Passwords are dead, and what really needs to happen is that we all have some type of software we can download and put on our USB sticks. We stick the USB stick into a drive, type in a 4 digit pin code and on that PC we are now securely logged in till we pull that USB stick out. Whenever a site is opened that requires an even higher level of security (like a bank page), we have an additional level 2 security code.
Thank God someone finally sees that OpenID is a waste of time and resources. I really don't understand why so many tech kids are jumping on this OpenID bandwagon when it is:
1. Difficult to use
2. Confusing
3. Has no obvious advantages for most end users
4. Insecure by design
Get rid of ATM pin codes, too. All you should need is the card. And the same card for all your bank accounts!
Anything that requires physical access to a card or usb stick or a specific computer to do things on the web is a non-starter.
Given this constraint, passwords work fine. The problem boils down to the completely unavoidable security vs. ease of use trade-off. I say just get rid of the complexity requirements. If someone wants to enter a blank password for all their needs, let them. I personally will keep track of my varied and complex passwords.
I don't really need to have a USB stick to use this system, as it is just software. In emergency situations, I can ask another site to act as the USB stick, and then type in my pin code there. So it's still secure, as people do not know my pin code.
Sure, keep using your passwords, my grandpa also loves using his walkie talkie.
Passwords and social engineering go back millennia, and both will continue forward into the foreseeable future.
What might lead anyone to believe there is a technical solution to this?
Even if the most fearful involved here manage to mass-deploy what they're told is uncrackable personal remote identification -- and undoubtedly at great financial cost to all parties involved, and quite probably at great social cost, too -- it'll (still) get cracked.
Security needs to be "good enough", "affordable" and "usable." Security that is unaffordable or unusable will be bypassed.
Public key is a solution, or at least a huge detriment, to social engineering. The problem with passwords is they're fixed; once an attacker gets it they're in forever. If we used asymmetric crypto to log in to websites people wouldn't even have to know how it works. Instead of a password text field on a website there would just be a button, and the site would do a check with your browser to make sure you have the private key corresponding to the public key they have for your account. People wouldn't even have to know what a private key is, let alone where it's stored on the disk to give to somebody asking for it.
The problem is the lack of convenience when you are away from your primary computer. Having to take a memory stick everywhere to login to websites is going to annoy a lot of people an awful lot.
Also, if you plug that memory stick in a computer you don't own then that computer can read all the private keys you have on it... and possibly forward it to an attacker.
All current 'something you are' systems can be fooled - and they can be copied without you even knowing it (fingerprints are very insecure for example, since you leave them everywhere, same for DNA. Iris systems can be copied with a telescope.)
'Something you have' systems are flawed because it's too easy to lose the item, or have it stolen. Or the item can be duplicated (often very easily, sometimes not so easy).
Only 'something you know' is secure because it can never be taken from you or copied without your knowledge.
The point is that the combination of the three is the most powerful and secure. To copy something-you-are, they have to have access to you or things you've touched. To copy something-you-have, they have to steal the object itself. To copy something-you-know, they have to trick you into revealing it (phishing) or guess it. Requiring all three makes things that much more secure.
I really thought passwords would be dead by now, I'm amazed they're still the primary authentication mechanism. Public key is trivial to do these days, it's done by browsers all the time to secure communications but not to authenticate who you are. The article focused on the client side hardware, the cards that hold your private key, but the big issue is websites themselves. Sites need to switch from "enter a password:" to "upload your public key:"
Bad logic: author correctly notices that passwords are not the biggest problem in computer security right now, and yet somehow they should be eliminated. The weakest link is the software running on the computer. Spyware, trojans, XSS, XSRF, all make your super secure authentication system irrelevant.
The logic is sound if you take the stance that phishing is the biggest threat to security. I don't know whether it is or not, but XSS and CSRF at least are under the website developer's control. Malware and phishing are the head-scratchers for people who know how to build secure websites, and the information card system does partially address the phishing problem. It prevents the attacker from being able to log into your accounts, but it doesn't prevent you from telling him lots of other things.
If the information card also contained your public profile information, then a lot of phishing would be curtailed. The problem is that we are constantly asked for information. If this was largely automated, guarded by cryptographically secure means of identification, and attached to a physical device of some sort, then the number of times we're asked for information would be reduced tremendously.