AOL Moves Beyond Single Passwords for Log-Ons
ars writes "Yahoo is reporting that AOL is adding a new feature allowing customers to use two passwords to log on. The second password comes from a small device from RSA Security which displays a new password each minute.
The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."
Security Functionality (Score:3, Insightful)
I tried it...it was slow, often down, and required special software. None of which my cable connection is subject to.
Re:Security Functionality (Score:3, Funny)
Re:Security Functionality (Score:2)
Re:Security Functionality (Score:5, Insightful)
The only thing this really secures is AOL's bottom line, by preying off of people's fears and giving them something that makes them FEEL more secure online.
Re:anti spyware / trojan (Score:3, Insightful)
Why don't they plop a big donation to Spybot and include it? Or, fine, come up with their own.
You mean assimilate, like they did Netscape and ICQ? Thanks, I would prefer Spybot be free of the AO-Borg assimilation.
Re:Security Functionality (Score:3, Interesting)
Any decent ISP has local access pretty much anywhere. AOL hasn't really had an advantage in that regard for four or five years. The only excuse for using AOL is "not knowing any better".
Re:Security Functionality (Score:3, Insightful)
The RSA admin tool allows an administrator (or someone with elevated privileges) to set a card into "lost mode", which allows setting a static password, and an expiry date for the lost mode - after which it disables the static password.
So, sending a card out via mail, should reach the user by the time their static password is going to expire, and they're back in business usin
And... I'f I don't need a password..at all.. (Score:5, Funny)
^^ Average American reply if this gets implemented.
Have fun at the aol sales desk
Re:And... I'f I don't need a password..at all.. (Score:2, Funny)
AOL Employees (Score:4, Insightful)
Re:AOL Employees (Score:2)
SecureID (Score:3, Interesting)
SecureID just seems like the next logical step. I used one for 3 years, and, once you get used to not attempting to log into your VPN when only the last bar is showing (there's a countdown bar indicating how much time is left before the number changes) it's really not so bad.
They appear to run on pseudo random number generators, and are synched up with the server with a known seed. I imagine they'd be very difficult to crack, as our system was configured to only allow 1 login attempt per number, if you t
Re:AOL Employees (Score:5, Interesting)
As for using it for other systems (VPN, etc.) I would be really surprised if they would let you do that, even for an extra fee. Tinfoil helmets and extreme security paranoia are rampant in our IT people, mostly AOL guys. Our network is built on the 'Security Through Confusion' model. Their answer to getting me intranet access from my video production machine was to ship me a low end Dell that they would allow on the network. It still doesn't address the issue of my need to take :30 TV ads from the production machine, and send them to people on the network.
So, no, I wouldn't expect that they would help you use the RSA fob for anything other than getting your spam, er.... email.
Re:AOL Employees (Score:4, Interesting)
Re:AOL Employees (Score:3, Interesting)
Isn't there a much easier way...? (Score:3, Interesting)
To my understanding, you would place a client-authenticating certificate in your web browser program, and during the SSL negotiation that certificate would be used for authentication.
The only two problems were (again, to my limited understanding) first that you had to go through the effort of installing the certificate on every browser you used, and second, the security could be broken if someone had access to your account. (Of course, account login security and browser "first-time-on-launch" passwords helped protect against that.)
Why the bloody SecureID system that's so klunky?
Re:Isn't there a much easier way...? (Score:5, Insightful)
Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.
You can't copy a physical token (Score:5, Insightful)
I obviously can't steal your RSA token without you finding out pretty soon.
Re:Isn't there a much easier way...? (Score:5, Insightful)
Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.
Re:Isn't there a much easier way...? (Score:2)
Re:Isn't there a much easier way...? (Score:3, Insightful)
But does nothing against a client-side compromise. Look at the stats on the number of home PC's with cable modems that are being bought and sold as zombies. In practical terms, the odds of having your pass
Re:Isn't there a much easier way...? (Score:3, Interesting)
Such a thing already exists... in Denmark. It's completely free to get a certificate mailed to you and you can use it to authenticate for a multitude of do-it-yourself online services like tax returns and other state/county forms. I think it works quite well.
noone will get this (Score:2, Insightful)
"Identity theft only happens to other people"
Not a bad idea (Score:5, Insightful)
Also, sometimes those SecurID devices can go out of sync with the server, and that's when the fun begins.
That's the only problem I've seen with them.
Re:Not a bad idea (Score:4, Informative)
The server is designed to track slight drifts in time and track/compensate for the cards.
Even if they are out of sync, the most you have to do is enter two codes instead of just one.
Re:Not a bad idea (Score:2)
AmEx [americanexpress.com] provides SmartCard readers [americanexpress.com] for its Blue line, with a program already embedded in the chip on the card.
Pretty cool.
whoo. (Score:3, Informative)
Whoo.
Been there, done that.
All it does is make an attack "more" difficult, but nowhere near impossible:
http://www.tux.org/pub/security/secnet/papers/s
Re:whoo. (Score:5, Insightful)
Yes. Exactly like every other security system ever designed.
Your point is?
Re:whoo. (Score:3, Insightful)
That leaves the rest of the document describing attacks between the machines that verify the value, which hopefully are internal and not snoopable from the outside.
Re:whoo. (Score:5, Insightful)
Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:
1) Targeting users of sdshell and a token card
2) Denial of service
3) Require access to the server network
#1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters their numeric PIN, which is mathematically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromise of the client machine. If you've got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure, it might work.
The second, the DoS attack, is old, and it's not like AOL hasn't dealt with DoS attacks before.
The third requires pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?
If you read the hacker rags closely, you'll find that the keyfob auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while it's technically possible in some circumstances to do an attack on the SecurID process, it's usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)
Re:whoo. (Score:3, Informative)
Re:whoo. (Score:2)
It depends on the client software. Our company uses client-side software which has you type in your password, PIN and token first, and then it logs in. So the "try all last numbers before the person can enter it" idea wouldn't work. Effectively this implements the "LINE_BUFFERED" protection described in the paper.
Key loggers would only get this minute's token, which is already used, so a key logger would have to then physically steal the token to be able to gain acc
Re:whoo. (Score:2)
Sorry this needs to be said, but... (Score:2, Funny)
This will make the problem disappear. (Score:4, Funny)
Re:This will make the problem disappear. (Score:5, Informative)
1) it only lasts 60 seconds
2) if used, it can't be used again until the minute is up
Duh? (Score:2)
2) if used, it can't be used again until the minute is up
Yup that will work for 1% of AOL users. The rest are screwed if it ever becomes mandatory. Sixty seconds is not enough time for about 99% of all AOL users. They'll spend the first 30 seconds trying to get the first password in and then type in the second password in the next thirty seconds -- only to figure out they got the two mixed up. Then they will spend all day typing in the same two passwords until they phone AOL at
Re:Duh? (Score:2)
It's evaluated as to what it should be at the moment you hit enter, after punching it in.
We use them all over at work, and it's pretty easy.
Good deal (Score:2)
No wonder they are America's number 1!
Re:Good deal - basic math? (Score:2, Informative)
Re:Good deal - basic math? (Score:2)
What I would like to know is why the IT department at my place of work charges 80 GBP ($145) for these? Someone is on a winner down there, that's for sure.
Re:Good deal - basic math? (Score:2)
AOL...cutting edge security. (Score:2, Insightful)
Re:AOL...cutting edge security. (Score:2, Interesting)
The display on the SecureID is just numbers, synced to the auth server. The average user should have no problem entering 8 numbers when prompted.
- Roach
http://www.speedwerks.com
Re:AOL...cutting edge security. (Score:2)
This isn't new (Score:2)
I'm impressed that AOL is using them. It shows that they're at least a little concerned with security.
I really hope that this is a starting point for web hosting providers to start using these.
Re:This isn't new (Score:2)
Time Drift (Score:2, Interesting)
I suppose eventually they may integrate GPS timing with them, making it a thing of the past, but who wants your fob tracking you...
of course it doesn't mean this (Score:2)
Re:Time Drift - sliding window (Score:5, Informative)
In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/ahead of schedule and generates a number x entries before/after the expected entry.
If this is the case, the server checks whether number x is in the vicinity (e.g.: within 5 minutes) of the expected number. If that's the case, the server assumes that the clock has drifted and records the amount of time that the fob has drifted for the next authentications.
If x is outside that range, but inside a much broader range (e.g.: one hour), it will request the number that the fob generates next, and checks whether that number matches the one that should come after x. Then it records the drift amount and allows access.
The server automatically compensates for inaccurate clocks in the fobs, as long as you use it regularly. Only if you haven't used your fob for quite some time, and it has a really lousy clock, do they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).
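The sliding-window behaviour described in the comment above (outright acceptance near the expected code, a wider window that demands the next consecutive code, and a remembered drift), together with the single-use rule from the "This will make the problem disappear" thread, as an added example that is not part of any post here and not RSA's SecurID implementation. The code derivation (an HMAC over the time step), the window sizes, the seed and the fob clock skews are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 60      # seconds per displayed code (the article's "new password each minute")
ACCEPT = 5     # steps either side of the expected code accepted outright ("within 5 minutes")
RESYNC = 60    # wider window ("one hour"): accepted only together with the following code


def code_at(seed: bytes, step: int, digits: int = 6) -> str:
    """Code the token shows during time step `step`.

    Assumption: an HMAC truncated to `digits` decimal digits stands in for
    RSA's proprietary function; only the windowing logic is the point here.
    """
    mac = hmac.new(seed, struct.pack(">q", step), hashlib.sha256).digest()
    n = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{n % 10 ** digits:0{digits}d}"


class Fob:
    """Constructed token whose quartz clock runs ahead of (or behind) true time."""

    def __init__(self, seed: bytes, skew_seconds: int = 0):
        self.seed = seed
        self.skew = skew_seconds

    def display(self, true_time: int) -> str:
        return code_at(self.seed, (true_time + self.skew) // STEP)


class Server:
    """Verifier holding the shared seed, the learned drift and the last step consumed."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0                       # steps the fob is known to be off
        self.used_step: Optional[int] = None  # a code is good once per step, never again

    def _find(self, code: str, now: int, window: int) -> Optional[int]:
        """Step within +/-window of the expected one that produces `code`, nearest first."""
        expected = now // STEP + self.drift
        for off in sorted(range(-window, window + 1), key=abs):
            if hmac.compare_digest(code_at(self.seed, expected + off), code):
                return expected + off
        return None

    def _accept(self, step: int, now: int) -> str:
        if self.used_step is not None and step <= self.used_step:
            return "replay"                  # already spent this minute (or older)
        self.used_step = step
        self.drift = step - now // STEP      # remember how far the fob has wandered
        return "ok"

    def verify(self, code: str, now: int) -> str:
        """Returns 'ok', 'replay', 'need_next' (wide window hit) or 'fail'."""
        step = self._find(code, now, ACCEPT)
        if step is not None:
            return self._accept(step, now)
        if self._find(code, now, RESYNC) is not None:
            return "need_next"               # ask the user for the code that follows
        return "fail"

    def resync(self, code: str, next_code: str, now: int) -> str:
        """Wide-window path: `next_code` must be the code immediately after `code`."""
        step = self._find(code, now, RESYNC)
        if step is None or not hmac.compare_digest(code_at(self.seed, step + 1), next_code):
            return "fail"
        return self._accept(step + 1, now)
```

Usage: a fob three minutes slow is accepted on its first code and its drift is stored, so the next minute verifies at offset zero; the same code presented twice in one minute is rejected as a replay; a fob twenty minutes slow gets "need_next" and is only re-synchronised once two consecutive codes are shown.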
Seen it used.. (Score:3, Interesting)
Hmm (Score:3, Interesting)
These people aren't techheads, and most of them write their passwords down on pieces of paper, conveniently attached to their laptops, which are then conveniently placed in their work briefcases, along with the password updater.
Suffice it to say, dozens of these briefcases get stolen, in the same bar frequented by employees of this company, every six months (one might ask why they still take their gear there). The thief gets an expensive company fleet laptop, a company password list, and a company satellite password updater, all packed in the same convenient suitcase with a carry handle, ready to go missing.
Ultimately, no matter how many security measures you put in place for a company or organisation, you're going to encounter people who write down their passwords, people who fall for emails from tech support who need to 'verify' their accounts and ultimately people who will have their information stolen and not report it for days, which is plenty of time for the thief, and a less-than-ideal amount of time for people like you and me to have enabled compromised accounts running on the system.
Big Deal :) (Score:3, Insightful)
1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)
2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters.
So yeah, I'm thinking it's a great step. But not for AOL.
Re:Big Deal :) (Score:3, Insightful)
2. You have an established password PLUS the securID password... even if someone you know steals it from you, and they know your login and have your securID, they cannot log into your account unless they ALSO know your private pa
Re:Big Deal :) (Score:2)
IIRC, I think they have a credit-card sized version, and it is possible to have it integrated into a phone/PDA.
Serious business people use AOL? (Score:3, Insightful)
I used AOL years ago, and have used it from time to time recently on other people's computers, and there is nothing in the "AOL package" that I have seen that says "power user" to me.
So I guess what I am wondering is...is this something that AOL users are actually clamoring for....or has AOL finally sucked up all the "n00b" market that there is and is trying to offer services that would appeal to more of the "slashdot crowd"?
Social engineering (Score:2, Interesting)
Re:Social engineering (Score:2)
Well... (Score:3, Funny)
Seriously. If I set my password to "password" and someone picks this up then I'm screwed, right?
Re:Well... (Score:2, Funny)
Seriously - it's no different than writing your "simple passwords" on a piece of paper somewhere and someone finding the list. For bonus points, what was the password used in WarGames?
Kudos to AOL for at least providing this option to the general public.
Re:Well... (Score:2)
Which one, "pencil" or "joshua"? Or maybe you're referring to the launch codes? :-)
Re:Well... (Score:2)
A company I worked for used to use these things as part of the login process to get into the VPN, and the password you supplied based off of the FOB included a part chosen by you that was static and *not* displayed on the FOB. So the whole password always begins with "xyz" (whatever you decide, or, I believe, whatever was given to you), and ending with the 60-second numeric key.
Regardless, even if they don't do something like that, getting someone's password is now a
Re:Well... (Score:2)
We use SecurID tokens at work. The passcode you have to enter consists of a four-digit PIN, plus the six digits displayed in the token's window. So even if your token is stolen, whoever found it would have to know your PIN. And unless you're dumb enough (whoops, this is AOL) to tape your PIN to your token, the h4x0rz have 10,000 PINs to go through... and the system locks you out if you fail three times.
--Rob
I Used AOL securID (Score:5, Informative)
The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?
Re:I Used AOL securID (Score:2)
Every secureID token had a lifetime of three years, in the old security dynamics days these were printed on the back of the token, I'm not sure this is the case now they are RSA tokens.
Either way, each number is displayed once and once only. The limit on available numbers is reached before the battery dies, after which the token flashes pointlessly for a couple of extra years.
There are no user replaceable parts. You buy the token, we buy
Businesses us AOL?? (Score:2, Insightful)
Just a comment (read opinion), but unless you have no other options, why would you, as a small business owner, use AOL to "conduct large transactions" online.
Mod me troll if you like, but I don't consider AOL to be a very "business friendly" organization.
Lip service toward true security... (Score:2)
What does AOL hope to accomplish through using the smartcard? A better investment in security would be to stem the flood of spams currently coming out of their slice of TLD. This measure is like a new bandaid for the old bandaid that's falling apart, and the wound is fourteen inches lon
Funny Video (Score:2)
Chris
heh (Score:3, Insightful)
The Associated Press reporting, not Yahoo (Score:2)
Get your citations straight! Don't be like the radio!
I've used something similar about 5 or 6 years ago (Score:2)
The End is Near!! (Score:2, Funny)
Aol must really care about security... (Score:5, Informative)
RSA sells these devices for $60 each or so in bulk. RSA fobs are programmed to expire in 36 months. Let's say AOL got them for $50. The customers are paying 9.95+(1.95*36) or $80.15 over three years. That gives AOL $30.15 or about $10 a year. I'm sure AOL could find some other way to fleece their users for less than a dollar a month, leading me to believe this isn't just some profit making venture (not to mention the cost of the servers to implement this, which is not insignificant.)
Re:Aol must really care about security... (Score:3, Insightful)
1) They wouldn't have purchased a small amount of fobs. We are probably talking about an order between 100,000 and 1,000,000. That means they probably received a vast discount. The fobs themselves are glorified calculators that run off of a preset algorithm. They most certainly wouldn't cost upwards of $50 a piece. I am sure that they are partnering with RSA for this business venture.
2) The security features were already put i
Re:Aol must really care about security... (Score:2)
Sure the fobs can be bought in bulk for $xxx. But for every usable fob you have to buy a corresponding ACE server licence, which does also add to the expense. You then have standard maintenance on the ACE servers which is a fixed percentage of the initial server costs.
The branding isn't that special, I think you can get it whenever you order more than 1000, most banks do this for their customers, it isn't a new thing for AOL.
The service is generally very good, The co
I've always wondered... (Score:2)
Is any of it simple enough to perform -- perhaps with some idiot savant-y BIG_NUM manipulation tricks -- in your head?
It might take a bunch of passes, perhaps as many as one for each bit of entropy in your "secret", but I am sure there must be SOME way to set up my webmail so that I can authenticate myself into a "read the subject lines / senders of all NEW messages" session, with password1, or, with password2, into a "read t
roll your own (Score:2)
Got a good screen name? Get one of these. (Score:3, Informative)
When I got my Yahoo account years and years ago I was early enough to get decent screen name. The problem is that today that account is routinely hacked (and once, even pwned, but thanks to the nice security folks at Yahoo, given back to me). People don't like to use something like "%geeba%56672" for Yahoo Instant Messenger. I imagine the same thing is true on AOL. Having a smartID or securiCard or other defense would be nice.
(Then again, auctioning off a nice AOL screen name might be worth a few bucks on eBay...)
But you don't need "two" passwords ! (Score:3, Informative)
The advantage of the automagically generated password is that the password is a temporal function of the account. This means that the server and the password generator both work off the same clock base to calculate a password for your account and authentication succeeds if the two match (within some non-zero time window - to compensate for clock drift). the password is thus valid for a very short duration and makes it very hard for a MIM to capture, replay and use
As far as I can see, the first (user-memorised password) is merely an artefact of an older system left in there to make the user feel good about having some password control, since that is the factor that is most vulnerable to compromise (think social engineering).
A more robust mechanism would be to add a challenge-response to this mechanism: the authenticating system gives you two numbers (n1, n2) which you feed into your password generator, and it generates the response thus -
R sub t = f(t, n1, n2)
The authenticating system performs the same computation and accepts your password if it matches the result generated locally. Banks in Sweden have been using this for quite a while now - the password generator is, of course, protected by a PIN to unlock it for use, and therein lies the weakest link!
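The challenge-response exchange sketched above, carried through with both sides' messages, as an added example that is not code from any post here and not any bank's real scheme. The server issues the two nonces (n1, n2), the generator refuses to answer until unlocked with its PIN, computes R_t = f(t, n1, n2) with f taken here to be an HMAC over the time step and both nonces (the author's choice, not the comment's), and the server recomputes it within a small drift window. The lockout after three failures mirrors the SecurID comment earlier in the thread; the seed, PIN, window size and digit count are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

STEP = 60          # seconds per time step t
WINDOW = 2         # steps of clock drift tolerated either side of the server's t
MAX_FAILURES = 3   # consecutive bad responses before the account is locked


def f(seed: bytes, t: int, n1: int, n2: int, digits: int = 8) -> str:
    """R_t = f(t, n1, n2): HMAC over the step and both challenge numbers (an assumption)."""
    mac = hmac.new(seed, struct.pack(">qII", t, n1, n2), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class Generator:
    """Constructed PIN-locked generator; a PIN hash stands in for a real tamper-resistant lock."""

    def __init__(self, seed: bytes, pin: str, skew_seconds: int = 0):
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.skew = skew_seconds
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def respond(self, n1: int, n2: int, true_time: int) -> Optional[str]:
        """Answer the challenge, or None while still locked (the weakest link: the PIN)."""
        if not self._unlocked:
            return None
        return f(self._seed, (true_time + self.skew) // STEP, n1, n2)


class Server:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.failures = 0
        self.pending: Optional[Tuple[int, int]] = None   # one response per challenge

    def challenge(self) -> Tuple[int, int]:
        self.pending = (secrets.randbits(32), secrets.randbits(32))
        return self.pending

    def verify(self, response: str, now: int) -> str:
        """'ok', 'fail', 'locked', or 'no_challenge' when no challenge is outstanding."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        if self.pending is None:
            return "no_challenge"           # a captured response cannot be replayed
        n1, n2 = self.pending
        self.pending = None                 # consumed whether or not it verifies
        t = now // STEP
        for off in range(-WINDOW, WINDOW + 1):
            if hmac.compare_digest(f(self.seed, t + off, n1, n2), response):
                self.failures = 0
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "fail"
```

Because the nonces are fresh per login and the outstanding challenge is cleared on first use, a response captured on the wire is worthless afterwards even within the same minute; what the scheme does not protect is the PIN itself, which is exactly the comment's point.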
Not quite... (Score:3, Insightful)
Two-factor authentication actually has three factors. The username part is so insecure, however, that no one really counts it, because everyone has to know it in order to do any business with you at all. Many graphical login managers even present a list of usernames, because keeping these secret hampers the system'
Re:But you don't need "two" passwords ! (Score:3, Insightful)
Essentially, the two-factor system needs both the user-generated factor and the automatic factor - the automatic protects against social engineering of the user, and the user protects against physical engineering (i.e. theft) of the automatic.
Re:But you don't need "two" passwords ! (Score:3, Informative)
- Something You Know. Generally a shared secret, such as a password.
- Something You Have. Prove that you are in possession of something. By entering the code from a SecureID card, you prove you are in possession of the card. A physical key entered into a lock is also Something You Have. The CVV code on the back of a credit card is a weak form of Something You Have (it could be argued it is something you know, but online sto
Synchronized Clocks? (Score:2, Interesting)
One thing I always wondered about these devices, is how you keep the device synchronized with the server. Since the code changes every 60 seconds, the server and the fob have to be set to within 1 minute of each other in order to agree on the same code.
A typical quartz clock has accuracy on the order of +/-10 ppm (parts per million). To accumulate an error of 60 seconds requires only 60 / (10 / 1M) = 6M seconds = 70 days. Therefore, it would seem after a few months, the fob would 'drift' enough to make
Re:Synchronized Clocks? (Score:4, Informative)
Dead key? (Score:2)
That could be a hurdle to get over.
Does this really help? (Score:2)
If it doesn't show the same #, does AOL generate a new # every 60 seconds for every subscriber? Not sure, but that seems like a lot of work... Anyone know specs on the RSA algorithm used? From TFA:
Re:Does this really help? (Score:2)
Why would you think they would update every second even if nobody is logging in? That would be pretty piss-poor design.
Small Business, Large Transactions and AOL? (Score:3, Insightful)
These people use AOL? I sure wouldn't do business with any company whose e-mail address was companyname@aol.com or whose web page was http://hometown.aol.com/coolguy12345
Re:AOL Security at work again... (Score:3, Informative)
Re:Useless (Score:4, Insightful)
"This just creates an illusion of security."
Wrong. You could have a damn key logger on their computer, it doesn't matter. The SecurID password expires every minute.
Re:Useless (Score:2)
Re:Good Idea (Score:2)
Re:Password Bonanza (Score:2)
Re:This has been used internally for years (Score:2, Informative)
Unfortunately, I've found that the fobs tend not to enjoy the abuse that being on my keychain tends to bring. The LCD panels end up pretty scratched by the time I'm done with them.
Re:This has been used internally for years (Score:2, Interesting)
Regards,
Steve
Re:This has been used internally for years (Score:2)
Re:This has been used internally for years (Score:3, Informative)
Incidentally, there's an expiration date on the back of these things (I just thought to check). My current fob has an expiration
Seems to last for a while (Score:2)
This system is really a one time pad generated as a pseudo random sequence by the card and by the authentication server based o
Re:This has been used internally for years (Score:2)
As for damaging the RSA key, it's hard to do more than superficial scratches to those things. They are tough, like digital watches. I've never heard of anyone actually breaking the things, and I've seen them used at every place I work. BTW, in my experience it is rare for the password to only be the number on the pad. It's alm
Re:All --AOL--TW employees have them. (Score:2)
Just as a note, RSA has also released a software version of the token, which eliminates some of the problems of the keyfob - it doesn't expire, and you can have a copy on every computer you might conceivably use - you just install a token file on the machine itself, which allows the program to be synched