with e-mail, SMS, telephone, IM or any other means of communication that the cc holder has chosen and believes is secure enough for him/her. That of course would create significant delays that many current cc systems would be unable to handle, since at the moment they expect instant replies from the cc issuer. Which means that this system would only work with credit cards meant for online payments. In physical stores the 'pin code' is still the best solution, at least until the confirmation delays come down to a few seconds.
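
    The narrowing that TheSHAD0W and Arthurio describe above, worked through in a toy model added for this thread (it is not PassWindow's real scheme, whose segment layout and pattern generator are not given here): the screen shows N random digits, the window's secret is which k cell positions are see-through, and the user types the digits visible through them, left to right. An eavesdropper who captures the displayed pattern and the typed PIN keeps only the windows consistent with that pair. N_CELLS, K_HOLES, the decimal alphabet and the example key (1, 3, 4, 8) are assumptions made for the illustration.

```python
"""Toy model of a visual grille ("PassWindow"-style) challenge/response.

Illustration written for this thread, not PassWindow's real scheme:
the screen shows N random digits, the window's secret is which k of
the N cell positions are transparent, and the user types the digits
visible through them, left to right, as the one-time PIN.  An
eavesdropper who sees the displayed digits and the typed PIN keeps
only the position sets consistent with the observation.
"""
import random
from itertools import combinations

N_CELLS = 10   # cells in the displayed pattern (assumption)
K_HOLES = 4    # transparent positions in the window (assumption)
DIGITS = "0123456789"


def all_candidate_keys(n_cells=N_CELLS, k_holes=K_HOLES):
    """Every possible window: a sorted k-subset of cell positions."""
    return set(combinations(range(n_cells), k_holes))


def read_pin(key, displayed):
    """What the legitimate user reads through the window."""
    return "".join(displayed[pos] for pos in key)


def narrow(candidates, displayed, pin):
    """Eavesdropper step: keep only keys that would have produced `pin`."""
    return {key for key in candidates if read_pin(key, displayed) == pin}


def random_pattern(rng, n_cells=N_CELLS):
    """Server-side challenge: one random digit per cell."""
    return "".join(rng.choice(DIGITS) for _ in range(n_cells))


def simulate_eavesdropper(key, n_sessions, seed=1):
    """Watch n_sessions honest logins; return (candidate-count history,
    surviving candidate set)."""
    rng = random.Random(seed)
    candidates = all_candidate_keys()
    history = [len(candidates)]
    for _ in range(n_sessions):
        displayed = random_pattern(rng)
        pin = read_pin(key, displayed)          # captured keystrokes
        candidates = narrow(candidates, displayed, pin)
        history.append(len(candidates))
    assert key in candidates                    # the true key always survives
    return history, candidates


if __name__ == "__main__":
    secret_key = (1, 3, 4, 8)                   # constructed example window
    hist, survivors = simulate_eavesdropper(secret_key, n_sessions=6)
    print("candidate windows after each observed login:", hist)
    # Attacker-chosen challenge (e.g. a phishing page): a pattern with no
    # repeated symbol makes the typed PIN reveal the hole positions outright.
    chosen = "0123456789"
    leaked = narrow(all_candidate_keys(), chosen, read_pin(secret_key, chosen))
    print("candidates after one attacker-chosen pattern:", len(leaked))
```

    Running it prints how many of the 210 possible windows remain after each watched login, and then shows the case TheSHAD0W raises: if the attacker can choose the pattern, a challenge with no repeated symbol identifies the window in a single observation. The real product's cell count and alphabet differ, so the absolute numbers do not carry over, but the shape of the argument does: every (pattern, PIN) pair an observer captures is a constraint on the secret, and with a fixed window those constraints only accumulate.
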
  • by maeka ( 518272 ) on Monday July 20, 2009 @10:34AM (#28756111) Journal

    The problem is that the second time you use that window, it's no longer a one-time pad.

    You're only using a subset of the window at a time. It is a single object which acts as many many one-time pads.

  • by morgan_greywolf ( 835522 ) on Monday July 20, 2009 @10:36AM (#28756133) Homepage Journal

    It is not possible to decode without knowing the one-time pad. And the one-time pad is implemented in the physical world, by the window.

    I wouldn't say that. The "one time pad" is static. If it were truly an OTP, you would either need hundreds of these cards, or at least several that could be combined together in thousands of different ways, and they would have to have lots and lots of different combinations to make it work.

    The bottom line is the physical factor is the weak link in the chain. The key-length is too short.

  • by Joce640k ( 829181 ) on Monday July 20, 2009 @11:38AM (#28756773) Homepage

    It's like having a few dozen CVVs. If you snoop one of the CVVs on the card it won't help you when the server asks you for a different one.

    If you can snoop a few dozen transactions you can crack it, sure, but if you're in a position to do that the other person is basically screwed anyway.

  • Re:Chaum-like (Score:3, Informative)

    by goofy183 ( 451746 ) on Monday July 20, 2009 @12:16PM (#28757283)

    The whole point of this is *2* Factor authentication. You use this as well as a password (something you have, something you know). Stealing one or the other is useless. Key loggers are useless because you need to physically have the device or a copy of it to make the system work.

    Really this is a stab at an inexpensive version of something like an RSA Card which uses a cryptographically secure RNG that is synced to a master server when it is initialized. The numbers it generates every 60 seconds are only good for a small window so along with a password it makes systems very hard to crack.
