Friday, 15 October 2010

One-time password keyrings

At some point we have to acknowledge that those little RSA random-number one-time-password keyrings are not the answer to our security problems. For one, if every password was backed up with a unique one-time-password token, I would be carrying more of those things than keys on my keyring, and would probably need a big old-style janitor's keyring to keep them all. You know, the kind that's so big you could slide it on your arm all the way up to your shoulder? I'd also have a lot of trouble telling them apart.

Okay, so what do we do instead? Probably the best compromise is SMS as a second factor, since we all have mobile phones. If your objection to that solution is that it's too easy to steal, remember the tokens. They're even easier to lose.

Mokalus of Borg

PS - I'm sure someone could come up with better two-factor authentication.
PPS - As long as it's genuinely two-factor


Nick Owen said...

We have come up with a different solution that is more secure than SMS (not hard! :). We use public key encryption in a software token. Hardware tokens use shared secrets which means you can't share them. Asymmetric encryption solves this.

So, each WiKID token can support multiple WiKID domains across multiple servers. Moreover, each user can have more than one token.

We have released what we can under an open source license as well.

John said...

It's always good to see open-source security systems. It's the only way to really be sure such things are secure. And public-key encryption is good too, assuming each party trusts the other's public key.

I haven't managed to pick out from your website whether the software token is portable - if I need to log on to my internet banking site from grandma's place, am I out of luck?

Nick Owen said...

We have two flavors of PC tokens. One is portable, one is 'locked' to the PC - it creates a hash of info from the PC such as the CPU ID or mac addy and sends it with the OTP request.

You can install the token on a USB, including a truecrypt drive or Ironkey (they are a customer). That would be good for online banking because you can put your own browser on the usb drive too. Never use granny's IE, I always say. ;).