What You Have, What You Know, What You Are

I'm no fan of the classic login/password scheme. I can barely remember any of the zillion logins and passwords I have. More often than not, I end up using the "forgot password" link. Which means, in effect, that my email account is my global password. And if you're like most people, your email password isn't very secure. As Bruce Schneier recently observed:

This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/02/what-you-have-what-you-know-what-you-are.html

I’ve been using Bloomberg with three-factor authentication:

(1) a login name / password screen
(2) a smart card reading your fingerprint
(3) correctly submitting (1) will pop up an algorithmically refreshing block on the screen, which the smart card reads and gives you a one-time password

It’s a pretty elegant way to integrate all 3 factors. And some forensic detection systems work on ‘where you are’ too.


You could give this tool a try: http://www.dekart.com/products/access_control/password_manager/

It can use up to three factors (including biometry), and the second factor is a USB disk, thus you don’t have to pay for a smart card and a smart card reader. It can generate complex passwords for different sites, so there is no need to actually memorize the credentials.

You know the lost password procedure where you have to answer a question only you know the answer to (What’s your mother’s maiden name, for example)? My company recently rolled out something like it, only with a slight twist that makes it useless.

First of all, users have to provide both the “question” and the “answer”. This is fine, and some websites offer the same option, but that is where sanity ends.

When a user wants to retrieve their password, they have to enter BOTH the “question” and “answer” manually. Not only that, but both parts are also displayed as asterisks instead of plain text, and are case-sensitive. Much like normal passwords, yes.

So, in essence, when you’ve forgotten your original password, which can be only 6-8 characters in length, and you want to retrieve it, you need to enter TWO additional passwords, which both have to be at least 10 characters long.

Of course, when I asked why it was reasonable to expect users to REMEMBER two long passwords to retrieve a single short password they FORGOT, I ran into the usual Large Corporation wall of bureaucracy.

It seems to me that a protocol for a web site to authenticate to a smart card attached to a PC is possible. Why not? I imagine most smart cards just return a simple number. However, a more sophisticated card (maybe a USB device) could handle a challenge/response or public key encryption based authentication. The private key would never be revealed outside the device. A session key would be encrypted by the site and decrypted by the device. This session key would then be used by the PC for communications with the site. Sort of like SSH, but doing the session exchange on the device. And the server would only communicate with known devices. The device could also only communicate with known servers.

Of course, you’d still want a second or third factor for your security. And you’d want access anomaly detection (e.g., user logs in from California at 3:40pm, then at 7:00pm logs in from China, an immediate lockout should occur).
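The exchange sketched in the post above, worked through as an added example that is not part of the original thread: a device that holds an RSA private key and never exports it, a server that encrypts a fresh session key to that device and signs the result, and each side recognizing the other only by a key fingerprint enrolled ahead of time. It is written in Go with only the standard library; the enrollment step, the 2048-bit key size, the "session-key" OAEP label and every name in it are assumptions made for illustration, not anything described in the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// Fingerprint is what each side stores about the other: SHA-256 over the
// DER-encoded public key. The private halves never leave their owners.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed RSA key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Device stands in for the smart card or USB token: it decrypts with its key
// on request but never exports it.
type Device struct{ key *rsa.PrivateKey }

// Server is the web site; it talks only to devices whose fingerprints were
// enrolled out of band (enrollment itself is assumed here).
type Server struct {
	key          *rsa.PrivateKey
	knownDevices map[string]bool
}

// Challenge is the server's message: a session key wrapped to the device's
// public key, plus a signature proving it came from a known server.
type Challenge struct{ EncSession, Sig []byte }

// Begin refuses unenrolled devices, wraps a random 256-bit session key with
// RSA-OAEP to the device, and signs the ciphertext with RSA-PSS.
func (s *Server) Begin(devPub *rsa.PublicKey) (Challenge, []byte, error) {
	if !s.knownDevices[Fingerprint(devPub)] {
		return Challenge{}, nil, errors.New("server: device not enrolled")
	}
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return Challenge{}, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, session, []byte("session-key"))
	if err != nil {
		return Challenge{}, nil, err
	}
	digest := sha256.Sum256(enc)
	sig, err := rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Challenge{}, nil, err
	}
	return Challenge{EncSession: enc, Sig: sig}, session, nil
}

// Accept is the device side: it answers only the server pinned at
// enrollment, checks the signature, then unwraps the session key. The PC
// receives that key alone and uses it for the rest of the session.
func (d *Device) Accept(c Challenge, serverPub *rsa.PublicKey, pinned string) ([]byte, error) {
	if Fingerprint(serverPub) != pinned {
		return nil, errors.New("device: server not pinned")
	}
	digest := sha256.Sum256(c.EncSession)
	if err := rsa.VerifyPSS(serverPub, crypto.SHA256, digest[:], c.Sig, nil); err != nil {
		return nil, errors.New("device: bad server signature")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, d.key, c.EncSession, []byte("session-key"))
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Handshake runs the exchange for a device that is or is not enrolled and
// returns the session key each side ends up holding; they agree only if the
// key was wrapped to, and unwrapped by, the right parties.
func Handshake(enrolled bool) (devSession, srvSession []byte, err error) {
	dev := &Device{key: mustKey()}
	srv := &Server{key: mustKey(), knownDevices: map[string]bool{}}
	if enrolled {
		srv.knownDevices[Fingerprint(&dev.key.PublicKey)] = true
	}
	ch, srvSession, err := srv.Begin(&dev.key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	devSession, err = dev.Accept(ch, &srv.key.PublicKey, Fingerprint(&srv.key.PublicKey))
	if err != nil {
		return nil, nil, err
	}
	return devSession, srvSession, nil
}
```

Handshake(true) leaves both sides holding the same 32-byte key; Handshake(false) fails inside Begin before any key is wrapped, which is the "server only communicates with known devices" rule, and a server whose fingerprint was not pinned is refused by the device in the same way. The PC is handed the session key alone, so a keylogger on it learns nothing that outlives the session, although it can still abuse the session while it lasts, which is why the second factor and the anomaly detection mentioned above still matter.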
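The access anomaly check from the same post (a login from California at 3:40pm followed by one from China at 7:00pm) as an added example that is not from the original thread: it computes the great-circle distance between each user's consecutive logins, divides by the time between them, and reports anyone who would have had to travel faster than an airliner, so the caller can lock the account. Go, standard library only; the login events and coordinates are constructed, and the 1000 km/h threshold and 50 km slack are assumptions, not values anyone in the thread gave.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Login is one parsed authentication event. Place and coordinates come from
// a GeoIP lookup on the source address, assumed to have run already.
type Login struct {
	User     string
	At       time.Time
	Place    string
	Lat, Lon float64
}

// Alert names a user whose two consecutive logins would have required
// travelling faster than maxSpeedKmh; the caller locks that account.
type Alert struct {
	User, From, To string
	DistanceKm     float64
	ImpliedSpeed   float64
}

// An airliner cruises near 900 km/h, so a faster implied speed means the
// credentials, not the person, made the trip.
const maxSpeedKmh = 1000.0

// haversineKm is the great-circle distance between two points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// ImpossibleTravel sorts each user's logins by time and checks every adjacent
// pair. Two logins at the same instant from different places count as
// infinite speed rather than a division by zero.
func ImpossibleTravel(logins []Login) []Alert {
	byUser := map[string][]Login{}
	for _, l := range logins {
		byUser[l.User] = append(byUser[l.User], l)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // stable output regardless of map order
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			speed := math.Inf(1)
			if h := cur.At.Sub(prev.At).Hours(); h > 0 {
				speed = km / h
			}
			// 50 km of slack absorbs GeoIP placing one city at two centroids.
			if km > 50 && speed > maxSpeedKmh {
				alerts = append(alerts, Alert{u, prev.Place, cur.Place, km, speed})
			}
		}
	}
	return alerts
}

// SampleLogins is constructed data mirroring the post: one user seen in
// California at 15:40 and in China at 19:00 the same day, and another who
// spent six hours getting from San Francisco to New York, which is plausible.
func SampleLogins() []Login {
	at := func(s string) time.Time {
		v, err := time.Parse(time.RFC3339, s)
		if err != nil {
			panic(err)
		}
		return v
	}
	return []Login{
		{"alice", at("2007-02-20T15:40:00-08:00"), "San Francisco, CA", 37.7749, -122.4194},
		{"alice", at("2007-02-20T19:00:00-08:00"), "Beijing, CN", 39.9042, 116.4074},
		{"bob", at("2007-02-20T09:00:00-08:00"), "San Francisco, CA", 37.7749, -122.4194},
		{"bob", at("2007-02-20T15:00:00-08:00"), "New York, NY", 40.7128, -74.0060},
	}
}

func main() {
	for _, a := range ImpossibleTravel(SampleLogins()) {
		fmt.Printf("LOCK %s: %s -> %s, %.0f km at %.0f km/h\n", a.User, a.From, a.To, a.DistanceKm, a.ImpliedSpeed)
	}
}
```

On the sample data only alice is flagged: roughly 9,500 km in three hours twenty minutes works out to about 2,850 km/h, while bob's 4,100 km in six hours is under 700 km/h and passes. The two things that make this check noisy in practice are GeoIP error and VPN or corporate proxy exits, which is what the slack distance and the per-user, adjacent-pair comparison are there to limit; a lockout should still leave the user a recovery path.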

I suggest the CAPTCHA should be “orange1” from now on.


Hard to believe I don’t see more on your blog from this guy…


Pedantic, but I’d guess ‘Password1’ was probably more popular than ‘password1’ these days.

Hoorah for two-factor authentication!

But don’t be fooled into thinking a fingerprint reader is secure:

Here’s the actual link:

Regarding the two-factor auth you mentioned and its vulnerability to screen/key loggers, the Cadillac solution is probably to use a challenge-based token. This way, the website requires you to enter your name/password and displays a short challenge code, which you type into your small device. Your device will display a number, which you then give to the website. Naturally, the challenge codes are not very likely to repeat, thus avoiding screenlogger attacks.

If there’s one thing in this world that keeps me up at night, it’s that my brokerage account is protected only by a UserID/Password. Like many people, all that I have in this cruel world is contained therein. WTF, Fidelity?

(Unfortunately due to some strange regulatory restrictions with one of my clients, I can’t switch away from Fidelity…)

Am I the only one old enough to remember when the Internet was benign? And now we need HARDWARE passwording just to buy Superman #1???

Internet commerce is on the edge of collapse if this continues.

Either most folk will opt out just because it’s a pain in the butt, or most folk will opt out because a PC with cojones enough to run Vista over a personal T1 along with the necessary firewall machine to keep the bad guys away costs so much that only Bill Gates will be able to afford to use eBay. OK, a little hyperbolic. But I’d bet a fiver on it.

Dave: Never mind the Fidelity. Everyone knows you’re supposed to keep a 20 in your sock and the rest under a tarp in your attic.

While it won’t give you much better security, KeePass is good software for managing passwords: it will randomly generate passwords for you and store them in an encrypted file. It helps for those myriad web sites that ask for passwords; at the very least you can use that application to manage complex passwords without having to remember them.


Of course, you still have the master keepass password to worry about, but at least it’s only one password and not dozens of them.

There is a bank here in Australia that has implemented an optional security option for internet banking whereby every transaction sends a unique code via SMS to your phone. The transaction will be processed when you enter the SMS code correctly. This just adds another practical cheap layer of authentication protection.
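Two of the schemes in this thread share the same core: the challenge-based token a few posts up (the site shows a short challenge, the device answers with a number) and the per-transaction SMS code just described. Both come down to a short code derived by HMAC from a secret plus something fresh, and both are only as good as the server's refusal to accept a code twice. This added example, which is not from the original thread or from any bank or vendor mentioned in it, implements the server side of both in Go with only the standard library: each challenge and each SMS code is single-use with an expiry, and the SMS code is bound to the transaction details so that a code issued for one payment cannot approve a different one. The seeds, key names, six-digit format and lifetimes are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// code6 turns an HMAC-SHA256 over msg into six decimal digits, using the
// dynamic truncation from HOTP (RFC 4226).
func code6(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	sum := m.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// TokenRespond is the handheld device: given the seed shared at enrollment
// and the challenge the user typed in, it shows the six digits to send back.
func TokenRespond(seed []byte, challenge string) string {
	return code6(seed, "challenge:"+challenge)
}

// Transaction is what the bank's SMS code is bound to.
type Transaction struct {
	From, To string
	Cents    int64
}

func txnMsg(nonce string, tx Transaction) string {
	return fmt.Sprintf("txn:%s:%s>%s:%d", nonce, tx.From, tx.To, tx.Cents)
}

// Verifier is the server for both schemes. live maps every challenge or
// transaction nonce that may still be answered to its expiry; an entry is
// deleted on first use, so a screen-logged response or forwarded SMS cannot
// be replayed.
type Verifier struct {
	Seeds  map[string][]byte // user -> token seed
	SMSKey []byte            // server-only key behind transaction codes
	live   map[string]time.Time
	Now    func() time.Time // injectable so tests can move the clock
}

func NewVerifier(seeds map[string][]byte, smsKey []byte) *Verifier {
	return &Verifier{Seeds: seeds, SMSKey: smsKey, live: map[string]time.Time{}, Now: time.Now}
}

// issue registers a fresh random id under the given key prefix with a lifetime.
func (v *Verifier) issue(prefix string, n int, ttl time.Duration) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	v.live[prefix+id] = v.Now().Add(ttl)
	return id, nil
}

// verify retires the id whatever the outcome, then compares in constant time.
func (v *Verifier) verify(key, want, got string) error {
	exp, ok := v.live[key]
	if !ok {
		return errors.New("unknown or already used")
	}
	delete(v.live, key)
	if v.Now().After(exp) {
		return errors.New("expired")
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return errors.New("wrong code")
	}
	return nil
}

// NewChallenge is shown after the password step: eight hex characters, short
// enough to type into the token, valid for 90 seconds.
func (v *Verifier) NewChallenge(user string) (string, error) {
	return v.issue(user+"/c/", 4, 90*time.Second)
}

// CheckResponse recomputes what the user's token should have displayed.
func (v *Verifier) CheckResponse(user, challenge, resp string) error {
	return v.verify(user+"/c/"+challenge, code6(v.Seeds[user], "challenge:"+challenge), resp)
}

// IssueTxnCode derives the code the bank texts out. With the transaction inside
// the MAC, a code obtained for one payment cannot approve a different one; the
// nonce keeps two identical payments from sharing a code.
func (v *Verifier) IssueTxnCode(user string, tx Transaction) (code, nonce string, err error) {
	if nonce, err = v.issue(user+"/t/", 8, 5*time.Minute); err != nil {
		return "", "", err
	}
	return code6(v.SMSKey, txnMsg(nonce, tx)), nonce, nil
}

// ApproveTxn takes the transaction exactly as the customer finally submits it.
func (v *Verifier) ApproveTxn(user, nonce, code string, tx Transaction) error {
	return v.verify(user+"/t/"+nonce, code6(v.SMSKey, txnMsg(nonce, tx)), code)
}
```

A screen or key logger that captures both the challenge and the response gets nothing reusable, because the challenge is retired the moment it is answered and a new one is random. The SMS variant only delivers on its promise if the text message carries the same details the code was bound to (amount and destination), so the customer can compare them with what they typed; if malware on the PC changes the destination account after the code was issued, ApproveTxn rejects the code even though the digits are correct. Neither scheme helps against an attacker who controls the phone or the token itself.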

$50 for the RSA fobs is interesting. When our group was told they ran $1000 each (purchased in packs of 5 for $5K) I was shocked. It’s nerve-racking carrying that thing around.

I like the idea of having one of those key-fob SecurID-type things. But, the problem is what happens when you have a bunch of systems that use them? I already have four or five of those darn “special” shopper discount cards on my keyring. How am I going to fit it into my pocket with a half a dozen SecurID-type fobs, too? For example, right now, I have to keep track of accounts at: a brokerage (2 accounts – used to be 3 accounts), a bank (3 accounts), another bank (2 accounts), and since it’s mentioned in the article, 1 ebay and one paypal account. So, without counting any non-financial stuff and assuming the fobs can’t be consolidated, that’s 8 to 10 different fobs. Throw in at least a couple more for work systems, health systems, and insurance systems. Well, just remind me to buy stock in SecurID and the key-ring industry.

I work for the government, and our smart cards have some sort of certificate on them (PKI?) that is protected with a password. Secure sites then require a client cert, which is located on the card. So in order to log in, I need the card, the password to the card, and my username and password to the site.

When you state:

“The secrets on each card stay secret because it’s impossible to extract the data without destroying the chip in the process.”

I think that’s a little ambiguous. If you couldn’t extract the data, wouldn’t it be worthless?

You continue by stating:

“Since smart cards are read by hardware on your PC…”

Which seems to contradict the previous statement. Maybe it’s completely coherent, and it is just too early in the morning for me to think. :P