53 comments

[ 1008 ms ] story [ 3907 ms ] thread
Anyone else remember those Java rings?

http://en.wikipedia.org/wiki/1-Wire

Despite what Google says, I think there's a need for people to have multiple online personas. The ring concept is very cool (I remember those rings, wish I had one), but the physical dimensions of the iButton are too large to have multiple of them on a ring. Say, one for home or family, and another for work. If you're a freelancer, then possibly several for your work customers.

Who knows, watches may return, only with the bands as the holder for your key storage devices.

They keyfob isn't tied to a unique identity, the goal is to actually prevent websites from correlating account. From the IEEE article:

> One device should be sufficient with a reasonable number of websites for which users have accounts. But, for privacy preservation, the websites mustn’t be able to correlate users based on the device.

I do, and I am still waiting for my personalized coffee machine - supposedly they had that at one of the early Java conferences (machine recognizes you by your ring and brews your preferred coffee for you).
How could you write this story and so stubbornly avoid the most obvious title in the world?!

Ach. Such a missed opportunity.

And the most obvious title in the world is ...?
"one ring to rule them all..." ?
Most of my passwords are in a file called ring. I never write them out fully, but have mnemonics to help me remember. So many sites and if you want to have more than a few passwords, it really is unmanageable.
Get Lastpass. It's awesome. All my passwords are 20+ completely random characters. I access the password list via a password and 2 factor authentication (google authenticator on my phone).
Use a password manager. You never have to think about what a password looks like again. Keepass and KeepassX are a very popular ones. There is also PasswordSafe by Schneier.

Unlike LastPass and many other password managers, they are fully offline.

Also, Keepass has full mobile support as well as many plugins, including auto-login on browsers.

Isn't this exactly the same concept (if not implementation) as that of the yubikey (http://www.yubico.com/) In fact, google supports yubikey for google mail login. I use mine with Lastpass password vault. Once you have the browser plugin it makes it so easy login and generate secure passwords.
What's using a yubikey like? I've got LastPass premium account and seen it being promoted... How would it work with the password manager on your mobile?

Ahh - just seen it's got NFC build in.

You can use google authenticator as a second factor for lastpass, that's what I do. Install the free app, hook it up to your account, bam, hugely more secure.

And you can get lastpass to remember certain devices, so you don't have to keep authenticating on your home laptop, for example (and you can always go to the site and revoke access to that machine if it ever gets lost).

It's pretty awesome.

Similar concept but the Google proposal is better for a number of reasons (I'm assuming Google's is based of public key cryptography). Yubikeys have to be verified by yubico so you have to trust them. This also means it can be safely used by any untrustworthy source. It also means anyone could produce these. The Google one isn't vulnerable a phishing site with a valid SSL certificate between you and the target site. Lastly, the yubikey is really implemented as just a hack it just pretends to be a keyboard that types the code when you press the button I think a more specific protocol would be better although understandably the yubico one is more compatible.
The yubikey hardware interface is actually pretty clever. Having to press the button means there is physical interaction when using it, which means that if the auth was successful, the user actually did something. It also means that if it's left plugged in and the machine is compromised, the attacker can't use it.

It also means you dont have to worry about drivers, and can use it on whatever OS you want (OK, any OS that supports USB keyboards).

Interestingly, on Yubikey NEO's web page:

Currently sold out. We expect new orders to ship in 7 weeks.

I'll say it since no one else wants to:

"ONE RING TO RULE THEM ALL"

And to the dark fiber BIND THEM.
Wearable smart cards.

I guess, in a sense, I wear the keys to my car basically everywhere I go.

Or just use an IronKey (http://www.ironkey.com/). I have an older device with > 130 unique login and password combinations and VeriSign VIP (RSA token) authentication. Works very well for me although the Linux support isn't great.

It looks like the Workspace versions support Windows To Go for a managed portable OS scenario. I wonder at how robust that can be against a malicious host.

Hm, I already have a smartphone with Google Authenticator App and NFC, why would I want to carry a ring?

Having recently married and struggling a lot with the ring issue (basically lots of money for a useless piece of metal), the idea of a wedding ring with some badass electronic capabilities has crossed my mind, though.

It is bad enough that pick pocketers know the place where 90% of males keep their cash and credit cards...what happens when identity thieves know the exact place people keep their entire digital persona?
It doesn't seem easy to me to steal a ring from someone's finger. Since the key is never transmitted, copying it without having access to the hardware also seems impossible. Proper implementations would also have the user remember a PIN or the like, so that losing the key doesn't exponse your whole identity.
It doesn't seem easy to me to steal a ring from someone's finger.

Do you wear a ring? I ask because I used to think similarly, but now that I've worn a ring for a couple of years, I find them incredibly easy to remove.

Admittedly, some might wear smaller and tighter rings, but I think the good ol' twist & pull works in a lot of cases.

The real question is, how hard is it for someone to steal your ring without you knowing? Because that's the only part that's important. As long as you know it's stolen, you can go in and deactivate it before the thief can do any real damage. (There's usually a backup authentication measure, like a password text messaged to your phone that'll let you log in to deactivate the key).
So all someone has to do is break into my locker while I'm at the gym (assuming I remove my ring and cell phone before I go swimming, etc.)?
I think the idea of using a ring for this purpose is that you never need remove it. It would have to be pretty durable, of course, but then you'd basically leave it on while swimming, sleeping, etc. (like the standard approach to a wedding band).

Having it work by proximity makes me a bit more uneasy, though -- I imagine someone brushing by your hand in the subway and authenticating with your bank then & there.

It doesn't seem easy to me to steal a ring from someone's finger

Maybe, maybe not, but there are all kinds of professions and occupations where rings must be removed for safety and/or security reasons. It would seem easy for a thief to be able to take advantage of those situations to get the "key" to someones online persona.

The attacker punches you in the face, hard, until you give them the ring or until you are weak enough for them to take the ring from you.

Since people have been kidnapped and forced to enter their ATM PIN to withdraw the maximum (often kidnapped near midnight so the gang can make two maximum withdrawals) this violent scenario isn't particularly farfetched. It depends what the ring gives access to.

Anything is vulnerable to rubber-hose cryptanalysis. The question is whether this is more or less secure than average Joe using the same three passwords for every site he logs into.
> It doesn't seem easy to me to steal a ring from someone's finger

There are alternatives: 1. Point gun and say give me the ring with your entire identity on it. 2. Chop finger off and take the ring.

Becoming the bearer bond of my identity seems like a very bad idea.

Meanwhile it's rumored apple may add a fingerprint scanner to iphones. Wouldn't this be at least as effective without requiring additional jewelry?

http://appadvice.com/appnn/2013/03/report-the-iphone-5s-will...

Not really. Most biometric authentication systems are pretty poor. Add that to the fact that most biometric systems don't use very many features of the signal (e.g. they don't have a lot of key strength / entropy) and you get a pretty lame authentication systems.

A hardware key, on the other hand, can be almost arbitrarily big, is upgradable and totally random.

This. Fingerprint scanners are notoriously unreliable. Either they reject the real person's fingerprint way too often, or they accept way too many similar fingerprints.

A real key is 100% reliable if you have it and 100% secure if you don't.

I assume the phone would be the hardware key and the fingerprint would be an additional security measure because people are more likely to lose/misplace their phones.
So it removes the danger of reusing passwords, but doesn't it introduce the danger of having a lost/stolen ring giving away your logins to every protected site?
Assuming they can figure out your identity on those sites, yes. But you also generally know when you lose it, so you can go deactivate it through a backup channel.

Having a keyfob to log in is pretty standard security practice. The only thing that makes a ring different or interesting is that it's an easier form factor, and I presume it would have wireless capabilities so you don't have to actually plug it in for it to work.

The ring would most likely be used in addition to another authentication factor like a password. An attacker would need both to authenticate.
I was curious about this as this is how other keyfobs/SecureID cards work. But the article seems to imply that there would be no password at all to use with this device.
I recently found a set of RFID chips that could be bought cheaply in a small set. They were small enough that they EASILY could be fit into a ring. Paired with an RFID reader, you could have some good fun.

The problem is, there aren't any consumer purchaseably RFID+Asynchronous encryption options out there meaning that someone just has to manufacture an RFID with the same ID to spoof your identity. Kind of why I lost interest in hacking something neat.

manufacture an RFID with the same ID to spoof your identity

Uh... actually, since it's just radio waves, I don't think there's any manufacturing involved. If you can transmit an identical signal at the proper time, regardless of the source, you can spoof an object.

An RFID chip is just a transponder. A tiny antenna, wired to a circuit that reacts to radio waves in a specific manner, with a specific transmission. It's not a prerequisite that the antenna and circuit must be tiny and/or embedded in a chip. Any radio equipment that can send and receive radio transmissions will do.

Sure, but I'm imagining that these are produced in some factory and they just have a serialized ID that they use for each one. I'm imagining if there were a breach of security, it would be slipping a $100 bill to the guy and asking him to run a set with {MY_ENEMYS_ID}.
Aren't RFID small in terms of storage size? How many bits could each RFID store?

Also, they tend to be mostly passive, so it's just a big string that you present to the computer, rather than a decent challenge / response.

The C/R is what makes the article interesting, and it's what's holding me back from buying a Yubikey. (Which does a convoluted form of C/R, but on Windows.)

Yup, not very many, yup.

That's why I lost interest. The smart cards that do active (async) encryption for a proper challenge/response are all contact, rather than contact-less.

My comment on Google+: https://plus.google.com/100221912051999668442/posts/Wf9nDPFQ...

Here's a copy of the most important parts:

---

(One ring to rule them all, anyone? ;) )

Anyway.

"using personal hardware to log in would remove the dangers of people reusing passwords or writing them down"

Shit yes, writing passwords down and putting it in a drawer at home is so much more vulnerable than stealing the one thing with which you secure all of your accounts and take with you. And how is one-factor authentication that someone has to force out of you (password) worse than one-factor authentication that someone has to rip from your finger and run away with? People apparently can steal watches without the bearer noticing, what the hell am I supposed to think of a ring?

"Everyone is familiar with an ATM. What if you could use the same experience with a computer?"

An ATM requires a PIN-code. Your second factor (a 4-digit password) that is validated by the IC on your card and provides some sort of secure authentication.

> writing passwords down and putting it in a drawer at home is so much more vulnerable than stealing the one thing with which you secure all of your accounts and take with you.

People should be doing a risk analysis of their online services, so they can decide what kind of password security is useful to them.

I'm a big fan of writing passwords down and keeping that list in a secure place. But some people (eg, in offices) don't have a suitably secure place to keep those passwords. This device would be handy for them.

I would love something like this. And there's plenty of ways to secure it. Put sensors in it, and as soon as it's away from you (after you put it on), the passwords it contains are wiped out.

You'd need to have those passwords backed-up anyway, either somewhere locally or in the cloud, so you can retrieve them later. You could also make it so you have to "reconnect" with your PC account or whatever every 24 hours, every week, etc.

I'm sure there are other ways to keep this safe, too.

Perhaps I'm missing something - why try and have wearable passwords when everyone is already carrying around a phone?
1. For broad consumer uptake, authentication methods better than a password, or indeed classical 2-factor authentication, needs to be "fire-and-forget". That is, users set it up at most once and then it works almost transparently in most situations. This necessitates broad (read, universal) device-to-device connection.

2. There's no universal method for connecting a mobile phone to another device.

3. Besides, what if you require authentication without a password, on a mobile?

4. The closest to a universal method for interdevice connection is USB. Most importantly, a browsing-capable device almost certainly has a USB interface.

Hence, efforts like Yubikey.

(comment deleted)