Thursday, May 3, 2007

VeriSign's Passcode Initiative

http://www.itwire.com.au/content/view/11775/53/

VeriSign now offers a special card that generates a one-time passcode that expires quickly, so even if someone were to steal it, it wouldn't be of much use.
The passcode is displayed on the card itself, at the push of a button. Expected to last two years or around 100000 uses, it's a nice, elegant, and compact solution.

I know you're waiting for the key word - HOWEVER - it's easily subject to the infamous MitM attack (Man in the Middle). After all, the passcode is just another piece of data: a phishing site or an intercepting proxy can capture it together with the user name and password and relay it to the real site before it expires. Nothing really more to it, in my opinion, than hype.

Although two-factor authentication schemes are very strong and should be recommended for most security applications (what you know, what you have, and who you are are the three principal factors), there are severe limitations that need to be considered as well.

A nearly foolproof method would be the use of biometric systems - the iris check, fingerprints, voiceprints, facial recognition, and so on are fairly mature and used in most high-security areas. The trick is to incorporate them into the devices we need to access at higher levels of security, such as ATMs, bank lockers, safes, etc.

In any case, VeriSign is doing the right thing by at least starting the process somewhere. I know Discover Card used to have a little application that one could download to one's desktop, and it'd do the same thing. Not sure what happened to it.

Many MasterCard and Visa issuers are also using a two-step method to prevent phishing. For example, one site lets you pick a picture from its catalogue, and it'll show that picture to you when you enter just your username; if you don't recognize it you simply don't supply the password. If the picture is the one you know you picked, then you enter the password. How secure is this? Quite, but not foolproof. A hacker could sign up as a regular user, collect the site's catalogue of pictures, and show one of them at random on a fake login page; if it happens to match the one you picked - whoa!

A better idea would be to let users upload their own pictures - something personal, say their dog, their home, or their messy office desk, something that's not easy to duplicate or guess from a shared catalogue.

In summary, while it's a good start, it's only a start. I look forward to seeing more biometric authentication schemes available to the general public and not just to the privileged. We pay the bills, after all!

Be safe!
