Lenovo, PayPal and lesser-known fellow travellers Agnitio, Infineon Technologies, Nok Nok Labs and Validity, have cooked up a new authentication standard for websites and an alliance to push it to the world. The Fast Identity Online Alliance (aka FIDO), as the group and proposed standard are both known, advances a two-factor …
How many days...
.... before this is cracked?
"A browser plugin is an essential piece of the FIDO plan"
Of course, the coding of the plug-in will be to such a high standard that it will be impossible for any rogue web site to read anything from the token (or, heaven forbid, write to it), won't it?
See also: Java, ActiveX, Flash.
Re: How many days...
It might, just might, be open source - or at least open for security researchers. If it is not, I do not quite see how this might be approved by wide enough user base.
Just got a Yubikey
(http://www.yubico.com/) and it seems to be a nice piece of kit - my email provider uses it so I can protect my email in a more secure way. There IS innovation in this space, it's just more vendors need to embrace it.
Anybody else have one?
Re: Just got a Yubikey (Fanboy alert)
Yes. I've had one for nearly three years, now, and love it.
I recently bought a Yubikey Nano, which has challenge-response and can be used as an additional token for Windows logon.
I just have one concern about the original (one-time password) Yubikey. The AES encryption key lives in the Yubikey, where it's safe, and on the authentication server, where, in principle, it isn't. Maybe a challenge-response arrangement might be better.
Or they could just implement one of the PAM-based systems already out there, for hordes of people, say - those Android users who can use Google Authenticator. But that's free and thus not something they can charge for :)
How exactly will lubricating the device make it more secure?
If PayPal are involved, I probably don't want anything to do with it...
Would be nice if they'd just accept Google Authenticator.
PayPal's involvement doesn't impress me. I'm more likely to go for something based on the Yubico platform (and I see Google recently announced they're working with Yubi on a similar two-factor auth scheme to do away with passwords).
I use a Yubi key for personal stuff, and for work have a Gemalto token - the sooner site/domain specific passwords are done with the better, though I would want any two-factor auth scheme to provide the ability for me to maintain different personas - "work", "private", "public" etc.
I see the Trusted Platform Module is making another insidious theoretical comeback.
It sounds like another hype.
2 being larger than 1, it looks obvious that the 2-factor solutions should provide more or less higher security than 1-factor solutions, but with caveats.
1. What works in the unguarded outdoor environment necessarily works as well in the guarded indoor environment, but what works indoors does not necessarily work as well outdoors.
However sophisticated the physical tokens may be, the security obtained by the possession of the token would be lost altogether when the PC/tablet/phone gets stolen together with the physical token. We should not assume that attackers who have the chance to steal the PC/tablet/phone will always refrain from stealing the physical token.
If a password is supposed to stay as another factor against such threats, it is not appropriate to call the scheme a post-password plan.
2. Biometric solutions could be one of the 2 factors only if their false rejection rates are zero when the false acceptance rates are close to zero in the outdoor environment. For they would otherwise require something else (possibly a password) for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. The overall security cannot be higher than when only that “something” was used.
Convenience should not be a replacement for security.