Shove over, 2FA: Authentication upstart pushes quirky login tech

Security upstart LiveEnsure is trying to shake up the authentication market with technologies that verify users by device type, location and user behaviour, as an alternative to established authentication systems. The firm is pushing its smartphone-based services as an alternative to security tokens, biometrics, one-time- …

  1. g00se
    Black Helicopters

    Intrusiveness++

    Looks like a very good way of justifying the collection of personal data at a depth that would be orders of magnitude greater than that collected by the likes of Zuck and co. He's probably already instructing minions to prepare for possible purchase of 2FA.

  2. TheWeddingPhotographer

    Security for boring people then

    Let me get this straight... You do something "out of your norm", and your phone says no...

    Happy holidays

    1. Trevor_Pott Gold badge

      Re: Security for boring people then

      Let me get this straight... You do something "out of your norm", and your phone says no, this is reported to your every allied government so that they can investigate...

      T, FTFY

  3. Dan 55 Silver badge
    FAIL

    Great... until you go away on a trip

    Which is when you most need remote access.

    1. Billa Bong

      Re: Great... until you go away on a trip

      No, no, they take that into account. Like when I go to the states and try to log in at the equivalent of 2am when they'll call my friends to make sure I'm in the states!

      1. Billa Bong

        Re: Great... until you go away on a trip

        On my last trip I was about to inform my credit card company (you know, the one who I booked the flights and hotel through and therefore knows I'm taking a trip) when I read this on their website:

        "There is no need to inform us that you are going abroad as normal authorisation rules will continue to apply regardless."

        Thank goodness for sanity.

  4. Stuart Castle Silver badge

    OK, so the description of what they actually measure is fairly vague (and probably deliberately so), so I may be wrong but the tech, as described, has some major flaws.

    First, location. How does the system handle unexpected locations? You may usually use your phone on a Campus or in a town (as described) but what happens if you suddenly end up having to call someone while in the middle of a field in Cornwall?

    OK, so it sounds like it will happily contact people in your contacts list, but how does it deal with IVR systems such as those in use by banks (after all, I suspect most people have some sort of phone banking access now)? How does it work in the middle of the night? Does it phone your contacts at 4am? How would it deal with exes whose number you haven't got rid of? Would it phone them? Could be embarrassing. What if you have a lot of company phone numbers in your contacts book? Are they going to get called asking you to verify your ID even though they are unlikely to have a clue who you are?

    Also, the article mentions they use gestures. This can be a very good way of identifying a person as even if someone should see you making a gesture, the timing of each individual movement within that gesture is apparently very personal and is difficult for humans to replicate. However, how would the system cope with the disabled? Someone with very bad motor control or very bad movement is unlikely to be able to use gestures.

    1. Billa Bong

      Plus...

      The mention of wearables is made several times - so we're replacing a password that I have in my head plus a mobile phone that I have in my pocket with a password that I have in my head (typed in my own unique way... you know, wrong, wrong with caps on, wrong typed slowly and then right when I remember I changed it last week) while wearing a device (which of course will never get lost unlike a mobile phone, right?) at a particular location (unless I happen to be somewhere else).

      Failing to see the benefit so far.

      1. Peter2 Silver badge

        Re: Plus...

        There isn't one, obviously. They are hardly going to admit that though.

        I truly love ideas people have about security these days. Did you know you can host an AD server in the cloud via Azure along with the 2FA portal also on Azure? Why anybody would do both escapes me, all a hacker would need to do is gain access to it and they could setup their own account on your domain and their own 2FA account and they could log into your network without actually having had access to your network to start with.

        Call me old fashioned (or paranoid) but I draw some comfort in my own systems being under my thumb (and under my firewall) and set up and accessible by me only. I just don't trust anybody else. Nothing personal, I'd hope nobody else trusts me that much either.

  5. Anthony 13

    Sounds like ...

    ... they are trying to transfer technology from the realm of fraud detection. Not sure you would want to use that for authentication though.

  6. g00se
    FAIL

    Oops

    He's probably already instructing minions to prepare for possible purchase of 2FA.

    I meant purchase of LiveEnsure

    1. werdsmith Silver badge

      Re: Oops

      I think in this case, FA is probably correct anyway.

      1. g00se

        Re: Oops

        Don't think so (2FA == Two Factor Authentication)

        1. Anonymous Coward

          Re: Oops

          werdsmith's comment makes sense for alternative values of FA.

  7. Robert Helpmann??
    Childcatcher

    What's the equivalent of password recovery?

    User: Hello. I can't log in to my e-mail account.

    Tech: OK. So where are you?

    U: At home, where I normally read my e-mail.

    T: Right. Then, what are you doing.

    U: Just sitting here in the chair where I normally read my e-mail.

    T: On Tuesdays? Because that can make a difference you know.

    U: No, I am normally at work on Tuesdays.

    T: Right, so we need to reset your access. I need for you to do the following. Are you ready?

    U: Sure.

    T: OK, I need you to stand on just your right leg. Got it?

    U: Uh, yeah.

    T: Now, while you do that, I need you to hold your phone to your right ear with your left hand, but you have to have your left arm behind your head. Got it?

    U: Hold on a sec. Yeah. OK. Got it.

    T: Now hop up and down while you hum your favorite movie's theme.

    U: Uh, sure. Hmm-hmm HMM-hmm-hmmmmm...

    T: Great. Try it now.

    U: (panting) Let's see... Nope. Still can't get in.

    T: Right. Let me try this <clickety-click>... Try it now.

    U: Oh, it works. Great! Thanks for the help.

    T: My pleasure. Now, if you don't mind, please stay on the line for a brief survey rating your satisfaction with your service today.

  8. This post has been deleted by its author

  9. Anonymous Coward

    So if someone pwns the phone and manages to fake the location (Android allows for mock locations), figures out how to mimic the gestures, the mark has no friends, and you happen to live in the same town as your mark meaning you're still within the geographic profile...?

  10. Jin

    False Acceptance & False Rejection

    Excessively depending on "contexts" could well bring the same sort of dilemma as biometrics, i.e., false acceptance versus false rejection, which can be summarized below.

    Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

    Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
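The trade-off in the comment above, worked through as an added example (not part of the thread): for two independent factors with per-attempt attacker success rates x and y and false-rejection rates frr_x and frr_y, OR-combination (either factor alone unlocks) and AND-combination (both must pass) pull false acceptance and false rejection in opposite directions. All rates below are constructed illustrative values, not measured figures for any product.

```python
"""Added example: false acceptance vs false rejection for two factors
combined by OR/disjunction or AND/conjunction, in the x, y notation used
in the comment above. Factors are assumed independent."""


def or_vulnerability(x: float, y: float) -> float:
    """Attacker needs to beat only one factor: P(A or B) = x + y - xy."""
    return x + y - x * y


def and_vulnerability(x: float, y: float) -> float:
    """Attacker must beat both factors: P(A and B) = xy."""
    return x * y


def or_false_rejection(frr_x: float, frr_y: float) -> float:
    """Legitimate user is locked out only if both factors reject them."""
    return frr_x * frr_y


def and_false_rejection(frr_x: float, frr_y: float) -> float:
    """Legitimate user is locked out if either factor rejects them."""
    return 1.0 - (1.0 - frr_x) * (1.0 - frr_y)


def compare(x: float, y: float, frr_x: float, frr_y: float) -> dict:
    """Return both combinations side by side so the dilemma is visible:
    OR is never more secure than the stronger single factor (x + y - xy
    >= max(x, y)); AND is more secure but rejects more real users."""
    return {
        "or_false_accept": or_vulnerability(x, y),
        "and_false_accept": and_vulnerability(x, y),
        "or_false_reject": or_false_rejection(frr_x, frr_y),
        "and_false_reject": and_false_rejection(frr_x, frr_y),
        # Sanity check of the comment's claim that OR is weaker than y alone.
        "or_weaker_than_best_factor": or_vulnerability(x, y) >= max(x, y),
    }


if __name__ == "__main__":
    # Constructed rates: a sensor with 1-in-1000 false acceptance and 5%
    # false rejection, beside a password guessed 1-in-10000 per attempt.
    for name, value in compare(0.001, 0.0001, 0.05, 0.01).items():
        print(f"{name:28s} {value}")
```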

  11. The Vociferous Time Waster

    Behaviour

    "Good afternoon, this is HSBC fraud team, how is your Christmas shopping going?"

    "Fine, thanks"

    "Good to hear it, enjoy London."

    Compared with more recently

    "Hello, Citi, why was my card just declined at my local restaurant while taking my in-laws out for dinner"

    "We placed a block on your card after you bought some jewellery over the phone"

    "So you let the big suspicious transaction go through but blocked the smaller and not at all suspicious transaction through?"
