Data Storage Security

Authentication Tokens for Password-less Access?

A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"
  • Modality (Score:3, Informative)

    by poopdeville ( 841677 ) on Friday September 23, 2005 @07:30PM (#13634482)
    A password is an authentication token. Each modality of authentication has its own weaknesses (e.g. passwords are weak against keyloggers on untrusted systems). The question as to whether a particular modality is safe depends essentially on the specifics of the circumstance in which it is to be used. Is the machine you're working with otherwise secure? Trusted? If untrusted, can you ensure that the modality doesn't depend on any untrusted resources? Answer these questions and you'll have your answer.
  • by subreality ( 157447 ) * on Friday September 23, 2005 @07:52PM (#13634681)
    None of these is a complete solution, but they may help you.

    http://www.schneier.com/passsafe.html [schneier.com] Password safe - This uses strong encryption with a master password to store all your other passwords. You still have to cut'n'paste them everywhere, though. Keep it on a USB key with the encrypted passwords.

    https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=670 [mozilla.org] Password Composer - Takes the md5 of your master password and the hostname of a site to generate a unique password for each site. It's available as a Firefox extension, or as a bookmarklet. The method is simple, so you can get your password back with nothing more than echo and md5sum on the command line, so you're not at the software's mercy. However, there's not a good way to change either your master password or a site password if they're compromised. And it's only good for the web. But it's still a good improvement for handling tons of sites that don't need the very highest security.

    http://web.mit.edu/kerberos/ [mit.edu] Kerberos - Use a password to log in once, and then you're authenticated for all the services you need. This works great, but it has to be supported by each site that uses it. It's great for intranets, but it doesn't help for random web sites.
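    The hostname-derived scheme described in the Password Composer paragraph above, with the rotation caveat the poster raises, as an added example (Python; not the extension's own code). The concatenation order in the first function is an assumption about Password Composer; the keyed, counter-based variant is added here as one way to get per-site rotation, and is not something the post describes.

```python
import hashlib
import hmac

# The scheme as subreality describes it: hash the master password together
# with the site's hostname. The exact concatenation Password Composer used
# is an assumption here; what matters is that the function is fixed and public.
def composer_style_password(master: str, hostname: str) -> str:
    digest = hashlib.md5((master + hostname).encode("utf-8")).hexdigest()
    return digest[:16]

# Hardened variant (added here, not Password Composer's): a keyed hash over a
# normalised hostname plus a per-site generation counter. Bumping the counter
# rotates one site's password; changing the master rotates all of them. The
# counter list is not secret, so it can be kept alongside the tool.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789!@")            # 64 symbols: b % 64 has no modulo bias

def keyed_site_password(master: str, hostname: str,
                        generation: int = 0, length: int = 20) -> str:
    label = f"{hostname.strip().lower()}\x00{generation}".encode("utf-8")
    mac = hmac.new(master.encode("utf-8"), label, hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in mac)[:length]

# Note: both functions are fast hashes, so a single leaked site password still
# exposes the master to offline guessing; neither replaces random per-site
# passwords held in a safe. The keyed form only fixes the rotation problem.
```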
  • Keyring? (Score:5, Interesting)

    by Phleg ( 523632 ) <stephen AT touset DOT org> on Friday September 23, 2005 @07:53PM (#13634696)
    What's wrong with having a password protected virtual keyring, as opposed to some sort of physical media? Say what you want, but physical media are highly likely to be lost or stolen. With keys, the former isn't much of a problem; you can always have them remade. But how do you accomplish this virtually, over a website? Even worse, when a key (or keyring) is lost, the likelihood for damage is exceedingly low, because the odds of anyone finding what each key goes to is pretty unlikely. However, if you have a device with all your authentication tokens on it, the person just has to visit paypal.com, ebay.com, and so on until they have a match. I doubt it would take long.
  • noitacitnehtuA
    todhsalsksa
    522361
    or some mix of the above with each other, doubled, etc.
    Another interesting password is:
    drowssapymyllaersisihteveilebt'nacI
  • 3 tenets of security (Score:3, Informative)

    by joeslugg ( 8092 ) on Friday September 23, 2005 @08:51PM (#13635115)
    1. Who you are
    2. What you know
    3. What you have

    The general consensus that I'm aware of is that if you can give proof that you are indeed the individual requesting access on your own behalf (perhaps through biometrics), if you can prove you have knowledge of some piece of secret data (a password), and finally if you also have in your possession some item or object required to gain access (like the token you mentioned), then the system can be reasonably sure you're legit. Thwarting all of these simultaneously would be quite difficult.

  • Even the most complex passwords (retina scan, finger print?) can be stolen by adding a logging program of some sort. We shouldn't worry about how to store passwords, but how passwords are transferred - that needs to be the most secure.

    One of my passwords is 15 character digits long, containing upper and lower case, digits, and special characters. I really doubt that it could be easily cracked (before the attacker died of old age). I think the attacker would spend time trying to break in through other mean
  • Store your passwords on a Java based iButton. You still need to trust the computer you plug it into, but it should be relatively secure.
  • by zbuffered ( 125292 ) on Friday September 23, 2005 @11:53PM (#13635997)
    It ain't Linux, but... USBWiSec [makezine.com] to control it, AutoHotkey [autohotkey.com] to unlock it and automate authentication.
  • Cryptocard (Score:3, Informative)

    by plsuh ( 129598 ) <plsuh@noSpAM.goodeast.com> on Saturday September 24, 2005 @01:49AM (#13636385) Homepage
    There's a company called Cryptocard that produces a product similar to what you're looking for:

    http://www.cryptocard.com/index.cfm?PID=464&PageName=UB-1%20USB%20Token [cryptocard.com]

    They support Windows, Mac OS X, and Linux.

    http://www.cryptocard.com/index.cfm?PID=376&PageName=CRYPTO-Server [cryptocard.com]

    --Paul
  • by kbielefe ( 606566 ) <karl.bielefeldt@ ... om minus painter> on Saturday September 24, 2005 @02:24AM (#13636481)
    i keep all My webSite logiN PASSWORDs In my slaShbox, So they are alWays clOse at hand. when i want real security, i employ a top secRet steganography technique insiDe of a comment. iF security through obscurIty iS good enough for commercial software, it is certainly good enougH for me.
  • Even better, (Score:4, Interesting)

    by SharpFang ( 651121 ) on Saturday September 24, 2005 @05:08AM (#13636883) Homepage Journal
    http://www.ibutton.com/ [ibutton.com] - free samples available.
    2.6.13 kernel has already some very decent support for it (.12 - sorry, not so decent...; .14-rc? seems even more promising, this is a very actively developed area) - now just wait for good userspace support software. It's in /sys already.

    iButtons are way more rugged than a USB stick (think surviving in the pockets of Indiana Jones, Gordon Freeman and Lara Croft), smaller and more comfortable in use, and some are designed to be unlockable only with a password ;) One problem: the biggest one is 8 kilobytes, so if you plan on using them to store MP3s, sorry. But PGP keys, password lists etc - why not?
    And if you're a Java freak, there's a java-based minicomputer in one of them :)
    • Re:Even better, (Score:3, Interesting)

      by Nos. ( 179609 )

      I've actually built a home alarm system that uses iButtons as the arm/disarm switch instead of a numeric code. I have about 15 iButtons which I store in a DB. When we need to lend a key to someone to check on the house, I put an iButton on the keychain, go into the database and activate it. Then, when that iButton touches the sensor pad by the door, it will arm/disarm the system.

      I've had it running for about 6 months now without a problem. I'm still adding features (the IR beam across a doorway insd

  • Cost (Score:5, Interesting)

    by Anonymous Coward on Saturday September 24, 2005 @06:24AM (#13637030)
    USB tokens or anything similar are not a viable option when you have lots (and I mean LOTS) of users.

    What we use is that in order to log in, you have to enter your normal username and password and then you receive a token (via SMS) which you have to enter.

    That way no expensive tokens have to be distributed to end-users and even if an end-user's password is stolen, it's no good as long as you don't also steal his/her mobile phone.

    If such a thing happens that the end-user does not have a mobile phone (which here in Finland is _extremely_ rare) it's far cheaper to give away a couple of mobile phones and accounts than to distribute tokens/usb keys/whatever to all users, which then have to be renewed/get broken/are difficult to use.
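    The two-step login this comment describes, a short code sent by SMS after the username/password check, as an added server-side example (Python; not the poster's system). The in-memory store, the 5-minute lifetime and the three-guess limit are assumptions; the point is that the code is stored only as a salted hash, expires, is consumed on first use, and is discarded after too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store of pending second-step codes, keyed by username.
# Assumption: a real deployment keeps the same fields in a database.
_pending = {}

TOKEN_TTL = 300      # seconds an SMS code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses before the code is discarded (assumed value)

def issue_sms_token(username: str, now: float = None) -> str:
    """Call only after the username+password step succeeded.
    Returns the 6-digit code to hand to the SMS gateway; it is never stored in clear."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, fixed width
    salt = secrets.token_bytes(16)
    _pending[username] = {
        "salt": salt,
        "digest": hashlib.sha256(salt + code.encode()).digest(),
        "expires": now + TOKEN_TTL,
        "attempts": 0,
    }
    return code

def verify_sms_token(username: str, code: str, now: float = None) -> bool:
    """Second step of the login. Single use; bounded by TTL and attempt count."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[username]                         # expired: drop it
        return False
    entry["attempts"] += 1
    candidate = hashlib.sha256(entry["salt"] + code.encode()).digest()
    ok = hmac.compare_digest(candidate, entry["digest"])   # constant-time compare
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]                         # consumed, or locked out
    return ok

# Note: a 6-digit space is trivially enumerable offline, so the hash only keeps
# live codes out of logs and DB dumps; the TTL and attempt cap are what make
# guessing impractical. Pair with rate limiting on the first (password) step too.
```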

  • In the password juggle, I have a core password, and then some other crap attached based on the need for the password. Works for me, that's enough.

  • Can't you do this with PAM_USB in Linux? (http://www.pamusb.org/ [pamusb.org])

    I only managed to get it working with Login, but apparently (quoting the project's site) it works with any PAM enabled program, such as (Login), su, gdm/kdm/xdm, xlock et-cetera.

    Check the site out.

    - Phileeep.
  • I like the idea of having a usb mem stick and having a biometrics thumb print scan such as the one on the newer IBM laptops. You can keep all of your passwords on there but the trick would be that only your 'the owner's' thumb scan would turn on the stick. This would make it more secure than a traditional door key as some people have pointed out, an obvious flaw.. and also another thing that could be done would be dock it when you get home, all pwds would be synced (in case of loss/damage/explosion!) then ju

  • Smartcards (Score:3, Insightful)

    by MeanMF ( 631837 ) * on Monday September 26, 2005 @01:15AM (#13648520) Homepage
    There are plenty of USB-based Smartcards out there. Not sure about Linux drivers, but they work great with Windows.

    The problem with Biometrics is that if somebody does manage to forge your credentials, it's very difficult to change your "password" (fingerprint/retina/etc).
  • I have just written a master's thesis where I designed an authentication solution for Linux using plain old USB flash drives, Linux kernel level encryption and PGP. If there's any interest I might release the sources of a proof of concept in Python under a nice FOSS license, and/or put the thesis itself up on my website so any interested party could implement the system by themselves.

    Email me at locust (at) sampsa (dot) com if you're interested.
