AOL Moves Beyond Single Passwords for Log-Ons 309
ars writes "Yahoo is reporting that AOL is adding a new feature alowing customers to use two passwords to log on. The second password comes from a small small device from RSA Securitywhich displays a new password each minute.
The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."
This has been used internally for years (Score:1, Informative)
Interesting... this particular feature has actually been a part of AOL for several years now. All AOL employees are issued SecureIDs and are required to use them to log in to various places. It seems they've just expanded the feature to non-employees.
whoo. (Score:3, Informative)
Whoo.
Been there, done that.
All it does is make an attack "more" difficult, but nowhere near impossible:
http://www.tux.org/pub/security/secnet/papers/s
Useless (Score:1, Informative)
This just creates an illusion of security.
Re:AOL Security at work again... (Score:3, Informative)
Re:This will make the problem disappear. (Score:5, Informative)
1) it only lasts 60 seconds
2) if used , it can't be used again until the minute is up
Re:Not a bad idea (Score:4, Informative)
The server is designed to track slight drifts in time and track/compensate for the cards.
Even if they are out of sync, the most you have to do is enter two codes instead of just one.
I Used AOL securID (Score:5, Informative)
The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?
Re:Good deal - basic math? (Score:2, Informative)
Re:Time Drift - sliding window (Score:5, Informative)
In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/before schedule and generate a number x entries before/after the expected entry.
If this is the case, the server looks up if number x is in the vicinity (e.g.: within 5 minutes) of the expected number. If that's the case, the server assumes that the clock has drifted and marks the amount of time that the fob has drifted for next authentications.
If x is outside that range, but inside a much broader range (e.g.: one hour), it will request the number that the fob generates next, and checks if that number matches the one that should come after x. Then it marks the drift amount and allows access.
The server automatically compensates for inaccurate clocks in the fobs; as long as you use it regularly. Only if you have,'t used your fob for quite some time, and it has a really lousy clock they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).
Aol must really care about security... (Score:5, Informative)
RSA sells these devices for $60 each or so in bulk. RSA fobs are programed to expire in 36 months. Let's say AOL got them for $50. The customers are paying 9.95+(1.95*36) or $80.15 over three years. That gives AOL $30.15 or about $10 a year. I'm sure aol could find some other way to fleece their users less than a dollar a month, leading me to believe this isn't just some profit making venture (not to mention the cost of the servers to implement this, which is not insignifigant.)
Re:This has been used internally for years (Score:2, Informative)
Unfortunately, I've found that the fobs tend not to enjoy the abuse that being on my keychain tends to bring. The LCD panels end up pretty scratched by the time I'm done with them.
Got a good screen name? Get one of these. (Score:3, Informative)
When I got my Yahoo account years and years ago I was early enough to get decent screen name. The problem is that today that account is routinely hacked (and once, even pwned, but thanks to the nice security folks at Yahoo, given back to me). People don't like to use something like "%geeba%56672" for Yahoo Instant Messenger. I imagine the same thing is true on AOL. Having a smartID or securiCard or other defense would be nice.
(Then again, auctioning off a nice AOL screen name might be worth a few bucks on eBay...)
But you don't need "two" passwords ! (Score:3, Informative)
The advantage of the automagically generated password is that the password is a temporal function of the account. This means that the server and the password generator both work off the same clock base to calculate a password for your account and authentication succeeds if the two match (within some non-zero time window - to compensate for clock drift). the password is thus valid for a very short duration and makes it very hard for a MIM to capture, replay and use
As far as I can see the first (user memorised password) is merely an artefact of an older system left in there to make the user feel good about having some password control since that is the fator that is most vulnerable to compromise (think social engineering).
A more robust mechanism would be to add a challenge response to this mechanism - the suthenticating system gives you two numbers (n1, n2)which you feed into your password generator and it generates the response thus -
R sub t = f(t, n1, n2)
The authenticating system performs the same computation and accepts your password if it matches with the result generated locally. Banks in Sweden have been using this for quite a while now - the password generator is, of course, protected by a PIN number to unlock it for use and therin lies the weakest link!
Re:whoo. (Score:3, Informative)
absolutely correct in this example but it is quite probable that some variation of the
attack is possible."
Of course, I'm not claiming that the security of a SecureID implementation is unassailable, or that SecureID is a panacea for security problems. I just don't believe an old article that describes some irrelevant not-quite-attacks is sufficient to cast doubt on the extra security provided by SecureID, and that attacks on SecureID are actually much more difficult than you seem to be claiming.
Re:This has been used internally for years (Score:3, Informative)
Incidentally, there's an expiration date on the back of these things (I just thought to check). My current fob has an expiration date in Dec of 2007. I think that's a pretty good duration and it's more likely the thing will get destroyed by being dropped on the pavement, lost, scratched beyond usability, etc. in over 3 years of use on a keychain.
Re:Synchronized Clocks? (Score:4, Informative)
Re:But you don't need "two" passwords ! (Score:3, Informative)
- Something You Know. Generally a shared secret, such as a password.
- Something You Have. Prove that you are in possession of something. By entering the code from a SecureID card, you prove you are in possession of the card. A physical key entered into a lock is also Something You Have. The CVV code on the back of a credit card is a weak form of Something You Have (it could be argued it is something you know, but online stores are using it to 'prove' you are in possession of the card).
- Something You Are. This is biometric authentication, such as voiceprint, fingerprint, iris scan, DNA check, dental records, etc.
Your username is only a bit data -- well-known data at that. It doesn't count for any of the three factors.