Brad Ideas - openid - Comments

Double passwords

John — Wed, 16 Feb 2011 18:35:51 -0800

CitiBank does something very similar to what Brad suggested - if you wan t to do a wire transfer (a very hight fraud potential activity) you need to enter your additional info - the question varies (it's not a password but it does provide a second level of protection). CitiBusiness uses one time tokens but they won't let me assign a token to my personal account (lame).

Cell phone auth

brad — Tue, 18 Jan 2011 00:30:58 -0800

Yes, I say that’s the likely long term situation. Of course GSM is not hard to crack, and once we do use our phones for this, you can bet that attackers will move their resources into pwning phones, which gets easier the more we want the phones to do. But having yet another token is not a great answer.

Out of Band One Time Passwords

Dean — Mon, 17 Jan 2011 22:46:12 -0800

Reusable passwords are a loss in all ways. "Certificate" systems based on public key cryptography need a secure store for private keys, and PCs can be assumed to be 0wned by hackers, and the site needing authentication can't distinguish an honest Linux system or Mac from a lying Windows PC. Nobody really wants to carry around a keyring with dozens of OATH tokens hanging from it. The problem with card codes is that they're patented, and license terms are apparently expensive, so they're not often used despite their convenience and low actual cost. The US Treasury uses them for "Treasury Direct" bond purchases, though. But cards can be lost, and you won't notice if you don't use the account frequently.

The best system I've encountered so far is used by my bank, which sends a one-time-use PIN to my phone via text message. Leverages existing infrastructure, zero investment in user-carried stuff, easily revocable and reasignable, can't be lost or stolen without the user noticing; what's not to like?

Using Voice to Authenticate

Leonard — Tue, 21 Dec 2010 10:54:04 -0800

My bank already can automatically email upon each significant transaction. (What is "significant" is simply a dollar-amount I can set.) This seems to happen after the transaction, so I am not sure what would happen if my account had been hijacked. But at least I would become aware of it, and shut down any further misuse.

My credit card company will have a person phone me if its computers notice any odd transactions.

I'd like a cross between these things. I would register a cell phone number with my bank. Whenever a significantly large transaction has been ordered from my bank account, they call my number, verify it is me, and allow a transaction only after I have verbally OKed it.

Card codes

brad — Mon, 20 Dec 2010 09:31:32 -0800

Most of the implementations of “security questions” actually weaken security, of course, though it doesn’t weaken to ask for both the password and the security questions. All the sites that will tell you the password if you know the security questions make things worse — you can get in knowing either, and the security questions are often things that are easy to get or even public like mother’s maiden names or SSNs. (It’s not that hard for people to get your SSN.)

My point though is to make it easy for me to get on and do the low end stuff, and ask for extra security when I’m doing something important, like moving money or points, changing an address or name to which money is sent and so on.

If you make it too much of a pain to login for the ordinary stuff, people won’t login, or they will write down all the information on a piece of paper in their desk. There is a risk with the 2nd password that they will also write it down, and in fact it makes sense to write it down, but not somewhere people would easily think to look. However, when you say “This is the password that can drain your bank account” people will take more care with it, I would hope.

Double Authentication

Anonymous — Mon, 20 Dec 2010 04:36:30 -0800

My credit union already has a double authentication scheme. When I log on from an unknown IP address, I am prompted to answer a security question. I have the option to turn this feature for all logons, regardless of my IP. I like the extra layer of security, but I an not convinced that it is much better than using a single strong password. As an alternative I would like to have the bank issue me a preprinted card with a grid of random characters (a first step toward a hardware token). The system would ask you the character found in position X-Y of the grid. The bank could replace the card based on frequency of use. It could even be printed right on your ATM card. Now I have to prove that I know something, my userid/password, and that I have something, my ATM card. Further, the system could ask you to append this card code to your password, making that a little stronger, making your password different each time you logon. I know these systems exist, but I suspect companies are reluctant to implement them due to cost, and the added complexity.

I'm very satisfied with my bank password system

Paavo Ojala — Sat, 18 Dec 2010 11:57:48 -0800

My bank uses TUPAS, that has three passwords. one is a constant one, that i have memorised. For others the banks sends you a list, with 80 one use passwords for login, and 18 confirmation passwords that are randomly assigned. I'm happy with using it. I managed to identify myself with it and take back my university e-mail address when someone had hijacked it.

It's an old system already, but for banks every security measure has to be long term, because customers have enormous inertia.

The scale is just vastly different

brad — Tue, 25 May 2010 18:40:04 -0700

These are just two very different orders of things, dictatorships and web sites playing too lose with your data.

Facebook is a useful service, and we want innovative useful services. We just want them to be designed to not cause so many privacy risks, and they can in fact be designed that way, it’s just harder.

As I have said before, most people don’t focus on their privacy needs until after an invasion. So it’s not surprise that millions join Facebook or Twitter regardless of their policies, and then push even those who are concerned to also join.

Call it courage

Phillip Helbig — Tue, 25 May 2010 08:16:02 -0700

Many people are criticised because they join the dictator's party. People expect more
courage (often wrongly stating that, in the same situation, they would show more
resistance). My point is that if this expectation has some value, shouldn't we expect
even more courage if the threat is not backed up with guns?

Can and will

brad — Mon, 24 May 2010 16:58:32 -0700

Relatives can email pictures, or print them, but they don’t. It is indeed quite convenient that they can just post them to facebook and that’s all they need do to show them to the whole family and to friends. While you can ask your relatives to print and mail photos the reality is they won’t do this, or if they do, it will be reluctantly, and a smaller subset of the pictures.

And in fact the same has been true of MS software, as they work to make their formats more proprietary, so that people are mailing you documents that won’t load properly in anything but MS Office. We don’t like that either. The ruling party analogy goes too far — there the power of that party is backed up with guns, the lines are very clear. I’m talking about something more subtle.

Give me a break

Phillip Helbig — Mon, 24 May 2010 07:36:46 -0700

"But I’ve seen lots of people who have recently joined Facebook who for years did not want to. They still would prefer not to but it is the only place to get certain things now, including locating many people, and even seeing pictures of your relatives."

The same argument can be used for using Microsoft software, joining the ruling political party in a dictatorship etc.

Pictures from relatives? Don't tell me that one's relatives can't email the pictures, or even print them out and send
them snail mail.

Oh, I don't think so

brad — Sat, 22 May 2010 00:41:32 -0700

But I will play the violin for you.

XKCD disagrees with you

Anonymous — Fri, 21 May 2010 16:24:57 -0700

http://xkcd.com/743/

Exactly

DensityDuck — Tue, 18 May 2010 15:39:05 -0700

I don't have a problem with Facebook selling my private data, because I NEVER GAVE THEM ANY. The closest they've gotten to me is one of my spamtrap email address.

As for the rest of the web, do you really think that my email address is "what@why.net"?

Facebook is the web and the internet is computing

brad — Fri, 14 May 2010 11:29:11 -0700

Well, for those folks those statements are true.

If Facebook were just one player in the social network and identity battles, I would agree with your statement (which matches Facebook’s own statement that they believe all of Facebook is “opt in” because you have to decide to use Facebook.)

But I’ve seen lots of people who have recently joined Facebook who for years did not want to. They still would prefer not to but it is the only place to get certain things now, including locating many people, and even seeing pictures of your relatives. At least with today’s architectures, there is a bit of a natural monopoly in social network databases. Only the one that has your associates is usable for you, and that’s generally the market dominator in your geographic area or sector. It’s very hard for two companies to meaningfully compete over the same zone of people, especially if one is a giant. It’s even hard to get competition in the identity space once it congeals, though it is slightly easier. Many people seek “data portability” as the answer to the anti-competitiveness, but as I have written, that may just mean all your data is now out at lots of sites, with an even greater probability of losing all control of it.

As I identify in this article, there will be market pressure for Facebook to play free with the data. However, the irony is that the more secure they are in that state, the less need they have to sell off their users for revenue. (They may still have the desire but not the need.)