
SoylentNews is people

posted by chromas on Thursday March 07 2019, @05:40AM

In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).

For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.

That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.

What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.


  • (Score: 0) by Anonymous Coward on Thursday March 07 2019, @09:13PM (#811342) (1 child)

    The problem isn't MFA, it's that we're doing security wrong from the ground up.

    Most companies store the TOTP seed in the same DB as the user name and password. Thus if they are compromised, your seed is gone.
    Same with SMS and phones with the added bonus that SS7 flaws enable easy and undetectable interception of SMS as well as spoofing of the same.

    The mere idea of a username and password combo is just ludicrous when you stop to think about it.

    I'm not a "blockchain for everything" kind of person, but this is one place where a blockchain could revolutionize the world.

    The correct way to handle security on the internet is by a properly constructed Public Key Infrastructure, i.e. PKI, via a PKI focused blockchain.

    Imagine an offline, client-side tool which you could use to create your very own self-signed identity certificates.
    You would start with a master certificate which is kept safely offline and only used to create new device-specific keys and later revoke them.
    Once you create device-specific revocable keys forming a personal ident keychain, you can quickly and easily generate site-specific child keys.

    Because it is using a blockchain, each device can be authenticated without using a centralized authority and your logins don't leak because the reason for using a blockchain is that the entire PKI DB is cached by the authority. While the ACL DB for the site/service is stored locally with the authority you are trying to auth to, as per normal.

    Now if you lose a device it is very simple to use your master certificate to revoke the compromised cert.

    Authentication becomes a very simple matter of the claimant using the keychain to sign messages, and the authority using the public key to verify the certificate presented is still valid by looking it up on the PKI chain. From there the authority would match the root identity on the PKI chain vs their own internal ACL to determine what further actions to take.

    A PKI focused blockchain could be incredibly tiny.

    It only needs to store a public key and a creation and expiration date, along with a list of the child or delegate keys it has signed that are unexpired. Revocation would just be setting the expiry to "now".

    The ACL would be up to the authorizing party and the claimant identity would be part of that initial handshake process between claimant and authority.
    Most blockchains are big because they are full of junk transactions and/or their model requires blocks to be generated every n seconds.

    But this is because most blockchains are built on the idea of printing their own money and there has to be a race to the finish for blocks to be found in order for money to be printed. Monetary rewards serve as a way of subsidizing miners and incentivizing them to continue. However miners could be completely decentralized and offered as a side-along service with some other paid for service. PKI profit models have a long and well established history, usually tied to certificate purchase.
    An example would be a notary public offering to onboard you as part of their normal business.

    There are also presently a number of free key servers available for GPG, that could be readily adapted.
    For PKI we only need each miner to publish a signed changeset as they occur. Without the monetary incentive, reconciliation becomes easy because each miner is its own authority and multiple miners validating the changes and publishing their own changesets serves as a web of trust while still providing blockchain levels of security.
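
The comment's point about TOTP seeds, as an added Python example (not part of the original post or of any site's code): a TOTP seed is a shared secret the server must keep in recoverable form, so unlike the one-way password hash stored beside it, a copy of the row alone is enough to compute a code the login check accepts. The row layout, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(seed: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains t."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way password hash; the server never needs the password back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_row(user: str, password: str, seed: bytes) -> dict:
    """Constructed account row with both factors in the same table."""
    salt = os.urandom(16)
    return {
        "user": user,
        "salt": salt,
        "pw_hash": hash_password(password, salt),  # cannot be reversed
        "totp_seed": seed,  # must be readable to verify any code
    }

def login(row: dict, password: str, code: str, t: float) -> bool:
    """Server check: password hash first, then TOTP with +/- one step of skew."""
    candidate = hash_password(password, row["salt"])
    if not hmac.compare_digest(candidate, row["pw_hash"]):
        return False
    return any(
        hmac.compare_digest(totp(row["totp_seed"], t + d * STEP), code)
        for d in (-1, 0, 1)
    )

def code_from_stored_row(row: dict, t: float) -> str:
    """A copy of the row yields a valid code without the user's device."""
    return totp(row["totp_seed"], t)
```

The password factor survives a copy of this table only as a hash, while the second factor does not survive at all, which is why the seed column needs protection the password hash does not.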

  • (Score: 2) by vux984 (5045) on Saturday March 09 2019, @06:26PM (#812084)

    "Without the monetary incentive, reconciliation becomes easy because each miner is its own authority and multiple miners validating the changes and publishing their own changesets serves as a web of trust while still providing blockchain levels of security."

    Hard to see why there would be that many miners without monetary incentive; making the whole thing vulnerable to nation-states or other large actors with a lot of compute putting whatever they want onto the chain.

    "PKI profit models have a long and well established history, usually tied to certificate purchase."

    That seems like a good way to prevent wide adoption, as it'll make the certificates expensive; at the very least marginally more than running the mining rigs. Running mining operations isn't cheap; and with no currency component, the only revenue is going to be selling certificates?