On Wed, 2004-10-13 at 20:58, Scot L. Harris wrote:
On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
Security-wise it is always a bad idea to write down passwords or passphrases. The reality is that almost everyone does just that. :)
Oh, to be sure! But if they're GONNA do it due to human nature, it's better to have them do it off site...
Actually there are several different two-factor authentication schemes out there. The idea of authenticating someone based on something they have and something they know is pretty much the standard for really secure systems.
And I think that may be the issue with widespread adoption of such a system. Most people feel that a password provides enough security for their purposes. And from past experience dealing with users, if you make a system too complex they won't use it. This includes issues with recovering from that catastrophic failure or lost passphrase.
Well, that may not be a problem. The way I see it, the initial (beta) would take place amongst the people who care about it the most, then as time goes on we point 'em to a howto and let 'em enter things into a form. Then it becomes a convenience feature that people might actually adopt, especially since carrying a fob like this is, in some places, considered to be a status symbol. "Sure, you've got one... but does it _do_ anything for you?"
Personally I think a proof of concept would be the first thing. Once you have that then you can sort out the silly stuff like names and such. :)
OK, is this formal? Is there a section on the RFC library sites for this kinda thing? Are we talking about a working model, or a very rough draft?
Don't forget that you need to encrypt anything you want to send like that. Probably you will want to consider using some kind of public key setup so that you never pass the real password info over the network.
Well, the indication that a fob is available for authentication could be "**KEYFOB**" in the browser line, then the server would switch to TLS/SSL/etc and interrogate it, if it supports it.
Like I said before, getting widespread adoption of something like this will be a problem. It will appeal to a select group at best. Take a look at SELinux over the next year. If/when that is enabled by default I suspect you will see the most common question on the list is how to disable it.
:) I've been waiting secretly for that day, knowing it'll be a LONG day for newbies.
I do have one idea that many people may find useful. Using your idea of a USB flash memory, figure out how to store your web browser's cache of passwords on the flash memory. Then no matter what machine you use, you plug in the flash and your browser has all the passwords for all the sites you visit. You would need to modify the browser to look for the cache information on the flash memory. Once you get the proof of concept working, then you need to add heavy-duty encryption to the flash device and a method to unlock it for use by the web browser.
Yeah, that would also be a way to get it off the machine and make them portable, too. Is there a standard amongst Mozilla variants? Galeon, Epiphany, Firefox all using the same password file?
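The two points raised in this exchange, authenticating on something you have plus something you know, and never sending the real password over the wire, can be shown with a small challenge-response login. The following is an added example written for this thread, not code from either poster or from any browser or fob project. It assumes a fob that holds a random secret and a server that stores only a key derived from both factors; the `Fob`, `Server`, usernames and passphrase are constructed for the demo, and a real deployment would still wrap the exchange in TLS as suggested above.

```python
import hashlib
import hmac
import secrets

# Constructed example: two-factor challenge-response where the server never
# receives the passphrase, and a captured response cannot be replayed.

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; tune to hardware in practice


def derive_auth_key(passphrase: str, fob_secret: bytes) -> bytes:
    """Fold both factors into one 32-byte HMAC key.

    The fob secret (something you have) is the salt, the passphrase
    (something you know) is the password input.  Changing either factor
    produces an unrelated key, so neither alone is enough.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               fob_secret, KDF_ITERATIONS, dklen=32)


def response_mac(key: bytes, username: str, nonce: bytes) -> bytes:
    """MAC over the username and the server's fresh nonce."""
    return hmac.new(key, username.encode("utf-8") + b"|" + nonce,
                    hashlib.sha256).digest()


class Fob:
    """Stand-in for the hardware token (hypothetical): it holds a random
    secret and answers challenges; the secret itself never leaves it."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def respond(self, passphrase: str, username: str, nonce: bytes) -> bytes:
        return response_mac(derive_auth_key(passphrase, self.secret),
                            username, nonce)


class Server:
    """Hypothetical server side: stores per-user auth keys and one
    outstanding nonce per user, consumed on first use."""

    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def enroll(self, username: str, auth_key: bytes) -> None:
        # Enrollment happens once over a trusted channel; only the derived
        # key is stored, never the passphrase or the fob secret.
        self.users[username] = auth_key

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        key = self.users.get(username)
        nonce = self.pending.pop(username, None)  # single use: pop, not get
        if key is None or nonce is None:
            return False
        expected = response_mac(key, username, nonce)
        return hmac.compare_digest(expected, response)  # constant-time


def login(server: Server, fob: Fob, username: str, passphrase: str) -> bool:
    """One full exchange: server challenges, fob responds, server verifies."""
    nonce = server.challenge(username)
    return server.verify(username, fob.respond(passphrase, username, nonce))


def demo() -> dict[str, bool]:
    """Run the success case, both single-factor failures, and a replay."""
    server, fob = Server(), Fob()
    server.enroll("brian", derive_auth_key("correct horse", fob.secret))
    results = {
        "good": login(server, fob, "brian", "correct horse"),
        "wrong_passphrase": login(server, fob, "brian", "battery staple"),
        "wrong_fob": login(server, Fob(), "brian", "correct horse"),
    }
    # A valid response observed on the wire is useless a second time,
    # because the nonce it answered has already been consumed.
    nonce = server.challenge("brian")
    captured = fob.respond("correct horse", "brian", nonce)
    results["first_use"] = server.verify("brian", captured)
    results["replay"] = server.verify("brian", captured)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} -> {'accepted' if ok else 'rejected'}")
```

Note what the server holds: a shared HMAC key, so a breach of the server's user table still yields a usable credential. That is the gap the public-key variant mentioned above closes, since the server would then store only a public key and the fob would sign the nonce with a private key that never leaves it.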