John McAfee rattles tin for password replacement tech

Infosec wild man John McAfee has taken time off from his US presidential campaign to launch a fresh funding drive for a password replacement product. The proximity-based authentication and access control product, dubbed EveryKey, is also touted as a replacement for physical keys, as the pitch explains. Everykey replaces your …

  1. Christian Berger

    This would be a good idea if

    ... you wouldn't have to give out objects you have at searches.

    Unlike a password, you can legally be forced to give the police your device.

    But hey, this comes from John McAfee, the snake oil salesman, it's not like he ever (professionally) thought a security related question through to some extent.

    1. Fruit and Nutcase Silver badge

      Re: This would be a good idea if

      not quite, thanks to RIPA

      http://search.theregister.co.uk/?q=password+police+ripa&advanced=1&author=&date=the+dawn+of+time&site=0&results_per_page=20

      It is also controversial because a decryption key is often a long password – something that might be forgotten. An accused person might pretend to have forgotten the password; or he might genuinely have forgotten it but struggle to convince a court to believe him.

      http://www.theregister.co.uk/2010/10/06/jail_password_ripa/

      http://www.theregister.co.uk/2009/11/24/ripa_jfl/

  2. Paul Crawford Silver badge

    Close, but no cigar

    Having a physically isolated password store is a good start, you don't have to entrust your data to others (or do you? details...) and it ought to be difficult to hack by virtue of having a limited connection to the machines it unlocks. Also it ought to encourage unique and difficult passwords all round, so you don't get some numptie's server being raided and half your family/friends other accounts exposed due to id (email address?) & password re-use.

    But really it ought to be a 2FA item, and you still should need some master password as well, so that it can't be stolen and used before you realise it and can have it frozen. There are, of course, other issues like how it is supported on the host machines, and how free such software will be (e.g. will there be an open source driver for Linux use?) to make it usable on enough platforms to be of value.

    Most worrying is the time and money so far for no sign of a working prototype...

    1. Charles 9

      Re: Close, but no cigar

      So what about if you only carry one factor on you: the fob, because you don't believe in cell phones, for example?

      And what if your memory is so bad that even ONE long password is problematic ("Now was it 'correcthorsebatterystaple' or 'cotterpindonkeypetrolwrong'?")

    2. Paul Moore

      Re: Close, but no cigar

      Hi Paul

      There was a working prototype back in Nov 2014 when EveryKey hit Kickstarter, but it bears little resemblance to what is being offered today.

      https://www.kickstarter.com/projects/everykey/everykey-the-wristband-that-replaces-keys-and-pass/description

      The original purpose of their first crowd funding campaign was to "fund their first production run", suggesting all the R&D, quality assurance and prototyping niggles had been ironed out already. In truth, backers paid to entirely redesign the product. To add insult to injury, at no point was it mentioned that EveryKey needed a further $1 million dollars to complete the project. Unfortunately, the contractual obligations of those investments forced EveryKey to launch another Indiegogo campaign, presumably to sell a minimum amount within a certain time after funding.

  3. OffBeatMammal

    how much?

    $130 (+shipping) for something that's little more (if even that) than a $50 Yubikey Neo - https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ - which admittedly doesn't use BT 4.0 but relies on NFC

    Maybe in a couple of years when standards settle out a bit more this will be viable, but not sure I want to be an early adopter for an untried security solution...

  4. Anonymous Coward

    Enjoy COKE!

    Can't he raise the money by selling a few keys of that blow that he's got stashed away? Why is it that rich pricks keep pleading poverty all the time?

    1. Anonymous Coward

      Re: Enjoy COKE!

      That isn't the complexion of a man who thoughtfully stashes away coke for future use. That is the complexion of someone who dives in face-first.

  5. a_yank_lurker

    Maybe

    The idea sounds nice but it is one more object to keep track of and possibly lose.

    1. Paul Crawford Silver badge

      Re: Maybe

      Wristwatch? I have never lost one of mine, though I have occasionally forgotten to put it on in the morning. If my pre-departure email check needed it, then probably that would be further reduced to the point where it's an acceptable risk.

      But..still needs something like a master password designed-in as well so it can't be used to activate another phone by someone standing next to me in the tube, etc, without my knowledge.

  6. garethsnaim

    I purchased MacID, which when I approach my computer unlocks it from either my phone or watch, so why is this at 'prototype' stage?

  7. chivo243 Silver badge
    Coat

    Just call Brian Roedecker

    Have him install that passphrase device that responds only to your voice modulation. Even if someone got your phrase, it has to come from your voice.

    Or if you're really hot for security install a system like Edna Mode has in the Incredibles... pincode, handprint, voice scan, iris scan and it detected that Edna had a guest as well.

    I know this is all hot air, seems John is full of it on this occasion.

  8. VinceH
    Facepalm

    "If you lose your Everykey, you can remotely freeze it, so no one else can use it."

    Mentioned (quoted) in the article, and stated by McAfee in the video at about 1:08: "If I lose it, I can remotely freeze it. Then use my old passwords until I find it again."

    This means a couple of things.

    Firstly, it means that when the video has Luddite John referring to his "secure document" on which he stores all his passwords, and Everykey John says "This replaces all of those," it's lying. You still need to keep those passwords somewhere safe in case you lose this device and you need to use them. So that "secure document" (humorously represented by a scrolled up piece of paper secured with a padlock and key) isn't actually replaced, as such. It's just locked away somewhere.

    Secondly, the video also refers to it replacing keys - and Everykey John suggests it can be carried in a holder attached to a keyring. So you're carrying it with the keys you need to replace. That amused me.

    Now, someone pro-this rubbish might argue that you now need to carry fewer keys - which is itself hinted at in the video: Luddite John has a much bigger bunch. However, once again, there is the issue of what happens when the device is lost. As with the passwords, you'll need to use your keys - so, you definitely need to be carrying the important ones with you, such as the one to get in your house.

    And if you're carrying the Everykey on your keyring along with the other keys when you lose it, you're just as frelled when you lose that as when you lose your keys anyway - because you've just lost both.

    So as a key replacement, it seems even more pointless - more a matter of laziness (it's now quicker and easier to unlock the door) than of practicality.

    Also (from the Indiegogo page) to freeze the device, you do so through Everykey (by calling or via the website) - so you need that password at the very least - and "a message is immediately sent to all of your devices letting them know that they should not unlock without manual password entry." No mention there of physical locks - so either physical locks are now vulnerable (because you don't know if Everykey is simply misplaced or stolen), or for the same lock down to happen, your locks need to be iOUT* locks.

    I'll stick with passwords and keys, thanks all the same.

    * Internet of Unwanted Things

  9. cmaurand

    Is it me or does this sound like an RSA token with Bluetooth?

    If this thing unlocks your devices by being in proximity, how are you even going to unlock the device without the key to remotely freeze the lost or stolen key in the first place?

    I agree that passwords suck, but I don't think this is the answer, either.

  10. Jin

    Who will be pleased?

    However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

    And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

    Incidentally, biometrics are dependent on passwords in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. Passwords will stay with us for long.

    It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).

    1. Charles 9

      Re: Who will be pleased?

      (= what we know and nobody else knows).

      Trouble is, are there REALLY things we know that nobody else knows or rather there are things we know and only THINK nobody else knows. It's like searching for that absolute truth everyone can universally agree upon. I suspect it'll be like chasing unicorns; there's no such thing as something ONE AND ONLY ONE person can ever know. So what else can we use?
