Everykey – The Master Key to Your Phone, Laptop, Website Accounts, and More (everykey.com)
62 points by taivare on Feb 5, 2016 | hide | past | favorite | 48 comments


From The Hitchhiker's Guide to the Galaxy:

It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.


This a 100 times.

And thanks for reminding me to read The Hitchhiker's Guide again!


I don't see how this is much different from key generation software running on a phone or any other device. Useful as a 2nd factor for authentication and a little less friction (more convenient, less secure). I've yet to see any technology that can replace an old fashioned master password as the 1st factor. All the hype around biometrics a few years ago seemed especially silly given that it's pretty easy to steal fingerprints and once stolen, of course, they are pretty hard to change. Maybe I'm an outlier here but I think in 20 years we'll still be using password managers with master password type in authentication into a dashboard with varying degrees of additional authentication required to access sites/services within, based on relative sensitivity.


> I've yet to see any technology that can replace an old fashioned master password as the 1st factor.

For a few weeks I've been using the Windows Hello system on my new Surface Pro 4. It's using facial recognition, and it's pretty awesome: turn on the PC, sit still for a second, it greets you, logs in and you can work. For two-factor logins I use the Microsoft Account app on Android, which also works very well (no typing a code, just approve the request on the phone).

Now if only Microsoft would fix the power/sleep issues with the Surface 4, it would be perfect.


Have you or anybody else tried to crack it? Ease of use isn't the only part of good security. Would a picture work? A recorded video on an iPad? etc.


Windows Hello uses an IR emitter and camera to get a 3D map to verify in addition to the ordinary webcam, and I've confirmed that mine doesn't fall prey to the most obvious of exploits.

Of course, it makes the assumption that "<user>'s face in front of the computer means <user> wants to log in", which may not always be the case.

That being said, I'm eagerly looking forward to reading about its pitfalls once people crack it.


I wonder if your face would look different enough in the 3D map while under duress to stop it from authenticating. Or what about if you're unconscious? It sounds like it would be real easy to break this security with a $5 wrench.


That's the case for a lot of security, though?


> Have you or anybody else tried to crack it?

I've read it is very accurate: even twins who look very much alike won't fool it.

But it still has some funny characteristics: if you train it for two people/faces (you can scan multiple times), it will happily let both people log into the account.

Another gotcha: if I go for a coffee I usually lock my PC (Windows-L). If I then go too slowly, it will recognize me again and log me back in, leaving the pc unlocked.


My wife has a Surface Pro 3, and slams it from standing on its leg down onto the keyboard cover. I wince every time she does this, because I expect the glass to shatter. But she never has issues with it sleeping.

It's like the technological version of "Go the fuck to sleep" I suppose.


> Now if only Microsoft would fix the power/sleep issues with the Surface 4, it would be perfect.

Load the newly updated Intel display driver.


And if you want a pretty secure second factor, the YubiKey is available; the Neo supports NFC, so it works with some Android phones.


Touch ID or any other fingerprint readers are static, but what about behavioral biometrics which are very difficult to reproduce if done right, like voice verification or dynamic signature verification?

Don't forget that today's iris scan, using Daugman's algorithm, is the gold standard in biometric technology.


So, since the original Kickstarter, FIDO and U2F came about. I can't find anything that suggests that this has any relation to standards, or more technical detail rather than marketing. That's worrying.


The Everykey device holds a decryption key (or key-equivalent) for your keychains, and it has over-the-air upgradeable firmware? Even if the firmware is signed, and the upgrade procedure is password-protected, the feature may expose the device to a variety of different attacks.

(Not to mention hardware attacks, since even if the device has a secure element, it has to send key material back to the device with the keychain.)


Is this actually really positively available right now? I don't see any link to kickstarter or a preorder link or a video that says "But now, we need your help". If so, it's refreshing.


That's because their Kickstarter (linked from the bottom of the website; [1]) ended in November 2014. The original shipping date for customers was March 2015; they now claim that they will ship by March 2016, but they also started a second crowdfunding campaign on Indiegogo [2].

[1]: https://www.kickstarter.com/projects/everykey/everykey-the-w...

[2]: https://www.indiegogo.com/projects/everykey-your-only-key


There is a big button in the top right corner that says "buy now" which is next to the "shop" link and the page loads JS from stripe.com.


One of the more surprising things to me is how few people use password managers. I know some companies buy 1Password for all their employees and less than half of their employees use it.

I really don't understand why that is. I've always thought it was partly a pricing problem (which would be very bad for this $128 gadget), but when your company is providing it to you for free, that can't be the reason you don't use it.


I am about to finish a more limited implementation of this idea for Android Wear smartwatches and Windows. It works by measuring Bluetooth signal intensity (RSSI).

I already made a prototype for Mac & generic smartwatches [1], but if you have a Pebble you'll have to disconnect the watch from the phone. Questions, criticism & suggestions are welcome.

[1] https://www.gadgetish.com


Using just signal strength as an authenticator is a bit of a shaky idea for actual security IMO. Car thieves have been using signal amplifiers to break into cars for a while now.

I think you should have some initial prompt on the watch that asks the user if it is OK to unlock the device. It's more friction, but otherwise it's trivially bypassable.


> Car thieves have been using signal amplifiers

Very true. But I am using Bluetooth, and it has much better security protocols than the plain simple radio-frequency signals of car remote controls. At the very least, the user needs to first pair the watch with the computer. Besides, all communication between the 2 is encrypted. And, to avoid Bluetooth spoofing, there is also an exchange of time-based encrypted tokens, all transparent to the user. There are a few more security details about it (e.g.: the authentication password is not stored in the watch, it is AES-encrypted on the computer, etc). I intend to write a detailed risk assessment about it later.

In truth, my intention is to someday make it FIDO UAF [1] compatible, if I get the money to do it.

It is very cool to understand what concerns people have about it. Thank you.

[1] https://fidoalliance.org/specifications/overview/


I believe that you can safely pair with the watch and authenticate it reliably and an attacker can neither read nor modify what you send; this is largely a solved problem.

But I am concerned that you cannot measure proximity accurately because an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents, and none of your comments about crypto or time-based tokens convince me otherwise.


> an attacker could just replay messages between the two devices and boost the signal without being able to decipher the contents

As a simplified version of a MITM attack? That is clever, I admit I didn't think of it.

However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages. That is for the Android Wear-Windows PC version, though. I admit the Mac version is not that sophisticated, yet.


> However, even in case the attacker is able to do so, the watch would still inform the user when the PC is unlocked. And the user can manually force a lock, from the watch, overriding the proximity/signal strength.

It's better than nothing, but the user is likely to think of it as a malfunction if they are far away (e.g. at a coffee shop), and the watch may not actually be physically on them at the time either.

And a second is really enough to plant malware on a computer; you can already buy a USB stick which types in commands much faster than a human: http://hakshop.myshopify.com/products/usb-rubber-ducky-delux...

Though that might be more of an argument about why this attack vector is unrealistic since most people don't even have full disk crypto on their phones/computers.

Also, not sure if you've seen this, but surprisingly these guys are still around: http://www.knocktounlock.com/


> And the user can manually force a lock, from the watch, overriding the proximity/signal strength. To intercept this the attacker would need to decipher the messages.

Not if the attacker stops the relay right after the PC is unlocked.


> Not if the attacker stops the relay right after the PC is unlocked.

No, if it happens the program falls back into the "user is away->lock the computer" mode.


So what happens if my watch shuts down for some reason while I'm using the computer?


So, don't unlock without watch confirmation. Ever.


Hah -- in the demo animation, a gmail account comes up for John McAfee, one of the emails was from someone asking 'How do I uninstall McAfee virus?'.


Looks like he's involved in the product: http://fortune.com/2015/12/29/john-mcafee-everykey/


That makes sense now. :)


You should watch the pitch video, which features McAfee himself[0]. It's rather amusing.

[0] https://www.youtube.com/watch?v=PFNRkd1g-kg


Neat idea but how would it protect against a relaying/signal boost attack?


Not sure if they are, but it could be done by having the device measure the round trip time of the signal, and refusing to answer if it's too long.


Most likely not, because the turnaround time in a challenge and response, plus the clock skew between devices, is far greater than the range boost.
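A toy model of the two policies argued over in this thread, the RSSI-only unlock and the round-trip-time bound, as an added example that is not code from Everykey or from the gadgetish project. The watch, its HMAC challenge-response, the key, and every latency figure are constructed assumptions; the point it makes is that an amplified signal passes an RSSI threshold, a relay that forwards bytes unchanged still pays a latency cost, and the distance resolution you get from millisecond-scale timing is measured in hundreds of kilometres.

```python
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_S = 299_792_458


def rssi_unlock(rssi_dbm, threshold_dbm=-60):
    """Policy discussed in the thread: unlock when the signal looks strong.
    An amplifier or relay raises RSSI without the watch moving closer."""
    return rssi_dbm >= threshold_dbm


class Watch:
    """Hypothetical watch answering challenges with an HMAC over a key shared
    at pairing time (constructed stand-in, not any real Bluetooth profile)."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def direct_channel(watch, challenge, turnaround_s=0.0025):
    """Watch beside the PC: only the radio turnaround (constructed) is seen."""
    return watch.respond(challenge), turnaround_s


def relayed_channel(watch, challenge, turnaround_s=0.0025, relay_delay_s=0.004):
    """A relay forwards bytes unchanged (it cannot forge the HMAC) but adds
    latency; both delays are constructed values."""
    return watch.respond(challenge), turnaround_s + relay_delay_s


def rtt_unlock(watch, key, channel, max_rtt_s):
    """Distance-bounding style policy: a fresh challenge must return with a
    valid HMAC within max_rtt_s. Latency is the one thing a relay cannot hide."""
    challenge = os.urandom(16)
    response, elapsed_s = channel(watch, challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected) and elapsed_s <= max_rtt_s


def distance_resolution_m(timing_jitter_s):
    """One-way distance light covers during a round-trip jitter of
    timing_jitter_s: the objection that ms-scale jitter dwarfs BT range."""
    return timing_jitter_s * SPEED_OF_LIGHT_M_PER_S / 2
```

With 1 ms of timing jitter the bound cannot tell 1 m from 150 km, so an RTT check only helps once timestamps are taken at the radio with sub-microsecond precision, which is the thread's objection.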


Maybe it has a button on it?


I hope so. Their whole angle seems to be 'automatic access via proximity'.


The security group at the University of Cambridge has been working on a similar project for a few years now: https://mypico.org/


Took me a sec watching the demo to realize that the person logging in is John McAfee.


Page took too long to load


Build yourself a honeypot! Today!


[deleted]


You should watch the videos on the website before assuming things. According to him, you can freeze your device when you lose it.


You mean, like the video that purports to be a "Demo", but is actually just John McAfee waving his dick around and pretending to be an actor? That video?


Yes in the video he says that. Now what's your point?


My point was clear. The demo wasn't a demo. He showed and told NOTHING about how the product actually works.


I'm sorry, were we arguing whether this was a "DEMO" or not? You were the one who brought it up. I just pointed out how the assumption that someone can steal the device and use it just like a steel key is not true. Nothing to do with the quality of the video.


Isn't this the same John McAfee who fled Belize in 2012 after some crazy situation that involved drugs, guns, and a murdered neighbor?

Not exactly the guy I want safeguarding my entire identity.

https://en.wikipedia.org/wiki/John_McAfee#Legal_issues
