Authentication Tokens for Password-less Access?
A not-so anonymous Anonymous Coward puts forth this query: "As someone who tires of constantly remembering and re-entering many passwords in possibly hundreds of uses, it strikes me that something as simple as a USB memory-stick device containing security tokens cannot be simply used in favour of passwords. Kernel messages could be monitored for tokens and update local access as needed (such as opening kwallet or disabling the screensaver). Is this really any less secure than say, using a key in the front door? It would be great to hear what the Slashdot community have found useful in reducing the number of passwords that need to be remembered, and what progress (if any) is being taken to increase security while providing ease of access?"
Modality (Score:3, Informative)
A few starting points (Score:4, Informative)
http://www.schneier.com/passsafe.html [schneier.com] Password safe - This uses strong encryption with a master password to store all your other passwords. You still have to cut'n'paste them everywhere, though. Keep it on a USB key with the encrypted passwords.
https://addons.mozilla.org/extensions/moreinfo.ph
http://web.mit.edu/kerberos/ [mit.edu] Kerberos - Use a password to log in once, and then you're authenticated for all the services you need. This works great, but it has to be supported by each site that uses it. It's great for intranets, but it doesn't help for random web sites.
Re:A few starting points (Score:1)
Keyring? (Score:5, Interesting)
Passwords I might use for this page (Score:1, Interesting)
todhsalsksa
522361
or some mix of the above with each other, doubled, etc.
Another interesting password is:
drowssapymyllaersisihteveilebt'nacI
3 tenets of security (Score:3, Informative)
2. What you know
3. What you have
The general consensus that I'm aware of is that if you can give proof that you are indeed the individual requesting access on your own behalf (perhaps through biometrics), if you can prove you have knowledge of some piece of secret data (a password), and finally if you also have in your possession some item or object required to gain access (like the token you mentioned), then the system can be reasonably sure you're legit. Thwarting all of these simultaneously would be quite difficult.
Re:3 tenets of security (Score:1)
Other Means! (Score:1)
One of my passwords is 15 character digits long, containing upper and lower case, digits, and special characters. I really doubt that it could be easily cracked (before the attacker died of old age). I think the attacker would spend time trying to break in through other mean
Re:Other Means! (Score:4, Informative)
http://www.projectblackdog.com/product.html [projectblackdog.com]
Its security is as good as a fingerprint and SSH encryption. You can even use it on a host machine with a keyboard logger as long as you are accessing stuff that accepts your SSH key -- you wouldn't want to ever have to type in your password for a remote service.
iButton with encryption? (Score:2)
USBWiSec and AutoHotkey for Windows (Score:3, Interesting)
USBWiSec [makezine.com] to control it, AutoHotkey [autohotkey.com] to unlock it and automate authentication.
Re:USBWiSec and AutoHotkey for Windows (Score:2)
Cryptocard (Score:3, Informative)
http://www.cryptocard.com/index.cfm?PID=464&PageN
They support Windows, Mac OS X, and Linux.
http://www.cryptocard.com/index.cfm?PID=376&PageN
--Paul
Just do what I do (Score:4, Funny)
Re:Just do what I do (Score:1)
This was far funnier than you got credit for. Simple, but funny.
Even better, (Score:4, Interesting)
2.6.13 kernel has already some very decent support for it (.12 - sorry, not so decent...;
iButtons are way more rugged than USB stick (think surviving in pockets of Indiana Jones, Gordon Freeman and Lara Croft), smaller and more comfortable in use and some are designed to be unlockable only with a password
And if you're a Java freak, there's a Java-based minicomputer in one of them
Re:Even better, (Score:3, Interesting)
I've actually built a home alarm system that uses iButtons as the arm/disarm switch instead of a numeric code. I have about 15 iButtons which I store in a DB. When we need to lend a key to someone to check on the house, I put an iButton on the keychain, go into the database and activate it. Then, when that iButton touches the sensor pad by the door, it will arm/disarm the system.
I've had it running for about 6 months now without a problem. I'm still adding features (the IR beam across a doorway insd
Cost (Score:5, Interesting)
What we use is that in order to log in, you have to enter your normal username and password and then you receive a token (via SMS) which you have to enter.
That way no expensive tokens have to be distributed to end-users, and even if an end-user's password is stolen, it's no good as long as you don't also steal his/her mobile phone.
If it happens that the end-user does not have a mobile phone (which here in Finland is _extremely_ rare), it's far cheaper to give away a couple of mobile phones and accounts than to distribute tokens/USB keys/whatever to all users, which then have to be renewed/get broken/are difficult to use.
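The login flow described in the comment above (password first, then a one-time token sent by SMS), sketched server-side as an added example that is not part of the original thread. The function names, the 6-digit code, the 5-minute lifetime and the 3-guess limit are assumptions, and SMS delivery is left to the caller.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # assumed lifetime of a code, in seconds
MAX_ATTEMPTS = 3    # assumed number of guesses before the code is void

_pending = {}       # username -> [code, expires_at, attempts_left]


def issue_code(username, now=None):
    """Call only after the password check succeeded.

    Returns the code to hand to the SMS gateway; a new code replaces
    any older one still pending for the same user.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
    _pending[username] = [code, now + CODE_TTL, MAX_ATTEMPTS]
    return code


def verify_code(username, submitted, now=None):
    """True only for the current, unexpired code; each code works once."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    code, expires_at, _ = entry
    if now > expires_at:
        del _pending[username]                 # expired: force a fresh login
        return False
    entry[2] -= 1                              # count the guess before comparing
    # Constant-time comparison so response timing does not leak digits.
    if hmac.compare_digest(code.encode(), submitted.encode()):
        del _pending[username]                 # single use
        return True
    if entry[2] == 0:
        del _pending[username]                 # guesses exhausted: code is void
    return False
```
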
Things can be lost....or fried (Score:1)
In the password juggle, I have a core password, and then some other crap attached based on the need for the password. Works for me, that's enough.
PAM-USB (Score:1)
I only managed to get it working with Login, but apparently (quoting the project's site) it works with any PAM-enabled program, such as (Login), su, gdm/kdm/xdm, xlock, et cetera.
Check the site out.
- Phileeep.
biometrics on a usb stick? (Score:1)
I like the idea of having a USB mem stick and having a biometrics thumb print scan such as the one on the newer IBM laptops. You can keep all of your passwords on there, but the trick would be that only your 'the owner's' thumb scan would turn on the stick. This would make it more secure than a traditional door key, as some people have pointed out, an obvious flaw.. and also another thing that could be done would be dock it when you get home, all pwds would be synced (in case of loss/damage/explosion!) then ju
Smartcards (Score:3, Insightful)
The problem with Biometrics is that if somebody does manage to forge your credentials, it's very difficult to change your "password" (fingerprint/retina/etc).
An authentication solution for Linux (Score:1)
Email me at locust (at) sampsa (dot) com if you're interested.