Sunday 28 September 2008

Authentication tokens


Devices like hashing fobs or tamper-proof smart cards are technically the best solutions for secure authentication, but they have a number of drawbacks for practical applications. By far the biggest is that they are not universal: I can't use my PayPal fob to log onto my LAN, and I have several smart cards in my wallet, but where do I get a reader? Even if I did, how would I get Google to support the use of the card for accessing my Gmail account?


Instead we seem doomed to endure badly implemented wish-it-was-2-factor-authentication and CAPTCHAs which even those of us lucky enough not to be visually impaired cannot read.


While kitten CAPTCHAs are undoubtedly cute, do they really help solve the problem?


It occurred to me that not entering the same password more than once is a good way to avoid the risk of compromise (essentially this is the common factor in CAPTCHAs, smart cards and key fobs), and here is a simple way to achieve this:


When you create an account for your user, issue them with a grid of letters and digits; 6x6 seems about right.

    A B C D E F
 1  s a r 3 c v
 2  8 t e y p 4
 3  q i g h w k
 4  f m z b i 9
 5  7 d j a n p
 6  g e u 5 9 w


Then, each time they log in, ask for, say, 5 of the entries. The grid holds more than 8000 passwords.


Given, say, 32 possible keys (omitting the letter O and number 0, lower case L and digit 1), the chance of guessing the password is one in 33 million.
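
Here is the scheme above as a short Python sketch. It is an example added to this post, not code from the original. The cell names such as "C4" (column letter, then row number), the function names, ignoring upper/lower case in the answer, and the particular challenge are assumptions made for illustration.

```python
import hmac
import secrets

# 32 symbols: a-z and 2-9 without the look-alikes o, 0, l and 1
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
COLS, ROWS, ASKED = "ABCDEF", "123456", 5
CELLS = [c + r for r in ROWS for c in COLS]   # "A1" .. "F6" (naming is an assumption)

# The sample grid from the post, keyed by column letter + row number
POST_GRID = dict(zip(CELLS, "sar3cv" "8teyp4" "qighwk" "fmzbi9" "7djanp" "geu59w"))


def new_grid():
    """Issue a grid at account creation: one CSPRNG-chosen symbol per cell."""
    return {cell: secrets.choice(ALPHABET) for cell in CELLS}


def new_challenge():
    """Pick ASKED distinct cells; the server stores this list with the login
    attempt and never accepts a cell list sent back by the client."""
    return secrets.SystemRandom().sample(CELLS, ASKED)


def expected_response(grid, challenge):
    """The symbols the user should read off the grid, in challenge order."""
    return "".join(grid[cell] for cell in challenge)


def verify(grid, challenge, response):
    """Compare in constant time; case and surrounding spaces are ignored."""
    typed = response.strip().lower().encode()
    return hmac.compare_digest(expected_response(grid, challenge).encode(), typed)


def guess_odds():
    """Number of equally likely answers to one challenge (32**5)."""
    return len(ALPHABET) ** ASKED


if __name__ == "__main__":
    challenge = ["A1", "F6", "C3", "D4", "B2"]     # constructed challenge
    print(challenge, verify(POST_GRID, challenge, "swgbt"))
    print("one guess in", guess_odds())
```
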


Someone's probably already thought of this. But I thought I'd write it down before it gets patented.
