A (not) new security idea
Brian Fahrlander
brian at fahrlander.net
Thu Oct 14 11:26:20 UTC 2004
On Wed, 2004-10-13 at 20:58, Scot L. Harris wrote:
> On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
> Security wise it is always a bad idea to write down passwords or
> passphrases. The reality is that almost everyone does just that. :)
Oh, to be sure! But if they're GONNA do it due to human nature,
it's better to have them do it off site...
> Actually there are several different two factor authentication schemes
> out there. The idea of authenticating someone based on something they
> have and something they know is pretty much the standard for really
> secure systems.
>
> And I think that may be the issue with widespread adoption of such a
> system. Most people feel that a password provides enough security for
> their purposes. And from past experience dealing with users, if you make
> a system too complex they won't use it. This includes issues with
> recovering from that catastrophic failure or lost passphrase.
Well, that may not be a problem. The way I see it, the initial
(beta) would take place amongst the people who care about it the most,
then as time goes on we point'em to a howto and let'em enter things into
a form. Then, it becomes a convenience feature that people might
actually adopt, especially since carrying a fob like this is, in some
places considered to be a status symbol. "Sure, you've got one...but
does it _do_ anything for you?"
> Personally I think a proof of concept would be the first thing. Once
> you have that then you can sort out the silly stuff like names and such.
> :)
OK, is this formal? Is there a section on the RFC library sites for
this kinda thing? Are we talking about a working model, or a very rough
draft?
> Don't forget that you need to encrypt anything you want to send like
> that. Probably you will want to consider using some kind of public key
> setup so that you never pass the real password info over the network.
Well, the indication that a fob is available for authentication
could be "**KEYFOB**" in the browser line, then the server would switch
to TLS/SSL/etc and interrogate it, if it supports it.
> Like I said before, getting widespread adoption of something like this
> will be a problem. It will appeal to a select group at best. Take a
> look at selinux over the next year. If/when that is enabled by default
> I suspect you will see the most common question on the list is how to
> disable it.
:) I've been waiting secretly for that day, knowing it'll be a LONG
day for newbies.
> I do have one idea that many people may find useful. Using your idea of
> a USB flash memory, figure out how to store your web browser's cache of
> passwords on the flash memory. Then no matter what machine you use you
> plug in the flash and your browser has all the passwords for all the
> sites you visit. Would need to modify the browser to look for the cache
> information on the flash memory. Once you get the proof of concept
> working then you need to add heavy duty encryption to the flash device
> and a method to unlock it for use by the web browser.
Yeah, that would also be a way to get it off the machine and make
them portable, too. Is there a standard amongst Mozilla variants?
Galeon, Epiphany, Firefox all using the same password file?
--
------------------------------------------------------------------------
Brian Fahrländer Christian, Conservative, and Technomad
Evansville, IN http://www.fahrlander.net
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
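The two ideas the thread keeps circling back to, authenticating with something you have plus something you know, and never sending the real password over the wire, can be shown in a few dozen lines. The following is an added example written for this page, not code from either poster: a toy challenge-response login in Python where the "fob" holds a static secret, the user supplies a passphrase, both factors are folded into one key with PBKDF2, and the client answers a server nonce with an HMAC. The names (`Server`, `Client`, `derive_key`, `run_login`, `demo`) and every value are constructed for the demo. It uses a shared-secret HMAC rather than the public-key setup Scot suggests; the difference matters, because here the server still stores the derived key, so a server compromise lets an attacker answer challenges, whereas a public-key scheme would store only a verifying key.

```python
import hashlib
import hmac
import secrets

# All identifiers and values in this file are constructed for the example;
# none come from the mailing-list thread.


def derive_key(fob_secret: bytes, passphrase: str, salt: bytes) -> bytes:
    """Fold the two factors (fob secret = something you have,
    passphrase = something you know) into one 32-byte key.
    PBKDF2 slows down a brute force of the passphrase if the fob alone leaks."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt + fob_secret, 200_000, dklen=32)


class Server:
    """Server side: stores only the derived key (never the passphrase)
    and accepts each challenge nonce exactly once."""

    def __init__(self):
        self._users = {}      # username -> (salt, derived_key)
        self._pending = {}    # username -> outstanding nonce

    def enroll(self, username: str, fob_secret: bytes, passphrase: str) -> bytes:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_key(fob_secret, passphrase, salt))
        return salt   # the client needs the salt to re-derive the key later

    def challenge(self, username: str) -> bytes:
        if username not in self._users:
            raise KeyError("unknown user")
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)   # one-shot: a replay fails
        if nonce is None:
            return False
        _, key = self._users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Client:
    """Client side (browser plus fob): answers a nonce with an HMAC, so
    neither the passphrase nor the fob secret ever crosses the network."""

    def __init__(self, fob_secret: bytes, passphrase: str, salt: bytes):
        self._key = derive_key(fob_secret, passphrase, salt)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_login(server, username, fob_secret, passphrase, salt) -> bool:
    """One complete exchange: challenge -> response -> verify."""
    client = Client(fob_secret, passphrase, salt)
    nonce = server.challenge(username)
    return server.verify(username, client.respond(nonce))


def demo() -> dict:
    """Constructed scenario: a good login, a wrong passphrase, a wrong fob,
    and a replay of an already-used response against a fresh nonce."""
    fob = secrets.token_bytes(16)        # secret baked into the fob
    passphrase = "correct horse battery"
    server = Server()
    salt = server.enroll("brian", fob, passphrase)

    results = {
        "both_factors": run_login(server, "brian", fob, passphrase, salt),
        "wrong_passphrase": run_login(server, "brian", fob, "wrong", salt),
        "wrong_fob": run_login(server, "brian", secrets.token_bytes(16), passphrase, salt),
    }
    # Replay: a valid response captured on the wire is useless against a new nonce.
    client = Client(fob, passphrase, salt)
    captured = client.respond(server.challenge("brian"))
    assert server.verify("brian", captured)
    server.challenge("brian")            # new nonce issued
    results["replayed_response"] = server.verify("brian", captured)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The nonce is popped before comparison so a captured response cannot be replayed, and `hmac.compare_digest` avoids leaking the expected value through timing. Whatever transport carries the exchange (the thread's TLS switch) still has to be in place, since the nonce and response themselves are not secret but the session that follows is.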