Device Authentication Could Make Passwords Obsolete


firefox91

Not really convinced this is a good thing. I find it less hassling to have to remember a bunch of different passwords than I do fetching my cell and waiting for the authentication to happen.

apuser

Mr Mims' title is a bit misleading. There is still a password for his Twitter account; it hasn't gone away. It's just stored in a cookie so he doesn't have to enter it all the time (no different from how it's always been).

What's needed is extra protection where the user doesn't have to do anything different: Nothing to carry, nothing to enter, just login like normal. But if someone has your credentials they are stopped.

Also, the security should have additional factor verifications post login that match the risk. For example, making a purchase, or deleting an account, etc.

All this security should be completely invisible to the user unless there is a reason to verify because some number of additional factors don't match up, and then and only then should there be a challenge with possible options on how to verify the account.

In nearly all cases the real user sees nothing different. In nearly all cases, the fraudulent user is challenged & the real user is notified so they can change their password.

Oh, and users can always step up the strength of the security if they want more.

These days, depending on naked security (ID and password alone) is risky.
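The scheme apuser describes above (invisible when the signals agree, a challenge only when they don't, a fresh factor for risky actions, and a notification to the real owner when a challenge fires) can be written down as a small policy. This is an added illustration, not code from the article or any provider; the signals, weights and threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Actions that get a fresh second-factor check even from a trusted device.
SENSITIVE_ACTIONS = {"purchase", "delete_account", "change_password"}
CHALLENGE_THRESHOLD = 4  # assumed tuning value for this illustration

@dataclass
class LoginContext:
    password_ok: bool
    device_cookie_known: bool          # long-lived "remember this browser" token matched
    country: str
    usual_countries: set = field(default_factory=set)
    new_ip_range: bool = False
    recent_failures: int = 0
    always_challenge: bool = False     # owner opted in to the stricter setting

@dataclass
class Decision:
    outcome: str                       # "deny", "allow" or "challenge"
    notify_owner: bool                 # tell the real owner so they can change the password
    reasons: list = field(default_factory=list)

def score_risk(ctx):
    """Weighted count of signals that do not match what is known about the account."""
    signals = [
        (not ctx.device_cookie_known, 2, "unknown device"),
        (bool(ctx.usual_countries) and ctx.country not in ctx.usual_countries, 3,
         "unusual country " + ctx.country),
        (ctx.new_ip_range, 1, "new IP range"),
        (ctx.recent_failures >= 3, 3, "recent failed attempts"),
    ]
    hits = [(weight, why) for hit, weight, why in signals if hit]
    return sum(weight for weight, _ in hits), [why for _, why in hits]

def decide(ctx, action="login"):
    """Password stays the first factor; a second one is demanded only when risk or the action calls for it."""
    if not ctx.password_ok:
        return Decision("deny", False, ["wrong password"])
    score, reasons = score_risk(ctx)
    risky = score >= CHALLENGE_THRESHOLD
    if risky or action in SENSITIVE_ACTIONS or ctx.always_challenge:
        if action in SENSITIVE_ACTIONS:
            reasons.append("sensitive action " + action)
        # Notify the owner only when mismatching signals caused the challenge, so a
        # legitimate purchase from a trusted device does not raise a false alarm.
        return Decision("challenge", risky, reasons)
    return Decision("allow", False, reasons)
```

With a known device in a usual country, a plain login passes silently and only a purchase triggers a challenge; an unknown device from an unusual country is challenged and the owner is told.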

ApathyCurve

"Without [the debit card], the PIN is useless, and so are passwords without a physical device in a two-factor authentication scheme"

Yeah, because there's no such thing as an ATM skimmer... Back to school with ya, junior.

btdog

If your life revolves around your phone (and it does for many people), then 2FA is perfect. If, on the other hand, you're not hunched over your phone every chance you get, 2FA is an inconvenience at best and could be an absolute nightmare.

Case in point. I have an elderly aunt who lives in another country but visits our family every couple of years. She's not tech-savvy: she has an email account to keep in touch with family members and plays casual games on the computer, maybe checks the news. That's about it.

Hotmail, in their infinite wisdom, implemented 2FA. She tries to access her account from our house... whoops, looks fishy, let's send you a code to your phone to authenticate that it's actually you. Problem is she doesn't have a cell phone, and she listed her home phone when she was asked to complete that section. Calling her house when she's thousands of miles away won't help anybody.

Now, you can fill in this questionnaire where you can try to justify you're you by filling in various bits of information (past passwords, personal information, etc.). Provide an alternate email and Microsoft pledges a response in 24 hours. Not too bad, right? It would be except Microsoft doesn't respond. We waited patiently for 3 days (72 hours) with no response. All the while, she's asking me daily why she can't get to her email.

We finally call Microsoft (yeah, try to find a number online for Hotmail help... good luck with that). After 3 transfers and 45 minutes on the phone we are verbally provided a link to fill in ANOTHER form, and if we provide another Hotmail email, they vow we will get a response in 24 hours. We do, and we finally get a response: a special link will let us access her account. Problem solved, right? Wrong. The link wants to perform 2FA to verify it's really us and asks if it can send a message to her home phone! SOB!

She was here 2 weeks and never got to check her email. What a nightmare.

Instead of 2FA, why can't a person set up a password and a couple security questions they can answer to prove who they are?

LatiosXT

2FA doesn't ask for another code if you tell it to remember your browser. Even if you log out, it usually doesn't ask again.

Security questions can be annoying, and it's just another layer of passwords someone can easily breach depending on what the question is. Like asking for your mother's maiden name... Well, looks like you'd better not tell anyone your name! (Kind of hard, since a lot of people use their name for email accounts anyway.)

Just get another provider in this case.

Opm2

This is just another method for data mining your personal phone number to sell with your email address and any other info you have been tricked into giving them.

Think your junk email folder is annoying... have fun getting texts from enlarge your penis websites all day.

maverick knight

Highly disagree. He doesn't factor in that there are work environments where electronic devices are not allowed. I know he is an MIT columnist, but he bases his opinion on personal experience and preferences. Plus, the more authentication measures, the more secure it would be. A password or a passcode is something that you know; combining it with something that you are and something that you have makes it more secure.

Most comments here are leaving one security awareness flaw out. Everyone talks about hackers cracking codes, but in reality most intruders use social engineering to get past authentication.

Rebel_X

Useless, would be cracked in no time! There were multiple software packages that relied on dongles for protection and authenticity and were cracked (one that comes to mind is Alldata for automobiles). It is not impossible for a seasoned hacker/cracker to emulate that device and fake it.

FireGarden

I like the idea of banishing passwords. I have so, so many that I can't possibly remember them all, and when I forget, I turn the air blue with profanity like you've never heard!! I'm so sick of having to use that 'forgotten password' link!

I like the idea of biometrics, but most of it is still pretty bad as yet and I wouldn't trust it to be the only way into an online account. NFC sounds good, but I'd hate to have to constantly set it up when I change devices. Maybe a chip under the skin? ;)

Eoraptor

All well and good... so long as you live in an area where cell phone coverage is ubiquitous.

Those of us living between the coasts (particularly you poor saps in the inter-mountain west) often live in areas where coverage, even for a simple SMS, can be hit and miss. So for us, device-based authentication is feck-all useless, because it might be two or three hours before we get that stupid little six-digit magic code sent to us to allow us to unlock whatever it is we wanted to unlock with the browser, website, or program we're using.

And for gaming schemes where "we'll register your computer and then email you a code that you can feed back to us", I suppose I'm just old-fashioned. If I'm playing a single-player SimCity or Civilization, my machine does not need to be authorized or phoned home just so I can play a game I already own. It's days when I have to go through reinstall hell with ARC or Steam after doing a flash of my system that I lament not just having a CD or DVD to slap in a drive, doing the email shuffle of "did I get the code for this client yet? Yes, this is my machine, you've seen it before, dummy, I just refreshed Windows."

bloodgain

My opinion dissents from the others below. For anything I value (my primary email, social networks, etc.) two-factor authentication is not very bothersome when well implemented.

I use Google's Authenticator app on my smartphone, which requires my face or a PIN code to unlock. However, once a device I use regularly has been approved, it doesn't require the extra step again. If I lose my phone, I can recover using an alternate (SMS to my wife) or a previously authenticated device. I may regret it eventually, but I haven't even printed the backup codes.

Still, I'm more secure, because someone has to access an approved device, get into it, and still know my password (which I can change quickly and easily). It's a one-time hassle, or an extra step on the rare occasion I use a shared computer.

I do agree that it's overkill for mundane access like MaxPC or a game.

LatiosXT

The problem is, what if you lose the device? What steps do you have to go through to prove you're you? In one case, Google provides 10 one-use codes you can print out and keep safe, but it's not immediately obvious where those are.

Two-step authentication, however, is good when it doesn't repeatedly ask you for two codes (such as when you can tell the website to remember the computer). Another thing, which I mainly see at financial institutions, is the security image/phrase that shows up.

But yeah, having yet another device is just annoying.

Insurgence

The issue that I see with most two-factor authentication is the inconvenience. The fact that you have to enter two passwords will only irritate people, especially for the run-of-the-mill stuff. I'm fairly confident that I don't want to enter two passwords just to log into MaximumPC, no offense.

The only way that I see two factor authentication taking off is if they can come up with a non-password style (such as a Computer Access Card or a Credit Card) that also isn't a security risk. Although I do believe there are enough ignorant people out there who would adopt something that was a security risk, while thinking it only made things more secure.

A simple example would be phones with a secure NFC connection, one that would only need to be configured once per session or per profile on the main device (i.e. computer). Just keep it within a certain range, and it acts as an authentication device. Because it is your phone, you're "less" likely to leave it, unlike a device such as a thumb drive. If you require a one-time authentication between devices, either to establish a connection profile or to establish a connection, you can make it so that it would be harder to just sniff out the signal, while the computer's login would still provide a level of protection should your phone get snagged.

But I do not believe authenticators as they are will be the answer. For one, there are too many of them. Take MMOs as an example. I have played Star Wars: The Old Republic, World of Warcraft, and Rift. All three of them have authenticators, and each has its own authenticator. Each one either takes up space on a key ring or on my phone. And while I think it is possible for a third party to make an authenticator that is widely accepted, I also think money and marketing will make it less likely to happen.

John Pombrio

Battle.net has its changing-number two-factor authentication device, which would be a lot better than a smartphone app. It's smaller, fits on a key ring, and works well. I used it a lot for a while, then I disabled it on Battle.net. Even that device added to the hassle of logging in, and I could not use built-in password managers to simplify logins.

For work, financial, or other critical log-ins, yes. For the run of the mill stuff, no.

I would like a thumb drive that I could just plug in (and I am sure, forget to pull out).

dgrmouse

But it works a treat for preventing impulse purchases! Every time I consider buying a Blizzard product, the urge passes long before I finish tracking down the device and contemplating the install of a huge software framework just to play one game. As the number of WoW subscribers falls, all the Battle.net and monolithic login application buildup will change from a benefit to a liability. Returning to the topic at hand, I remain skeptical that my PC security will be improved by introducing an insecure cell phone. More likely, it will just be easier to monitor my activity if I have to ping my cell phone every time I log in to my bank's website.