Security

Is Battery-Free 2-Factor ID Secure?

An anonymous reader writes "There was a television program in Australia last week about Matthew Walker's visual battery-less two-factor authentication system called PassWindow. Essentially, you hold the clear plastic window up to the apparently random pattern on the screen of your computer, revealing a one-time PIN to type in for authentication. The plastic window has many advantages: difficult to copy or view over the shoulder, etc. Because there are no electronics, chip or battery, the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems. However, I don't know about the security of the system. The apparently random pattern of lines in the PassWindow is analogous to a one-time pad, using a different subset of the one-time pad every time a PIN is needed. Is this a useful level of security for logging in to a bank account?"
  • by Bob Gelumph ( 715872 ) on Monday July 20, 2009 @09:56AM (#28755675)
    I used to have some Simpsons trading cards that were like that. There was what looked like static on a TV screen, which, when another plastic panel was put in front of it, would show a de-scrambled image. I can't see how it is secure though, because the plastic descramblers are all the same. Someone could still take a photo and use a similar plastic window elsewhere.
  • by Cylix ( 55374 ) on Monday July 20, 2009 @10:12AM (#28755851)

    The image is displayed via browser and the sizing can be corrected at render time. It might not look pretty depending on the scale technique, but it can be done.

    It still doesn't make it worthless. A one time factor like this has only so many combinations.

    It's like solving the cypher problems in the newspaper. It really won't take that many iterations before you can correctly guess the pass card values.

  • Easily Rectified (Score:4, Interesting)

    by brunes69 ( 86786 ) <[slashdot] [at] [keirstead.org]> on Monday July 20, 2009 @10:14AM (#28755861)

    This is easily rectified in any software by compensating for the DPI by scaling up or down the image.

    Heck you can do this in CSS:

                IMG.passwordWindow { width: 2in; height: 1in } /* physical size, independent of screen DPI */

    This image is going to be scaled to be the exact same size on the screen in any web browser.

    Also, this has nothing to do with color filters.

    I swear to god every poster on this thread so far has not gone to the website: http://www.passwindow.com/ [passwindow.com]

    This is actually a very novel idea that has been thought out thoroughly.

  • Re:Totally crackable (Score:3, Interesting)

    by mlts ( 1038732 ) * on Monday July 20, 2009 @11:33AM (#28756735)

    I use a similar system when offered by vendors. Blizzard has a keyfob, same with PayPal and eBay, both of which are not technically SecurID but OEM-ed VASCO tokens. My OpenID account on one site uses this keyfob as well.

    What I wish for is someone to make a standard among the keyfobs, so regardless of whether someone has a SecurID card, a DigiPass Go, or a program that runs on a smartphone, they would be interchangeable. Mainly so I don't need multiple keyfobs to authenticate to multiple sites, and it would be nice to buy a keyfob with selectable security features, be it merely pressing a button to see the 6 or 8 digit number, or more advanced measures like typing in a PIN, or swiping a fingerprint for three-factor authentication (something you know, something you have, something you are.) Then take this standard for authentication and build it into all the popular OS logins, so the root password on a Linux box can be tied to one or more of these devices (so multiple people's keyfobs can authenticate).

    Of course, it won't completely stop crime, but it will force malware writers to not just use passive keyloggers. Instead, they would be forced to go into more active man in the middle attacks against browsers (where the user is shown one thing while another action is being performed. IBM's ZTIC is the ideal solution for this.) This should be a lot more detectable though, as opposed to a keylogger that is just a driver hook away from silent operation.

  • by Algorithmn ( 1601909 ) on Monday July 20, 2009 @12:23PM (#28757377)

    Let's analyze...

    5 character code - 0-99999 = 100,000 possible codes.
    5 characters with 7 lines each = 35 possible "line" locations. The card in the video has 14 lines. The challenge code on the computer "ALSO" has 14 lines.

    This solution simply has the appearance of security. There are MAJOR design flaws.

    If one were to analyze the incomplete code from the video you begin to notice that there is an enumeration flaw.

    The first character is blank, 0-9. The second character can either be a 0, 6 or 8. The third character can either be a 0, 5 or 8. The fourth character can only be a 0, 2, 3, 8 or 0. The fifth character can only be a 0 or 8.

    This only leaves 900 possibilities. Much easier than 100,000 possibilities.

    If I calculated each of these 900 possible codes I could then determine which of these 900 codes utilize 14 characters! This would allow me to determine all possible "card codes" within a 99% accuracy. If I was able to receive multiple challenges from the server, I would repeat the process and cross compare results. This would allow me to determine the key on the card within an almost 100% accuracy.

    Increasing the keyspace, utilizing [A-Z0-9] and randomizing the number of challenge characters would limit my ability to enumerate as easily.

    This solution currently provides no security against a motivated attacker.
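As an added example (not code from the thread above or from PassWindow), the script below carries the counting argument in the preceding comment through in Python. It takes the per-position digit sets the poster lists (reading the fourth position as {0, 2, 3, 8}), assumes the PIN is displayed as conventional 7-segment digits, and reads the poster's "14" as the number of segments printed on the card plus the number drawn on screen, so a fully formed overlay would light 28 segments; both the display model and that reading are assumptions made for the example. The per-position constraints alone cut the space from 100,000 codes to 720; a segment-total filter cuts it further, and the range check shows why a literal total of 14 segments cannot occur for any candidate.

```python
"""Keyspace reduction for a 5-digit one-time PIN read off a 7-segment overlay.

Added example modelling the counting argument from the comment; it is not
PassWindow's own code, and the overlay mechanics are assumptions.
"""
import math
from itertools import product

# Lit segments per digit on a conventional 7-segment display ('7' drawn with
# three segments, '9' with six). Modelling assumption, not a PassWindow spec.
SEGMENTS = {0: 6, 1: 2, 2: 5, 3: 5, 4: 4, 5: 5, 6: 6, 7: 3, 8: 7, 9: 6}

# Per-position candidate digits as listed in the comment (constructed input;
# the fourth position is taken as {0, 2, 3, 8}).
ALLOWED = [
    tuple(range(10)),  # first character: anything
    (0, 6, 8),         # second character
    (0, 5, 8),         # third character
    (0, 2, 3, 8),      # fourth character
    (0, 8),            # fifth character
]

# Assumed overlay: 14 card segments + 14 screen segments, disjoint.
CARD_SEGMENTS = 14
SCREEN_SEGMENTS = 14


def candidate_codes(allowed=ALLOWED):
    """All 5-digit codes consistent with the per-position constraints alone."""
    return list(product(*allowed))


def segment_total(code):
    """Number of lit segments when `code` is shown as 7-segment digits."""
    return sum(SEGMENTS[d] for d in code)


def codes_with_segment_total(total, allowed=ALLOWED):
    """Candidates whose displayed digits light exactly `total` segments."""
    return [code for code in product(*allowed) if segment_total(code) == total]


def segment_total_range(allowed=ALLOWED):
    """Smallest and largest segment totals any candidate can produce."""
    lo = sum(min(SEGMENTS[d] for d in pos) for pos in allowed)
    hi = sum(max(SEGMENTS[d] for d in pos) for pos in allowed)
    return lo, hi


def entropy_bits(n_codes):
    """Effective secret size of a uniformly chosen code from `n_codes` options."""
    return math.log2(n_codes)


def reduction_report(allowed=ALLOWED, overlay_total=CARD_SEGMENTS + SCREEN_SEGMENTS):
    """Summarise how each constraint shrinks the search space."""
    full = 10 ** len(allowed)
    per_position = len(candidate_codes(allowed))
    with_total = len(codes_with_segment_total(overlay_total, allowed))
    return {
        "full_keyspace": full,
        "per_position_constraints": per_position,
        "plus_segment_total": with_total,
        "segment_total_range": segment_total_range(allowed),
        "bits_remaining": round(entropy_bits(with_total), 2) if with_total else None,
    }


if __name__ == "__main__":
    for key, value in reduction_report().items():
        print(f"{key}: {value}")
```

Rerunning `reduction_report` with a different `ALLOWED` list or overlay total re-evaluates the argument for any other constraint set; the 720-code figure differs from the poster's 900 only because of how the fourth position's set is read.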
