Wednesday, March 3, 2010

The Real Way to Get the Password Off Your Computer

Password protection really is a thing of the past. It is still the most widely used authentication system, but the security implications are so outrageous I am surprised people use their credit cards online. There are so many ways passwords can be stolen: looking over somebody's shoulder, a man-in-the-middle attack if the site is not encrypted (especially if the password is sent through email), and even online scams. Surprisingly, protection against these threats has been unusually indirect, like browsers automatically blocking known scam sites. Revolutions in authentication technology, like OpenID and OAuth, have put a new spin on the market, but you still need a password to log in. So how do you protect your information and identity?

I have seen many attempts at solving the problem of passwords. Some were actually pretty good, just not taken far enough. At MyOpenID, they allow you to generate SSL certificates so you can log on with your web browser. However, what if you are using a public computer, the most likely place for a password to get stolen? You could purchase a sometimes costly USB device that will hold your certificate on it (there is even a PKCS standard for it), assuming the computer has the correct drivers installed. I believe, from experience, the best and most efficient way to make your information safe is to take the authentication out of the computer. Phone Factor provides something like this, calling your phone for verification before logging you in. This is an almost ingenious system. All you need to do is make sure nobody takes your phone, and voila! The primary concern with this system is convenience. Are you going to have your phone on you? What if your phone gets stolen or lost? In general, the method is just a little messy, and, coming back to it again, phone authentication only works when paired with a password.

But the solution to all of these problems is on its way. Safeberg, an online backup company, started displaying what might be the next generation of online authentication: offline authentication. Huh? What the company does is take a full 4096-bit RSA private key, convert it to a two-dimensional bar code, and print it out on a sheet of paper. We have yet to see what this will be printed on. Hopefully they are aiming for a compact, credit-card size key, but this may be too small, and is convenience enough of a reason to risk security? Maybe so. The other concern is also obvious: how do you get the paper to the screen? The company talks about multiple options. The first is not to go completely offline, just store the key in a PDF file on a flash drive, and use that. Another option is to take a photo of it or scan it. None of these options seem particularly efficient or convenient.

Well, all of this put aside, I have my own suggestion as to where the future of authentication should go. The first requirement: OTP. One-time passwords really are a secure device that can and should be used. I use OTP with my PayPal account, and it works perfectly. The second requirement: portability. I need to be able to carry it around. (I left security out of the requirements because I thought it would be pretty obvious.) My solution is a USB flash drive that has a custom output-only system. The website in question would save a file onto the flash drive, and instead of saving the file directly, the drive would automatically encrypt (or decrypt) whatever file was put in. The website can then take this file and use it to authenticate the user. If custom drivers are not installed on the computer, the files could be downloaded and uploaded manually, which would not take much time seeing as the files will be relatively small. It is not a panacea for all security issues, but a solution for this problem needs to be able to work with current systems without making big changes to the software on the computers.
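The challenge-response idea behind both Safeberg's paper key and the output-only drive proposed above, as an added example that is not part of the original post: the website writes a fresh random challenge file, the token returns a keyed transform of it using a secret that never leaves the device, and the website accepts each challenge only once, so a copied response file is useless afterwards. HMAC-SHA256 with a shared secret is assumed in place of the RSA or encryption step, and the names Token, Server, login and demo are my own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    """The output-only drive (or paper key): holds a secret it never reveals and
    only ever returns a keyed transform of whatever file is written to it."""
    secret: bytes

    def transform(self, challenge_file: bytes) -> bytes:
        # HMAC-SHA256 stands in for the drive's encrypt step (assumption, see lead-in).
        return hmac.new(self.secret, challenge_file, hashlib.sha256).digest()


@dataclass
class Server:
    """The website: knows each user's enrolled secret and the one challenge it is waiting on."""
    enrolled: dict                                   # user -> secret shared at enrollment
    pending: dict = field(default_factory=dict)      # user -> outstanding challenge, consumed on use

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)          # fresh random file, so the reply is one-time
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        issued = self.pending.pop(user, None)        # pop: a challenge is accepted at most once
        if issued is None or not hmac.compare_digest(issued, challenge):
            return False
        expected = hmac.new(self.enrolled[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, token: Token, user: str):
    """One round trip: server writes a challenge file, token returns the transformed file."""
    challenge = server.issue_challenge(user)
    response = token.transform(challenge)            # could equally be downloaded/uploaded by hand
    return server.verify(user, challenge, response), challenge, response


def demo():
    """Constructed scenario: a valid login, a replay of its captured files, and a wrong token."""
    secret = secrets.token_bytes(32)                 # constructed enrollment secret
    server = Server(enrolled={"alice": secret})
    ok, challenge, response = login(server, Token(secret), "alice")
    replayed = server.verify("alice", challenge, response)   # copied files are rejected after use
    impostor, _, _ = login(server, Token(secrets.token_bytes(32)), "alice")
    return ok, replayed, impostor                    # returns (True, False, False)
```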

Have your own idea for the next generation of authentication? Post it below.


  1. I've been playing around with a Yubikey for some while now. They're $30 (includes S&H) and generate OATH-compatible OTPs and their own OTP format. Best part, they don't need drivers.

  2. Really? That's interesting, and I know that LastPass, my password manager, accepts YubiKeys. How exactly does it work without drivers?

  3. yeah...I use a password for Facebook...It seems to be working fine.

  4. The phone idea has been around for a while - Cryptomathic have had a solution around this for years now. Have a look at

    With the USB solution, how is this any better than a phone? I know which I'd have on me more often.

  5. @Tails Let's say you become like one of many users out there, and somebody steals your password. What now?

    @t0rx It seems interesting. The only problem is that it's not free. Solutions like OpenID have long been open source. Unfortunately, I doubt the entire Internet would ever adopt something that is proprietary and cuts in on their profits, even if it means sacrificing security.

  6. Tyler, it emulates a USB keyboard and types them in when you press the button.