Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Security America Online

AOL Moves Beyond Single Passwords for Log-Ons 309

Posted by CmdrTaco
from the are-you-secure-yet dept.
ars writes "Yahoo is reporting that AOL is adding a new feature alowing customers to use two passwords to log on. The second password comes from a small small device from RSA Securitywhich displays a new password each minute. The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."
This discussion has been archived. No new comments can be posted.

AOL Moves Beyond Single Passwords for Log-Ons

Comments Filter:
  • by Tyndmyr (811713) * on Tuesday September 21, 2004 @07:49AM (#10307251)
    Its a security improvement yes...but why would I want to use AOL regardless?

    I tried it...it was slow, often down, and required special software. None of which my cable connection is subject to.

    • For the tin foil hat hearing folk you can get a three password login for one low fee of 5.95
    • Whoop-de-do, we've been using SafeWord cards just about forever around here. Nice to see at least one ISP dragging itself into the '90s.
    • by gcaseye6677 (694805) on Tuesday September 21, 2004 @08:51AM (#10307781)
      What I'm curious to see is how this would affect "people who conduct large transactions online", who the article said were one of the target groups for this device. There are currently no plans to integrate this with banks or credit card companies, so how exactly does this protect peoples' account information? If bobbyjoe44@aol.com has an account at Bank One, I can still send them a fake "update your information" email, they put in their Bank One password and other info, and I get into their account. Meanwhile, the keygen thing is only protecting their AOL account and I'm cleaning out their bank account.

      The only thing this really secures is AOL's bottom line, by preying off of peoples' fears and giving them something that makes them FEEL more secure online.
  • by Demanche (587815) <chris.h@rediffmail.com> on Tuesday September 21, 2004 @07:49AM (#10307256)
    Can I have a $2 discount???!??!

    ^^ Average american reply if this gets implemented.

    Have fun at the aol sales desk ;)
  • AOL Employees (Score:4, Insightful)

    by Anonymous Coward on Tuesday September 21, 2004 @07:50AM (#10307264)
    Used to have to use them, smartID or something. ALL internal accounts were locked... its a very secure system, but hard to believe that users would actually want to use it.
    • I still do... RSA SecurID... don't need it to get mail from "outside" if you're happy with the exchange web interface, but I need it in order to VNC inside the Turner (an AOL/TW company) firewalls.
    • SecureID (Score:3, Interesting)

      by Gr8Apes (679165)

      SecureID just seems like the next logical step. I used one for 3 years, and, once you get used to not attempting to log into your VPN when only the last bar is showing (there's a countdown bar indicating how much time is left before the number changes) it's really not so bad.

      They appear to run on pseudo random number generators, and are synched up with the server with a known seed. I imagine they'd be very difficult to crack, as our system was configured to only allow 1 login attempt per number, if you t

  • by MurrayTodd (92102) * on Tuesday September 21, 2004 @07:50AM (#10307265) Homepage
    Something I've waited for years and it never come--maybe someone can explain why: client-side SSL.

    To my understanding, you would place a client-authenticating certificate in you web browser program, and during the SSL negotiation that certificate would be used for authentication.

    The only two problems were (again, to my limited understanding) first that you had to go through the effort of installing the certificate on every browser you used, and second, the security could be broken if someone had access to your account. (Of course, account login security and browser "first-time-on-launch" passwords helped protect against that.)

    Why the bloody SecureID system that's so klunky?
    • by dr_dank (472072) on Tuesday September 21, 2004 @07:59AM (#10307335) Homepage Journal
      Why the bloody SecureID system that's so klunky?

      Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.
    • by morzel (62033) on Tuesday September 21, 2004 @08:00AM (#10307352)
      If I get into your PC, I can copy your certificate without you ever knowing it until it's too late.
      I obviously can't steal your RSA token without you finding out pretty soon.

    • by virtual_mps (62997) on Tuesday September 21, 2004 @08:07AM (#10307415)
      Something I've waited for years and it never come--maybe someone can explain why: client-side SSL.

      Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.
      • Although it's not perfect, it's hardly snake oil. We use client-side certificates to keep the random crackers away from the login screen - they don't see anything unless they have the certificate. However, we DO NOT use them to identify individuals - it's only a very rough grained and basic bit of authentication to keep random people away.
    • > Something I've waited for years and it never come--maybe someone can explain why: client-side SSL.

      Such a thing already exists... in Denmark. It's completely free to get a certificate mailed to you and you can use it to authenticate for a multitude of do-it-yourself online services like tax returns and other state/county forms. I think it works quite well.
  • by Anonymous Coward
    because it costs money.

    "Identity theft only happens to other people"
  • Not a bad idea (Score:5, Insightful)

    by Celt (125318) on Tuesday September 21, 2004 @07:52AM (#10307281) Homepage Journal
    AOL/TW employee's use these so why not offer it to customers, imho if banks gave out these devices for a one-off-fee on-line banking would be ALOT safer and there'd be less scams.

    Also sometimes those secure ID devices can go out of sync with the server and thats when the fun begins :)
    Thats the only problems I've seen with them,

    --
  • whoo. (Score:3, Informative)

    by nbvb (32836) on Tuesday September 21, 2004 @07:52AM (#10307285) Journal
    SecureID.

    Whoo.

    Been there, done that.

    All it does is make an attack "more" difficult, but nowhere near impossible:

    http://www.tux.org/pub/security/secnet/papers/se cu reid.pdf
    • Re:whoo. (Score:5, Insightful)

      by k98sven (324383) on Tuesday September 21, 2004 @08:06AM (#10307411) Journal
      All it does is make an attack "more" difficult, but nowhere near impossible

      Yes. Exactly like every other security system ever designed.

      Your point is?

    • Re:whoo. (Score:3, Insightful)

      by lysander (31017)
      For the external attack described in the document you mentioned, it assumes that the SecureID token's value is sent in the clear. I don't know about you, but this seems like a pretty big assumption. If one enters the value over SSL or SSH, observing the value over the network is harder, and makes the first attack not feasible.

      That leaves the rest of the document describing attacks between the machines that verify the value, which hopefully are internal and not snoopable from the outside.

    • Re:whoo. (Score:5, Insightful)

      by bitslinger_42 (598584) on Tuesday September 21, 2004 @08:26AM (#10307564)

      Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:

      1) Targeting users of sdshell and a token card
      2) Denial of service
      3) Require access to the server network

      #1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters ther numeric pin which is mathmatically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromize of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.

      The second, the DoS attack, is old, and its not like AOL hasn't dealt with DoS attacks before.

      The third require pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?

      If you read the hacker rags closely, you'll find that the keyfobs auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while its technically possible in some circumstances to do an attack on the SecurID process, its usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)

    • Re:whoo. (Score:3, Informative)

      by Fedallah (25362)
      After reading through the paper, I have to say that the attacks contained therein are simply not that impressive. In it, the author describes the following attacks:
      • An race attack that is only valid if the user slowly logs in over an unencrypted non-line-buffered telnet session using the SecureID. I have never seen an implementation of SecureID used like this, and we can be assured AOL's implementation will not be susceptible (as they will undoubtedly be having the token typed into a local window, not tr
    • It depends on the client software. Our company uses client-side software which has you type in your password, PIN and token first, and then it logs in. So the "try all last numbers before the person can enter it" idea wouldn't work. Effectively this implements the "LINE_BUFFERED" protection described in the paper.

      Key loggers would only get this minute's token, which is already used, so a key logger would have to then physically steal the token to be able to gain acc

  • by Anonymous Coward
    like most technologies, this one will never be embraced unless the pr0n industry stands behind it. They've been early adopters on almost everything else that's been successful.
  • by AhabTheArab (798575) on Tuesday September 21, 2004 @07:53AM (#10307292) Homepage
    Great, now phishers will have to ask AOL users for their password twice, and they will gladly comply.
    • by JohnHegarty (453016) on Tuesday September 21, 2004 @08:00AM (#10307346) Homepage
      two points...

      1) it only lasts 60 seconds
      2) if used , it can't be used again until the minute is up
      • by mfh (56)
        1) it only lasts 60 seconds
        2) if used , it can't be used again until the minute is up


        Yup that will work for 1% of AOL users. The rest are screwed if it ever becomes mandatory. Sixty seconds is not enough time for about 99% of all AOL users. They'll spend the first 30 seconds trying to get the first password in and then type in the second password in the next thirty seconds -- only to figure out they got the two mixed up. Then they will spend all day typing in the same two passwords until they phone AOL at
        • The timing of the second password is not dependent on when the first is entered.

          It's evaluated as to what it should be at the moment you hit enter, after punching it in.

          We use them all over at work, and it's pretty easy.
  • AOL rip your card off by another $60 every year - saves small business the time and trouble of going out and finding a genuine internet criminal to perform that vital service.

    No wonder they are America's number 1!
  • This is going to be a complete waste of time IMHO. The AOL user base is such that a typical AOL user has a password like " password" or MikeJohnson". How do they expect users to be able to handle a second password that is strong? " I forgot my password, can you help?" Yes, just read the display on your password generator." "ok what does "dgR23Ls12S" have to do with me? My name is Mike Johnson"
    • I worked for AOL for 8 years ... secureID is easy, and keeps the clueless billing reps (now in india I believe) from giving away your account to social engineering "phishers".

      The display on the SecureID is just numbers, synced to the auth server. The average user should have no problem entering 8 numbers when prompted.

      - Roach
      http://www.speedwerks.com
    • First, it's only numbers. Second, it's two parts - one is your password that you've set up ahead of time (like usual), the second is the "random" number on the securID. I work with a lot of idiots and they all seem to manage.
  • The RSA keys have been avaliable for a long time. They're great.

    I'm impressed that AOL is using them. It shows that they're at least a little concerned with security.

    I really hope that this is a starting point for web hosting providers to start using these.
    • Do you have to enter a pin on the token to get it to work?? I have an Axent Defender token which, if you get the pin wrong 3 times in a row, locks you out. It has be sent back to the company Security folks to be unlocked... Hours of fun for AOLers and their kids... :)
  • Time Drift (Score:2, Interesting)

    by JumboMessiah (316083)
    IIRC, The RSA devices that I've used in the past rely on accurate time synchronization with the server. While it was easy for me to have it reset, I wonder how they plan to handle this on a large scale? It would require the end user to physically send the device back to AOL.

    I suppose eventually they may integrate GPS timing with them, making it a thing of the past, but who wants your fob tracking you...
    • yes, they drift. not much, but a bit: this is why the system accepts a few numbers in the sequence. should it drift *too much* then you just need to phone their access control guys and get it put in "new pin mode" remotely. this happens all over the world, all the time. gps timing and tracking? lay off the crack.
    • by morzel (62033) on Tuesday September 21, 2004 @08:13AM (#10307461)
      IIRC RSA uses a sliding window to correct for time drift.

      In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/before schedule and generate a number x entries before/after the expected entry.
      If this is the case, the server looks up if number x is in the vicinity (e.g.: within 5 minutes) of the expected number. If that's the case, the server assumes that the clock has drifted and marks the amount of time that the fob has drifted for next authentications.
      If x is outside that range, but inside a much broader range (e.g.: one hour), it will request the number that the fob generates next, and checks if that number matches the one that should come after x. Then it marks the drift amount and allows access.

      The server automatically compensates for inaccurate clocks in the fobs; as long as you use it regularly. Only if you have,'t used your fob for quite some time, and it has a really lousy clock they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).

  • Seen it used.. (Score:3, Interesting)

    by the_dubstyler (810220) on Tuesday September 21, 2004 @07:56AM (#10307323)
    My bank uses one of these for online banking, as a protection against keystroke recorders. I suppose I'm just too lazy to actually get hold of one and try it. I figure they're not a bad idea, given that the majority of people trying to hack your accounts are amateurs who would be put off by it.
  • Hmm (Score:3, Interesting)

    by Bigthecat (678093) on Tuesday September 21, 2004 @07:58AM (#10307333)
    As I'm sure many people here have noticed these before, they've probably also noticed how often they go missing. For instance, the employees of a large company right here in Australia are all given these, along with their laptops and logins.

    These people aren't techheads, and most of them write their passwords down on pieces of paper, conveniently attached to their laptops, which is then conveniently placed in their work briefcase, along with the password updater.

    Sufficed to say, dozens of these briefcases get stolen, in the same bar frequented by employees of this company every six months (One might ask why they still take their gear there). The thief gets an expensive company fleet laptop, a company password list, and a company satellite password updater, all packed in the same convenient suitcase with a carryhandle ready to go missing.

    Ultimately, no matter how many security measures you put in place for a company or organisation, you're going to encounter people who write down their passwords, people who fall for emails from tech support who need to 'verify' their accounts and ultimately people who will have their information stolen and not report it for days, which is plenty of time for the thief, and a less-than-ideal amount of time for people like you and me to have enabled compromised accounts running on the system.

  • Big Deal :) (Score:3, Insightful)

    by purduephotog (218304) <hirsch@inorbi t . com> on Tuesday September 21, 2004 @07:59AM (#10307339) Homepage Journal
    Had this ability for corporate accounts for some times. And the problems have never been addressed, some of which:

    1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)
    2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters. ...

    So yeah, I'm thinking it's a great step. But not for AOL.
    • Re:Big Deal :) (Score:3, Insightful)

      by gfxguy (98788)
      1. The way it gets used is not for establishing an internet connection, but authenticating the user (broadband users, for example, still need to use one). So you establish your connection, then a password prompt pops up then you type in your password. No automation = more secure.

      2. You have an established password PLUS the securID password... even if someone you know steals it from you, and they know your login and have your securID, they cannot log into your account unless they ALSO know your private pa
    • 2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters.

      IIRC, I think they have a credit-card sized version, and it is possible to have it integrated into a phone/PDA.
  • by siliconjunkie (413706) on Tuesday September 21, 2004 @08:00AM (#10307347)
    This is a great feature to have from an ISP, and the technology is sound (we used similar "Crypto Keyfobs" when I worked at PacBell for logging into the system remotely when in the field)...but I must admit I am surprised that it's AOL offering this kind of a thing.

    I used AOL years ago, and have used it from time to time recently on other people's computers, and there is nothing in the "AOL package" that I have seen that says "power user" to me.

    So I guess what I am wondering is...is this something that AOL users are actually clamoring for....or has AOL finally sucked up all the "n00b" market that there is and is trying to offer services that would appeal to more of the "slashdot crowd"?
  • Social engineering (Score:2, Interesting)

    by maximilln (654768)
    How long until the AOL service department implements a policy for allowing users into their accounts when they've lost the SecureID, or their spouse accidentally took it with them, or they're on a business trip and left it at home? I see this being a perfect route for social engineering of unauthorized access.
    • The SecurID system allows for a temporary password to be set in the event of a lost or stolen token. While, it is certainly possible for someone to call up tech support and say they lost the token, so please give me a temp password, it is trivially easy to beat that sort of claim. For instance, at my company which uses SecurID (Not AOL), we will hang up the phone and call back the phone number listed in the SecurID system for the user. So, unless the hacker here broke into the person's home, they won't b
  • Well... (Score:3, Funny)

    by ImaLamer (260199) <john@lamar.gmail@com> on Tuesday September 21, 2004 @08:01AM (#10307362) Homepage Journal
    What happens if I lose my SecurID?

    Seriously. If I set my password to "password" and someone picks this up then I'm screwed, right?

    • Re:Well... (Score:2, Funny)

      by WesG (589258)
      Hmmm...Screwed? Nah..I would call this natural selection.

      Seriously - its no different than writing your "simple passwords" on a piece of paper somewhere and someone finding the list. For bonus points, what was the password used in Wargames :-)

      Kudos to AOL for at least providing this option to the general public.
      • For bonus points, what was the password used in Wargames

        Which one, "pencil" or "joshua"? Or maybe you're referring to the launch codes? :-)

    • What happens if I lose my SecurID?

      A company I worked for used to use these things as part of the login process to get into the VPN, and the password you supplied based off of the FOB included a part chosen by you that was static and *not* displayed on the FOB. So the whole password always begins with "xyz" (whatever you decide, or, I believe, whatever was given to you), and ending with the 60-second numeric key.

      Regardless, even if they don't do something like that, getting someone's password is now a

    • What happens if I lose my SecurID?

      We use SecurID tokens at work. The passcode you have to enter consists of a four-digit PIN, plus the six digits displayed in the token's window. So even if your token is stolen, whoever found it would have to know your PIN. And unless you're dumb enough (whoops, this is AOL) to tape your PIN to your token, the h4x0rz have 10,000 PINs to go through... and the system locks you out if you fail three times.

      --Rob

  • I Used AOL securID (Score:5, Informative)

    by Apple Acolyte (517892) on Tuesday September 21, 2004 @08:02AM (#10307371)
    In addition to being used internally by AOL, securID was offered to some regular users who were targeted by hackers. Like an organization I work for. The securID token is smaller than the average pager, having no buttons, only a display with a string of numbers that would alternate every 30 seconds or so. The biggest shortcoming of the system is that the battery did eventually die, and there was no easy way to replace it. That meant the account in question had to be unbound from the token. And it took a long time to find a rep that could actually handle that request. (Not that that was too big of a deal, since my organization only kept its AOL account alive for legacy purposes.) In terms of use, however, the token was not obtrusive at all. No additional client software was required. Upon sign on, a securID window was presented prompting the user for the key. Otherwise, it was transparent.

    The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?

    • The battery does die, but normally after the lifetime of the token.

      Every secureID token had a lifetime of three years, in the old security dynamics days these were printed on the back of the token, I'm not sure this is the case now they are RSA tokens.

      Either way, each number is displayed once and once only. The limit on available numbers is reached before the battery dies, after which the token flashes pointlessly for a couple of extra years.

      There are no user replaceable parts. You buy the token, we buy
  • by bcarl314 (804900)
    It's aimed at small business and people who conduct large transactions online

    Just a comment (read opinion), but unless you have no other options, why would you, as a small business owner, use AOL to "conduct large transactions" online.

    Mod me troll if you like, but I don't consider AOL to be a very "business friendly" organization.
  • ...also includes implementing ideas like the two-factor authentication for users who re-use their passwords, or write them on stickies, or lose their smartcards once every two weeks, or are simply computer-illiterate, etc.

    What does AOL hope to accomplish through using the smartcard? A better investment in security would be to stem the flood of spams currently coming out of their slice of TLD. This measure is like a new bandaid for the old bandaid that's falling apart, and the wound is fourteen inches lon
  • AOHell Commercial [101kgb.com]

    Chris
  • heh (Score:3, Insightful)

    by H8X55 (650339) <jason.r.thomas@nOSpaM.gmail.com> on Tuesday September 21, 2004 @08:09AM (#10307431) Homepage Journal
    And yet AOL still reccommends to its home users that they store their passwords in a less than secure format on their local PCs.
  • I'm rather concerned of the trend in today's journalism where the news aggregate is quoted as reporting something when it's really the Associated Press that is reporting something.

    Get your citations straight! Don't be like the radio!

  • The company that I was working for had little devices similar to that (They called them Token Cards) that would display a new code each time you pressed the button. It was a financial institution and they used it to protect their dial-up lines from people. They entered the code like this password*hashfromdevice.
  • Oh man, Lucas finally releases the original trilogy on DVD, AOL starts at least trying to have some form of security both in the same day. That has got to be a major sign of the impending apocalypse. If Microsoft announces it's dropping Windows to develop Linux before the day's out I'm heading for the mountains!
  • by SirTwitchALot (576315) on Tuesday September 21, 2004 @08:18AM (#10307502) Homepage Journal
    because they can't be making much money from this:

    RSA sells these devices for $60 each or so in bulk. RSA fobs are programed to expire in 36 months. Let's say AOL got them for $50. The customers are paying 9.95+(1.95*36) or $80.15 over three years. That gives AOL $30.15 or about $10 a year. I'm sure aol could find some other way to fleece their users less than a dollar a month, leading me to believe this isn't just some profit making venture (not to mention the cost of the servers to implement this, which is not insignifigant.)
    • I am sure that the financial hit isn't as bad as you made it out to be.

      1) They wouldn't have purchased a small amount of fobs. We are probably talking about an order between 100,000 and 1,000,000. That means they probably received a vast discount. The fobs themselves are glorified calculators that run off of a preset algorithm. They most certainly wouldn't cost upwards of $50 a piece. I am sure that they are partnering with RSA for this business venture.
      2) The security features were already put i
      • I'm not so sure your maths is correct.

        Sure the fobs can be bought in bulk for $xxx. But for every usable fob you have to buy a corresponding ACE server licence, which does also add to the expense. You then have standard maintenance on the ACE servers which is a fixed percentage of the initial server costs.

        The branding isn't that special, I think you can get it whenever you order more than 1000, most banks do this for their customers, it isn't a new thing for AOL.

        The service is generally very good, The co
  • There exist handshakes for proving I know something without revealing what it is.

    Is any of it simple enough to perform -- perhaps with some idiot savant-y BIG_NUM manipulation tricks -- in your head?

    It might take a bunch of passes, perhaps as many as one for each bit of entropy in your "secret", but I am sure there must be SOME way to set up my webmail so that I can authenticate myself into a "read the subject lines / senders of all NEW messages" session, with password1, or, with password2, into a "read t
  • I love those little digital PIN devices... I thought they cost a lot more than that. Are those feasable for do it yourselfers to use at home for their SSH authentication? Once I was thinking about writing a script that changes the user ID of my remote login account every X minutes, and sends an SMS to my cell phone with the ID each time it changes, like my own cheap ripoff...
  • by YetAnotherName (168064) on Tuesday September 21, 2004 @08:22AM (#10307535) Homepage
    If you're lucky enough to have a decent screen name on AOL, like your first or last name, then you probably want to get one of these devices.

    When I got my Yahoo account years and years ago I was early enough to get decent screen name. The problem is that today that account is routinely hacked (and once, even pwned, but thanks to the nice security folks at Yahoo, given back to me). People don't like to use something like "%geeba%56672" for Yahoo Instant Messenger. I imagine the same thing is true on AOL. Having a smartID or securiCard or other defense would be nice.

    (Then again, auctioning off a nice AOL screen name might be worth a few bucks on eBay...)
  • by syrinje (781614) on Tuesday September 21, 2004 @08:26AM (#10307566)
    Two factor authentication relies on (d'uh) two inputs to the authentication algorithm - something you know (like your username) and something you have (like a password - whether generated by a SecurId or not).

    The advantage of the automagically generated password is that the password is a temporal function of the account. This means that the server and the password generator both work off the same clock base to calculate a password for your account and authentication succeeds if the two match (within some non-zero time window - to compensate for clock drift). the password is thus valid for a very short duration and makes it very hard for a MIM to capture, replay and use

    As far as I can see the first (user memorised password) is merely an artefact of an older system left in there to make the user feel good about having some password control since that is the fator that is most vulnerable to compromise (think social engineering).

    A more robust mechanism would be to add a challenge response to this mechanism - the suthenticating system gives you two numbers (n1, n2)which you feed into your password generator and it generates the response thus -

    R sub t = f(t, n1, n2)

    The authenticating system performs the same computation and accepts your password if it matches with the result generated locally. Banks in Sweden have been using this for quite a while now - the password generator is, of course, protected by a PIN number to unlock it for use and therin lies the weakest link!

    • Not quite... (Score:3, Insightful)

      by Millennium (2451)
      Two-factor is indeed based on something you have and something you know. But "something you know" isn't your username; that's "something you are". "Something you know" is, in fact, your password.

      Two-factor authentication actually has three factors. The username part is so insecure, however, that no one really counts it, because everyone has to know it in order to do any business with you at all. Many graphical login managers even present a list of usernames, because keeping these secret hampers the system'
    • Without the user-memorized factor, the token (secureID or otherwise) becomes the entirety of the password, making it no better than a key for a lock - if it goes missing, your security is nil.

      Essentially, the two-factor system needs both the user-generated factor and the automatic factor - the automatic protects against social engineering of the user, and the user protects against physical engineering (i.e. theft) of the automatic.
    • Authentication can generally be done using any combination of these 3 factors:

      - Something You Know. Generally a shared secret, such as a password.

      - Something You Have. Prove that you are in possession of something. By entering the code from a SecureID card, you prove you are in possession of the card. A physical key entered into a lock is also Something You Have. The CVV code on the back of a credit card is a weak form of Something You Have (it could be argued it is something you know, but online sto
  • Synchronized Clocks? (Score:2, Interesting)

    by ericpi (780324)

    One thing I always wondered about these devices, is how you keep the device synchronized with the server. Since the code changes every 60 seconds, the server and the fob have to be set to within 1 minute of each other in order to agree on the same code.

    A typical quartz clock has accuracy on the order of +/-10 ppm (parts per million). To accumulate an error of 60 seconds requires only 60 / (10 / 1M) = 6M seconds = 70 days. Therefore, it would seem after a few months, the fob would 'drift' enough to make

    • by PalmerEldritch42 (754411) on Tuesday September 21, 2004 @08:56AM (#10307823)
      The server does allow a range of codes to work. I have been using SecurID and you can put in the tokencode from 1-2 minutes ago and it will let you in. So, if the token gets out of sync from the server, it is ok. If it gets too out of sync, then you need to call the help desk and they can resync it using some online tools. It takes less than a minute to do. I've never experienced a time drift problem that resyncing didn't fix, but theoretically, if it cant sync back up, they can always just send you a new card and use that one instead.
  • What happens if your fob/rsa token, dies. They do expire, but sometimes, they die due to "reasons". Either faulty, or too much static etc etc..


    That could be a hurdle to get over.

  • Does my small small device show the same number as everyone else's? If so, how does this help with phishing, as long as Phisher Bob can get his hands on one?

    If it doesn't show the same #, does AOL generate a new # every 60 seconds for every subscriber? Not sure, but that seems like a lot of work... Anyone know specs on the RSA algorithm used? From TFA:

    Gartner analyst Avivah Litan believes a "very narrow set of consumers" -- perhaps 5 percent to 15 percent of AOL's 30 million subscribers -- would sig

    • I have one for work at an investment bank [not through AOL]. Basically it generates an unique number every 60 seconds. AOL doesn't have to generate it nonstop. Basically they just generate it based on the timestamp at the time of login.

      Why would you think they would update every second even if nobody is logging in? That would be pretty piss-poor design.
  • by graphicartist82 (462767) on Tuesday September 21, 2004 @08:55AM (#10307819)
    "It's aimed at small business and people who conduct large transactions online."

    These people use AOL? I sure wouldn't do business with any company whose e-mail address was companyname@aol.com or whose web page was http://hometown.aol.com/coolguy12345

If entropy is increasing, where is it coming from?

Working...