What You Have, What You Know, What You Are

It seems like a good idea to include 2-factor authentication. I just can’t wait until we are able to integrate the most unused factor in password security to this day: What we are.

It’s interesting that the US is just now talking about this. For the past five years I’ve been using what they call here in Indonesia a KEY. The pic of a lady on my bank’s homepage is holding one (FYI, the last update to this site’s structure was in 2000). http://www.klikbca.com/default.html?langID=2

It most closely resembles a tiny calculator with 10 digits and a red function key. When making a simple online transaction like paying your electric bill, the bank will just ask you to press 1 and enter the code that’s displayed on the KEY. For more complex transactions like transferring money it will put you through an extra step beforehand, telling you to press 2, enter a code from the website, then you enter the reply code from the device.

I only need this to make online transactions. Without it I can only check my balance, exchange rates, etc. The only problem, as someone previously posted, is that you have to bring it with you. So I can’t access my account anytime/anywhere like I can from my US accounts.

I feel sorry for all the people I know that have 3 or 4 bank accounts that each use KEYs.

David H, I’m not sure. After doing a bunch of research, I’m still a little fuzzy on how smart cards actually work. And there’s not much quality information on the internet about them. It does seem to me that rogue software could read the smartcard just as well as the “trusted” software if your system is compromised.

Anyone have any good links or specifics on why a smart card is inherently more secure than, say, a USB key?

I just can’t wait until we are able to integrate the most unused factor in password security to this day: What we are.

Well, except that information can never be changed, which is sort of a problem too. If a password or keyfob is lost, they can be invalidated. We can’t invalidate your DNA or your fingerprint…

The Cadillac solution is probably to use a challenge-based token. This way, the website requires you to enter your name/password and displays a short challenge code, which you type into your small device.

This is something that RSA has proposed; basically they are packaging their software to run on a variety of handheld devices, eg, your smartphone, or something else you already carry around with you:

RSA Security (Nasdaq: RSAS) today announced a series of initiatives designed to enable a broad range of devices to deliver RSA SecurID two-factor authentication capabilities. […] extension of the RSA SecurID Ready partner program, which is designed to encourage device and software manufacturers to embed the RSA SecurID algorithm within their own solutions. RSA Security is already working with several flagship partners including M-Systems, Motorola, RedCannon Security, Renesas and SanDisk

I can see the attraction. If you were using a challenge-response smartphone instead of a dumb keyfob, both your computer and your smartphone would have to be compromised for attackers to log in as you. But the bad news is that this can only protect you from trojans. Real-time phishing still works in that scenario.

We’d have to come up with something that couldn’t be relayed in real time by phishers.

I’m shocked that Paypal can implement key fobs for only $5. We use RSA fobs for connecting to our VPN and those run a cool $1,000 each. What happened to allow the sharp drop in cost?

I put a 20 in my sock last year, and now I have a 26-dollar-and-seventy-two-cent bill. Stupid compound interest.

Chris, one reseller is here: http://www.securehq.com/vendors.wmlvendorid=31adv=GG

$1k per token is astonishingly wow. I wonder who was trying to sell that. And what they were trying to do.

I’ve used the RSA soft-token (software based token vs the keyfob) and it tends to drift in time, so I have to call Security to get it reset on the server. This is a significant slowdown while trying to login to the servers during an emergency. Also, wouldn’t it be prone to scripting?

It would be unless you use some kind of webcam and OCR setup (hmmmmmmmm)
Did you see MythBusters hack a fingerprint reader with a photocopy of a fingerprint? Don’t bet the bank on that technology.

My little RSA token scheme - just like the one pictured - has some odd moments. Sometimes it asks me to enter the next number and I have to wait almost a minute for that to come up.

Nice! You didn’t mention however that some banks are doing the picture recognition feature.

I think I recall Schneier mentioning methods that do work even in cases where the end-user computer is heavily infected with malware. Namely behavioral pattern matching at the provider site (bank, credit card company etc.).

For instance if you normally make purchases ranging from $5-$50, then a $1000 purchase should raise a flag. The bank could then call you to check if this is authentic. Demanding that the attacker has access to your phone really makes the attack more difficult, although it won’t stop subtle attacks that simply steal the “right” amount.

Perhaps a simpler baby step to more security is for sites to disallow trivial passwords via password strength algorithms.

The secrets on each card stay secret because it’s impossible to extract the data without destroying the chip in the process.
That is the theoretical idea. Researchers have managed to reproduce the contents of the cards with things like examining power consumption. Non-destructive methods for making educated guesses about what goes on inside the chips. But this sort of thing takes well funded universities. The best devices for programming smart cards have been yanked off the market due to the legal efforts of the satellite tv providers. There used to be a book, with a smartcard, on the java smartcard api, but that too is off the market.

Europe is more than a decade ahead of the US in smartcard deployment and usage. That’s partly due to the lack of a sue-happy satellite provider combined with cheap online verification. We’re used to cheap phone service here, thus credit card charges can be validated quickly with a short phone call (the swipe terminals usually use 300 or 1200 baud because the whole transaction is quicker than when you have to go through modem training). In Europe, the transactions had to be do-able in places where phone connectivity was unavailable. So they went with smart cards starting in the 80s.

We use RSA fobs for connecting to our VPN and those run a cool $1,000 each.
Ah, the fobs run about $50 each, the server software starts about $3k. The fancier fobs with usb or number pads run closer to $100 apiece in low quantities.

One of the problems with this stuff is the incredible difficulty with getting a development environment set up to actually work with it and wrestle the bugs to the ground. I’ve been trying to get something out of my local RSA reps to no avail. I get follow up calls from their HQ, and I tell them what I want, they say thanks, and hang up.

We develop software at our company. Some desktop, some web based. Some of our larger financial clients want to integrate our security with theirs. An ideal solution would be to use the existing infrastructure they have, and use their existing tokens to authenticate against their security regime.

I’d like some sort of development version. Maybe with 2 fobs, maybe with one of each sex (RSA has quite a few). Maybe a “knob” on a web page or web service that can be set to each possible setting: bad password, wrong token value, expired token, locked out account and other things like that. But you can’t get that. All you can do is purchase a 25 user server app for $3k and then you have to purchase tokens 25 at a time (for $50 a pop). I wouldn’t mind coughing up $100 or $200 for a dev version out of my own pocket. Spending thousands of dollars for a dev environment? FTS, I need a new car far more than that. And the management says “we already have one on our network, use that one.”

The sales reps don’t know anything about that RSA SecurID Ready program, or they don’t want to talk to me about it. From my end of the phone, it seems the same.

As for sharing the fobs between applications, the server end takes a digital certificate type thing. Adding a user means buying a new fob, and adding another user license to the server. Could be $100/user total.

Theoretically, you could buy one fob, and to use it with a new bank, send them the digital cert with the details on your fob. That might make sense, so banks won’t do it.

Hmm. Re-reading this, it looks like I’m all wound up about something (Gee, Peter, why don’t you tell us how you really feel).

Good post on basic security.

Anyway, it’s worth mentioning that you can use a keyring with a master password instead of your mailbox.

Sources for smartcard technology:


In general, smart card interfaces are realized by the exchange of formatted application protocol data units (APDUs) over a serial interface. Advanced smart cards can include implementations of asymmetric crypto algorithms, including DSA and RSA. Since storage and processing power are limited, elliptic curve cryptography is fairly popular in security applications. Vendors of ECC-capable smart cards include these guys:


Hope that helps.

Ad smartcard authentication:

At a former employer of mine, they wanted to use a card+PIN authentication system for their fleet of NT4 workstations. The bad news? The custom login program was dynamically linked against MFC, and did nothing to validate the DLL. Since MFC was one of the few components available in source form, it was not difficult to embed a backdoor that would be called by the secure login application.
Speaking of security, you really ought to change the anti-spam word from “orange” to something else.

A global id (ie. http://openid.net/) could save you a lot of trouble. Also there are many services (like http://www.agatra.com/index.php?) that can help you with your password management.

It’s an issue of trust :)

Jeff / David H. - Smart cards are trusted processors, whereas USB memory keys are just a storage mechanism. Have a look at the “How Stuff Works” entry on smart cards: http://computer.howstuffworks.com/question332.htm

Ideally, you use a smart card that can generate its own public/private key pair. You sign the smart card’s public key w/ your enterprise CA and enroll the certificate into your enterprise PKI (publish into Active Directory, etc). The card can accept challenges and emit responses, and PIN entry by the user authenticates the user to the smart card, and permits the processor in the smart card to perform cryptographic operations using the private key. In a more advanced smart card, the private key would be encrypted with a symmetric algorithm using the user’s PIN, and entry of the PIN would cause the private key to be decrypted into volatile RAM on the card that would be erased when the card was removed from the reader.

It would be really, really nice if we’d start using smart cards in place of what we currently use mag-stripe cards for in the US. Our GSM cell phones already provide a great basis for a smart card based payment infrastructure, if we could get anybody to agree on standards to use it.
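The card-plus-PIN challenge/response flow described in the comment above (and the challenge-based token suggested earlier in the thread) as an added, self-contained simulation; this is not code from the original thread, from RSA, or from any card vendor. It assumes a hypothetical card API (`unlock`, `respond`, `remove`), uses textbook RSA over two well-known Mersenne primes so it runs with the standard library alone, and leaves out the CA enrollment step the comment mentions. The point it shows: the private key is only ever used inside the card, the PIN gates that use (with a retry limit), removing the card drops the unlocked state, and the server issues a fresh single-use nonce per login so a captured response cannot be replayed.

```python
import hashlib
import secrets

# Constructed demo key pair: two known Mersenne primes keep the toy RSA
# arithmetic stdlib-only. A real card generates its own keys, at a size
# nothing like this. Demonstration only, not for real use.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+


def _digest_int(data: bytes) -> int:
    """SHA-256 of the challenge, truncated to 200 bits so it lies below N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:25], "big")


class SmartCard:
    """Trusted processor (hypothetical API): the private key never leaves the
    card, and signing is refused until the user's PIN has unlocked it."""

    def __init__(self, pin: str, max_tries: int = 3) -> None:
        self._pin = pin
        self._d, self._n = _D, _N        # generated on-card in real life
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._unlocked = False           # the "volatile RAM" state

    def public_key(self) -> tuple[int, int]:
        return (_E, self._n)

    def unlock(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False                 # card blocked after repeated bad PINs
        if secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self._tries_left = self._max_tries
            return True
        self._tries_left -= 1
        return False

    def respond(self, challenge: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("PIN required before private-key operations")
        # Textbook RSA signature over the hashed challenge; stays on-card.
        return pow(_digest_int(challenge), self._d, self._n)

    def remove(self) -> None:
        self._unlocked = False           # pulling the card wipes the unlocked state


class AuthServer:
    """Relying party: keeps enrolled public keys, hands out single-use nonces
    and checks the card's response against the enrolled key."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[int, int]] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, public_key: tuple[int, int]) -> None:
        self._keys[user] = public_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce      # one outstanding challenge per user
        return nonce

    def verify(self, user: str, nonce: bytes, response: int) -> bool:
        expected = self._pending.pop(user, None)   # consumed even on failure
        key = self._keys.get(user)
        if expected is None or key is None:
            return False
        if not secrets.compare_digest(expected, nonce):
            return False
        e, n = key
        return pow(response, e, n) == _digest_int(nonce)


if __name__ == "__main__":
    card, server = SmartCard("1234"), AuthServer()
    server.enroll("alice", card.public_key())
    nonce = server.challenge("alice")
    card.unlock("1234")
    print("login ok:", server.verify("alice", nonce, card.respond(nonce)))
```

Because the server forgets the nonce the moment it is checked, a second presentation of the same response fails, which is what makes the scheme resistant to a recorded session. It does not, by itself, stop the real-time relay the earlier comment worries about: a response to a nonce that a phishing site forwarded from the real bank is still a valid response.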

At least Man-in-the-middle attacks with two-phase authentication force the fraudulent site to do all their frauds in one login session. They will not be able to surmise the secret key sequence from one or two logins. This will presumably force the cons into much smaller frauds, as it would be easy for banks to put limits on what can be done in one session. One of my banks already requires me to allow a day or two after setting up a ‘new payment’ (i.e. transfer of funds outside of my own accounts). With 2-phase this would be quite strong security.

I used to use a SecurID for my work login. Worked fine for me, even with time-drift: Although the code changes every 30 seconds, the computer can work out the surrounding ‘n’ codes - say 2 minutes forward and back from the correct time (car alarms work somewhat like this, to allow for you pressing the remote when out of range of the vehicle). Even outside of that range, it could still potentially validate you by asking for two codes in succession (though I don’t know if it actually does this, but it could be done to allow more time-drift), and if you login frequently it could monitor the implied time-drift from the code you enter, and use that offset for the next time you log in.

Anyway, the system I used was quite an old one (thick credit card style), so the battery ran out before timing became an issue ;)
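The drift handling that the comment above describes, written out as an added example (not code from the original thread and not RSA's algorithm): a server-side validator for a 30-second time-stepped token that accepts any code within a window of ±4 steps (two minutes either way), remembers the offset it observed so the next login starts from the token's own clock, refuses to accept a step that has already been used, and falls back to two consecutive codes over a much wider window when the token has drifted out of the normal range. The code generation uses RFC 4226 style HMAC-SHA1 truncation as a stand-in; that, the seed, and the timestamps are constructed assumptions, since the real SecurID algorithm is proprietary.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the comment's "changes every 30 seconds"
DIGITS = 6


def code_at(secret: bytes, counter: int) -> str:
    """Code the token shows during one 30-second step.

    RFC 4226 style HMAC-SHA1 dynamic truncation is used as a stand-in for the
    proprietary SecurID algorithm (assumption, not the real thing).
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenValidator:
    """Server side: accept codes in a window around the current step, learn
    the token's clock offset, and never accept the same step twice."""

    def __init__(self, secret: bytes, window: int = 4) -> None:
        self.secret = secret
        self.window = window          # +-4 steps = +-2 minutes at 30 s
        self.offset = 0               # learned drift of this token, in steps
        self.last_counter = None      # highest step already accepted (replay guard)

    def _fresh(self, counter: int) -> bool:
        return self.last_counter is None or counter > self.last_counter

    def _accept(self, counter: int, delta: int) -> bool:
        self.offset += delta          # next login starts from the token's clock
        self.last_counter = counter
        return True

    def verify(self, code: str, now: int) -> bool:
        """Normal login: one code, searched over the +-window steps."""
        base = now // STEP_SECONDS + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if not self._fresh(counter):
                continue
            if hmac.compare_digest(code_at(self.secret, counter), code):
                return self._accept(counter, delta)
        return False

    def verify_pair(self, first: str, second: str, now: int, wide: int = 40) -> bool:
        """Fallback for a badly drifted token: two codes entered in succession
        must match two consecutive steps somewhere in a much wider window."""
        base = now // STEP_SECONDS + self.offset
        for delta in range(-wide, wide + 1):
            counter = base + delta
            if not self._fresh(counter):
                continue
            if (hmac.compare_digest(code_at(self.secret, counter), first)
                    and hmac.compare_digest(code_at(self.secret, counter + 1), second)):
                return self._accept(counter + 1, delta)
        return False


if __name__ == "__main__":
    # Constructed scenario: shared seed, server clock, token running 90 s fast.
    secret, now = b"constructed demo seed", 1_700_000_000
    validator = TokenValidator(secret)
    shown = code_at(secret, (now + 90) // STEP_SECONDS)
    print("accepted:", validator.verify(shown, now), "learned offset:", validator.offset)
    print("replay accepted:", validator.verify(shown, now))
```

The replay guard matters as much as the window: widening the acceptance window is what lets the drifted token through, and without remembering the last accepted step that same widening would let a shoulder-surfed code be reused for the next couple of minutes.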