Despite what Google says, I think there's a need for people to have multiple online personas. The ring concept is very cool (I remember those rings, wish I had one), but the physical dimensions of the iButton are too large to have multiple of them on a ring. Say, one for home or family, and another for work. If you're a freelancer, then possibly several for your work customers.
Who knows, watches may return, only with the bands as the holder for your key storage devices.
They keyfob isn't tied to a unique identity, the goal is to actually prevent websites from correlating account. From the IEEE article:
> One device should be sufficient with a reasonable number of websites for which users have accounts. But, for privacy preservation, the websites mustn’t be able to correlate users based on the device.
I do, and I am still waiting for my personalized coffee machine - supposedly they had that at one of the early Java conferences (machine recognizes you by your ring and brews your preferred coffee for you).
Most of my passwords are in a file called ring. I never write them out fully, but have mnemonics to help me remember. So many sites and if you want to have more than a few passwords, it really is unmanageable.
Get Lastpass. It's awesome. All my passwords are 20+ completely random characters. I access the password list via a password and 2 factor authentication (google authenticator on my phone).
Use a password manager. You never have to think about what a password looks like again. Keepass and KeepassX are a very popular ones. There is also PasswordSafe by Schneier.
Unlike LastPass and many other password managers, they are fully offline.
Also, Keepass has full mobile support as well as many plugins, including auto-login on browsers.
Isn't this exactly the same concept (if not implementation) as that of the yubikey (http://www.yubico.com/) In fact, google supports yubikey for google mail login. I use mine with Lastpass password vault. Once you have the browser plugin it makes it so easy login and generate secure passwords.
What's using a yubikey like? I've got LastPass premium account and seen it being promoted... How would it work with the password manager on your mobile?
You can use google authenticator as a second factor for lastpass, that's what I do. Install the free app, hook it up to your account, bam, hugely more secure.
And you can get lastpass to remember certain devices, so you don't have to keep authenticating on your home laptop, for example (and you can always go to the site and revoke access to that machine if it ever gets lost).
Similar concept but the Google proposal is better for a number of reasons (I'm assuming Google's is based of public key cryptography). Yubikeys have to be verified by yubico so you have to trust them. This also means it can be safely used by any untrustworthy source. It also means anyone could produce these. The Google one isn't vulnerable a phishing site with a valid SSL certificate between you and the target site. Lastly, the yubikey is really implemented as just a hack it just pretends to be a keyboard that types the code when you press the button I think a more specific protocol would be better although understandably the yubico one is more compatible.
The yubikey hardware interface is actually pretty clever. Having to press the button means there is physical interaction when using it, which means that if the auth was successful, the user actually did something. It also means that if it's left plugged in and the machine is compromised, the attacker can't use it.
It also means you dont have to worry about drivers, and can use it on whatever OS you want (OK, any OS that supports USB keyboards).
Or just use an IronKey (http://www.ironkey.com/). I have an older device with > 130 unique login and password combinations and VeriSign VIP (RSA token) authentication. Works very well for me although the Linux support isn't great.
It looks like the Workspace versions support Windows To Go for a managed portable OS scenario. I wonder at how robust that can be against a malicious host.
Hm, I already have a smartphone with Google Authenticator App and NFC, why would I want to carry a ring?
Having recently married and struggling a lot with the ring issue (basically lots of money for a useless piece of metal), the idea of a wedding ring with some badass electronic capabilities has crossed my mind, though.
It is bad enough that pick pocketers know the place where 90% of males keep their cash and credit cards...what happens when identity thieves know the exact place people keep their entire digital persona?
It doesn't seem easy to me to steal a ring from someone's finger. Since the key is never transmitted, copying it without having access to the hardware also seems impossible. Proper implementations would also have the user remember a PIN or the like, so that losing the key doesn't exponse your whole identity.
It doesn't seem easy to me to steal a ring from someone's finger.
Do you wear a ring? I ask because I used to think similarly, but now that I've worn a ring for a couple of years, I find them incredibly easy to remove.
Admittedly, some might wear smaller and tighter rings, but I think the good ol' twist & pull works in a lot of cases.
The real question is, how hard is it for someone to steal your ring without you knowing? Because that's the only part that's important. As long as you know it's stolen, you can go in and deactivate it before the thief can do any real damage. (There's usually a backup authentication measure, like a password text messaged to your phone that'll let you log in to deactivate the key).
I think the idea of using a ring for this purpose is that you never need remove it. It would have to be pretty durable, of course, but then you'd basically leave it on while swimming, sleeping, etc. (like the standard approach to a wedding band).
Having it work by proximity makes me a bit more uneasy, though -- I imagine someone brushing by your hand in the subway and authenticating with your bank then & there.
It doesn't seem easy to me to steal a ring from someone's finger
Maybe, maybe not, but there are all kinds of professions and occupations where rings must be removed for safety and/or security reasons. It would seem easy for a thief to be able to take advantage of those situations to get the "key" to someones online persona.
The attacker punches you in the face, hard, until you give them the ring or until you are weak enough for them to take the ring from you.
Since people have been kidnapped and forced to enter their ATM PIN to withdraw the maximum (often kidnapped near midnight so the gang can make two maximum withdrawals) this violent scenario isn't particularly farfetched. It depends what the ring gives access to.
Anything is vulnerable to rubber-hose cryptanalysis. The question is whether this is more or less secure than average Joe using the same three passwords for every site he logs into.
Not really. Most biometric authentication systems are pretty poor. Add that to the fact that most biometric systems don't use very many features of the signal (e.g. they don't have a lot of key strength / entropy) and you get a pretty lame authentication systems.
A hardware key, on the other hand, can be almost arbitrarily big, is upgradable and totally random.
This. Fingerprint scanners are notoriously unreliable. Either they reject the real person's fingerprint way too often, or they accept way too many similar fingerprints.
A real key is 100% reliable if you have it and 100% secure if you don't.
I assume the phone would be the hardware key and the fingerprint would be an additional security measure because people are more likely to lose/misplace their phones.
So it removes the danger of reusing passwords, but doesn't it introduce the danger of having a lost/stolen ring giving away your logins to every protected site?
Assuming they can figure out your identity on those sites, yes. But you also generally know when you lose it, so you can go deactivate it through a backup channel.
Having a keyfob to log in is pretty standard security practice. The only thing that makes a ring different or interesting is that it's an easier form factor, and I presume it would have wireless capabilities so you don't have to actually plug it in for it to work.
I was curious about this as this is how other keyfobs/SecureID cards work. But the article seems to imply that there would be no password at all to use with this device.
I recently found a set of RFID chips that could be bought cheaply in a small set. They were small enough that they EASILY could be fit into a ring. Paired with an RFID reader, you could have some good fun.
The problem is, there aren't any consumer purchaseably RFID+Asynchronous encryption options out there meaning that someone just has to manufacture an RFID with the same ID to spoof your identity. Kind of why I lost interest in hacking something neat.
manufacture an RFID with the same ID to spoof your identity
Uh... actually, since it's just radio waves, I don't think there's any manufacturing involved. If you can transmit an identical signal at the proper time, regardless of the source, you can spoof an object.
An RFID chip is just a transponder. A tiny antenna, wired to a circuit that reacts to radio waves in a specific manner, with a specific transmission. It's not a prerequisite that the antenna and circuit must be tiny and/or embedded in a chip. Any radio equipment that can send and receive radio transmissions will do.
Sure, but I'm imagining that these are produced in some factory and they just have a serialized ID that they use for each one. I'm imagining if there were a breach of security, it would be slipping a $100 bill to the guy and asking him to run a set with {MY_ENEMYS_ID}.
Aren't RFID small in terms of storage size? How many bits could each RFID store?
Also, they tend to be mostly passive, so it's just a big string that you present to the computer, rather than a decent challenge / response.
The C/R is what makes the article interesting, and it's what's holding me back from buying a Yubikey. (Which does a convoluted form of C/R, but on Windows.)
That's why I lost interest. The smart cards that do active (async) encryption for a proper challenge/response are all contact, rather than contact-less.
"using personal hardware to log in would remove the dangers of people reusing passwords or writing them down"
Shit yes, writing passwords down and putting it in a drawer at home is so much more vulnerable than stealing the one thing with which you secure all of your accounts and take with you. And how is one-factor authentication that someone has to force out of you (password) worse than one-factor authentication that someone has to rip from your finger and run away with? People apparently can steal watches without the bearer noticing, what the hell am I supposed to think of a ring?
"Everyone is familiar with an ATM. What if you could use the same experience with a computer?"
An ATM requires a PIN-code. Your second factor (a 4-digit password) that is validated by the IC on your card and provides some sort of secure authentication.
> writing passwords down and putting it in a drawer at home is so much more vulnerable than stealing the one thing with which you secure all of your accounts and take with you.
People should be doing a risk analysis of their online services, so they can decide what kind of password security is useful to them.
I'm a big fan of writing passwords down and keeping that list in a secure place. But some people (eg, in offices) don't have a suitably secure place to keep those passwords. This device would be handy for them.
I would love something like this. And there's plenty of ways to secure it. Put sensors in it, and as soon as it's away from you (after you put it on), the passwords it contains are wiped out.
You'd need to have those passwords backed-up anyway, either somewhere locally or in the cloud, so you can retrieve them later. You could also make it so you have to "reconnect" with your PC account or whatever every 24 hours, every week, etc.
I'm sure there are other ways to keep this safe, too.
1. For broad consumer uptake, authentication methods better than a password, or indeed classical 2-factor authentication, needs to be "fire-and-forget". That is, users set it up at most once and then it works almost transparently in most situations. This necessitates broad (read, universal) device-to-device connection.
2. There's no universal method for connecting a mobile phone to another device.
3. Besides, what if you require authentication without a password, on a mobile?
4. The closest to a universal method for interdevice connection is USB. Most importantly, a browsing-capable device almost certainly has a USB interface.
53 comments
[ 1008 ms ] story [ 3907 ms ] threadhttp://en.wikipedia.org/wiki/1-Wire
Who knows, watches may return, only with the bands as the holder for your key storage devices.
> One device should be sufficient with a reasonable number of websites for which users have accounts. But, for privacy preservation, the websites mustn’t be able to correlate users based on the device.
Ach. Such a missed opportunity.
Unlike LastPass and many other password managers, they are fully offline.
Also, Keepass has full mobile support as well as many plugins, including auto-login on browsers.
Ahh - just seen it's got NFC build in.
And you can get lastpass to remember certain devices, so you don't have to keep authenticating on your home laptop, for example (and you can always go to the site and revoke access to that machine if it ever gets lost).
It's pretty awesome.
It also means you dont have to worry about drivers, and can use it on whatever OS you want (OK, any OS that supports USB keyboards).
Currently sold out. We expect new orders to ship in 7 weeks.
"ONE RING TO RULE THEM ALL"
I guess, in a sense, I wear the keys to my car basically everywhere I go.
It looks like the Workspace versions support Windows To Go for a managed portable OS scenario. I wonder at how robust that can be against a malicious host.
Having recently married and struggling a lot with the ring issue (basically lots of money for a useless piece of metal), the idea of a wedding ring with some badass electronic capabilities has crossed my mind, though.
Do you wear a ring? I ask because I used to think similarly, but now that I've worn a ring for a couple of years, I find them incredibly easy to remove.
Admittedly, some might wear smaller and tighter rings, but I think the good ol' twist & pull works in a lot of cases.
Having it work by proximity makes me a bit more uneasy, though -- I imagine someone brushing by your hand in the subway and authenticating with your bank then & there.
Maybe, maybe not, but there are all kinds of professions and occupations where rings must be removed for safety and/or security reasons. It would seem easy for a thief to be able to take advantage of those situations to get the "key" to someones online persona.
Since people have been kidnapped and forced to enter their ATM PIN to withdraw the maximum (often kidnapped near midnight so the gang can make two maximum withdrawals) this violent scenario isn't particularly farfetched. It depends what the ring gives access to.
There are alternatives: 1. Point gun and say give me the ring with your entire identity on it. 2. Chop finger off and take the ring.
Becoming the bearer bond of my identity seems like a very bad idea.
http://appadvice.com/appnn/2013/03/report-the-iphone-5s-will...
A hardware key, on the other hand, can be almost arbitrarily big, is upgradable and totally random.
A real key is 100% reliable if you have it and 100% secure if you don't.
Having a keyfob to log in is pretty standard security practice. The only thing that makes a ring different or interesting is that it's an easier form factor, and I presume it would have wireless capabilities so you don't have to actually plug it in for it to work.
The problem is, there aren't any consumer purchaseably RFID+Asynchronous encryption options out there meaning that someone just has to manufacture an RFID with the same ID to spoof your identity. Kind of why I lost interest in hacking something neat.
Uh... actually, since it's just radio waves, I don't think there's any manufacturing involved. If you can transmit an identical signal at the proper time, regardless of the source, you can spoof an object.
An RFID chip is just a transponder. A tiny antenna, wired to a circuit that reacts to radio waves in a specific manner, with a specific transmission. It's not a prerequisite that the antenna and circuit must be tiny and/or embedded in a chip. Any radio equipment that can send and receive radio transmissions will do.
Also, they tend to be mostly passive, so it's just a big string that you present to the computer, rather than a decent challenge / response.
The C/R is what makes the article interesting, and it's what's holding me back from buying a Yubikey. (Which does a convoluted form of C/R, but on Windows.)
That's why I lost interest. The smart cards that do active (async) encryption for a proper challenge/response are all contact, rather than contact-less.
Here's a copy of the most important parts:
---
(One ring to rule them all, anyone? ;) )
Anyway.
"using personal hardware to log in would remove the dangers of people reusing passwords or writing them down"
Shit yes, writing passwords down and putting it in a drawer at home is so much more vulnerable than stealing the one thing with which you secure all of your accounts and take with you. And how is one-factor authentication that someone has to force out of you (password) worse than one-factor authentication that someone has to rip from your finger and run away with? People apparently can steal watches without the bearer noticing, what the hell am I supposed to think of a ring?
"Everyone is familiar with an ATM. What if you could use the same experience with a computer?"
An ATM requires a PIN-code. Your second factor (a 4-digit password) that is validated by the IC on your card and provides some sort of secure authentication.
http://www.computer.org/cms/Computer.org/ComputingNow/pdfs/A...
People should be doing a risk analysis of their online services, so they can decide what kind of password security is useful to them.
I'm a big fan of writing passwords down and keeping that list in a secure place. But some people (eg, in offices) don't have a suitably secure place to keep those passwords. This device would be handy for them.
You'd need to have those passwords backed-up anyway, either somewhere locally or in the cloud, so you can retrieve them later. You could also make it so you have to "reconnect" with your PC account or whatever every 24 hours, every week, etc.
I'm sure there are other ways to keep this safe, too.
2. There's no universal method for connecting a mobile phone to another device.
3. Besides, what if you require authentication without a password, on a mobile?
4. The closest to a universal method for interdevice connection is USB. Most importantly, a browsing-capable device almost certainly has a USB interface.
Hence, efforts like Yubikey.