AOL Moves Beyond Single Passwords for Log-Ons 309
ars writes "Yahoo is reporting that AOL is adding a new feature alowing customers to use two passwords to log on. The second password comes from a small small device from RSA Securitywhich displays a new password each minute.
The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."
Security Functionality (Score:3, Insightful)
I tried it...it was slow, often down, and required special software. None of which my cable connection is subject to.
AOL Employees (Score:4, Insightful)
noone will get this (Score:2, Insightful)
"Identity theft only happens to other people"
Not a bad idea (Score:5, Insightful)
Also sometimes those secure ID devices can go out of sync with the server and thats when the fun begins
Thats the only problems I've seen with them,
--
AOL...cutting edge security. (Score:2, Insightful)
Re:Isn't there a much easier way...? (Score:5, Insightful)
Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.
Big Deal :) (Score:3, Insightful)
1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)
2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters.
So yeah, I'm thinking it's a great step. But not for AOL.
Serious business people use AOL? (Score:3, Insightful)
I used AOL years ago, and have used it from time to time recently on other people's computers, and there is nothing in the "AOL package" that I have seen that says "power user" to me.
So I guess what I am wondering is...is this something that AOL users are actually clamoring for....or has AOL finally sucked up all the "n00b" market that there is and is trying to offer services that would appeal to more of the "slashdot crowd"?
You can't copy a physical token (Score:5, Insightful)
I obviously can't steal your RSA token without you finding out pretty soon.
Businesses us AOL?? (Score:2, Insightful)
Just a comment (read opinion), but unless you have no other options, why would you, as a small business owner, use AOL to "conduct large transactions" online.
Mod me troll if you like, but I don't consider AOL to be a very "business friendly" organization.
Re:Useless (Score:4, Insightful)
This just creates an illusion of security."
Wrong. You could have a damn key logger on their computer, it doesn't matter. The SecurID password expires every minute.
Re:whoo. (Score:5, Insightful)
Yes. Exactly like every other security system ever designed.
Your point is?
Re:Isn't there a much easier way...? (Score:5, Insightful)
Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.
heh (Score:3, Insightful)
Re:Big Deal :) (Score:3, Insightful)
2. You have an established password PLUS the securID password... even if someone you know steals it from you, and they know your login and have your securID, they cannot log into your account unless they ALSO know your private password, which can't be easy like "mike" or "john", because it's all numbers. Now, sometimes people use stupid numbers (birthdays and so forth), but you are still talking about having two "keys" in order to log into an account.
Re:whoo. (Score:3, Insightful)
That leaves the rest of the document describing attacks between the machines that verify the value, which hopefully are internal and not snoopable from the outside.
Re:whoo. (Score:5, Insightful)
Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:
1) Targeting users of sdshell and a token card2) Denial of service
3) Require access to the server network
#1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters ther numeric pin which is mathmatically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromize of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.
The second, the DoS attack, is old, and its not like AOL hasn't dealt with DoS attacks before.
The third require pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?
If you read the hacker rags closely, you'll find that the keyfobs auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while its technically possible in some circumstances to do an attack on the SecurID process, its usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)
Not quite... (Score:3, Insightful)
Two-factor authentication actually has three factors. The username part is so insecure, however, that no one really counts it, because everyone has to know it in order to do any business with you at all. Many graphical login managers even present a list of usernames, because keeping these secret hampers the system's usability -no one knows who anyone is- for no real security gain.
The user-memorized password is not "an artifact of an older system"; it is still an important part of security, It is no longer the only important part of the security process, but it retains its importance.
Re:But you don't need "two" passwords ! (Score:3, Insightful)
Essentially, the two-factor system needs both the user-generated factor and the automatic factor - the automatic protects against social engineering of the user, and the user protects against physical engineering (i.e. theft) of the automatic.
Re:Aol must really care about security... (Score:3, Insightful)
1) They wouldn't have purchased a small amount of fobs. We are probably talking about an order between 100,000 and 1,000,000. That means they probably received a vast discount. The fobs themselves are glorified calculators that run off of a preset algorithm. They most certainly wouldn't cost upwards of $50 a piece. I am sure that they are partnering with RSA for this business venture.
2) The security features were already put in place so all they had to do was beef it up a bit, so again, the initial investment isn't that great.
3) They are a corporation. They wouldn't do anything if it didn't have the promise of a return on their investment. They wouldn't do something like this unless they researched it and found that there was a need and that they will be able to make a...
4) PROFIT!!!
I of course just don't get it. Why would people want to secure their data on the client end when they should be worrying just as much about the data stored on the server end. What is AOL doing to ensure that the data is kept secure throughout the whole transaction? Is this whole secureID thing just a method of coddling their non-technical customers (Look you get fancy number changers for your keychain!!!).
They even branded the secureID with AOL graphics and colors. Its insane.
Re:Security Functionality (Score:5, Insightful)
The only thing this really secures is AOL's bottom line, by preying off of peoples' fears and giving them something that makes them FEEL more secure online.
Small Business, Large Transactions and AOL? (Score:3, Insightful)
These people use AOL? I sure wouldn't do business with any company whose e-mail address was companyname@aol.com or whose web page was http://hometown.aol.com/coolguy12345
Re:anti spyware / trojan (Score:3, Insightful)
why dont they plop a big donation to spybot and include it ?? Or fine come up with their own.
You mean assimilate, like they did Netscape and ICQ? Thanks, I would prefer Spybot be free of the AO-Borg assimilation.
Re:Isn't there a much easier way...? (Score:3, Insightful)
But does nothing against a client-side compromise. Look at the stats on the number of home PC's with cable modems that are being bought and sold as zombies. In practical terms, the odds of having your password stolen via a local compromise are probably higher than having your password stolen on the internet over an ssl connection.
Yes, and these have their own problems. First, you need a hardware device and an interface to the system--which makes them no less "klunky" than the securid's the OP was complaining about. Second, the interface is a hard problem to solve for the home user. Do you force the user to do something at the hardware device for each use of a client certificate? (Good luck getting that adopted, and good luck teaching the user to distiguish "good" requests from "bad" requests.) Or do you authenticate once per session, which once again leaves you open to attacks if you have a compromised workstation?
Re:Security Functionality (Score:3, Insightful)
The RSA admin tool allows an administrator (or someone with elevated privileges) to set a card into "lost mode", which allows setting a static password, and an expiry date for the lost mode - after which it disables the static password.
So, sending a card out via mail, should reach the user by the time their static password is going to expire, and they're back in business using the card.
I've worked with these things for somewhere around 7 years, and I pity the support people for AOL, and pity those that will need to use these cards. When they work, they work great, but it seems a fairly common thing for the cards to get out of sync with the server, in which case someone needs to resyncronize the card. It's a common enough problem in a smallish (~5000 users) support base (used for VPN, so you could knock that down to a percentage of that 5000) that I can easily see the support costs for AOL going wayyy up. And that's just a minor problem with the system.... there's also the case of a server crapping out (which can be semi-solved with redundant servers - which adds it's own problems to the mix)
Not $60 ... recheck the financials on this. (Score:1, Insightful)
I'd be willing to bet that $9.95 is break-even cost on the fob, and the $1.95 gets split evenly between RSA and AOL.
So far, analysts predict this to only appeal to a narrow range of AOLers, guesstimating 5 to 15% of the member population. On the low side, let's take 5% of 30MM users, = 1.5MM people. At a measley $0.975 each (revenue split with RSA), * 1.5MM users, that's $1.4MM per month, that's about $17MM/year of revenue for AOL and $17MM/year for RSA.
I'd like to be the guy who found $17MM of revenue for my company.
Plus, as it's already there to support employees, the infrastructure is already built in to the AOL login servers, so there is no net new cost there.
Last I knew, only OpsSec had access to bind/unbind fobs, sometimes you also needed to resync them. But, it would be trivial to train the member services team on resetting the fobs, resetting, etc.
From a security perspective, now instead of simply calling up and pretending to be you to get your password reset, I call up pretending to be you, and have lost "my" fob and get the account unbound until I find it... but maybe they'll have some precautions around that.