Identify yourself! There has to be a better way

16 Replies - 4270 Views - Last Post: 19 July 2013 - 10:12 AM

#1 BetaWar

Posted 16 July 2013 - 09:45 PM

This thread is to discuss the theories that various people have and in general be a brainstorm for how people can better create identification systems such as those seen on websites / computer logins for the future.

Currently, as we all know, there are two very common ways of identifying yourself on a computer system. You can either provide a username and password, or you can provide a username and SSH/security key. That is known and as common as websites and computers these days.

The problem is that the majority of them don't pan out to be overly secure, and once your password is stolen many people have to go through more work than they want to in order to (a) regain their account and (b) ensure that other accounts tied to the previously stolen one are still secure. After all, that is why sites are starting to do 2- or 3-system authentication. While this isn't a bad idea, it does get in the way and slows things down overall. It also requires that you have the means by which the website/corporation wants to authenticate you.

I believe we can all agree that certain aspects of current authentication and identification systems are flawed. Just so we are all on the same page I am going to make my assertions (for you to agree with or otherwise as you see fit).

First: Passwords are bad. People either come up with a crappy, insecure password which is easily stolen or brute-forced, or they come up with something so convoluted that they can't remember it and are forced to write it down. I have run across instances where people have had their passwords in plain text on their desktop; it isn't secure by any stretch of the imagination. There are others who simply follow a pattern with their passwords; this works all right as long as the sites they visit allow them to use the characters they are used to in their passwords. Otherwise the password is easily forgotten because it doesn't follow the standard pattern. Furthermore, if the pattern is found out, all other sites' passwords are at risk.

Second: Tying an email or cellphone to an account is bad. If you tie an email to an account, all someone has to do is steal the email account; then they don't even need to get your other account passwords, just your email address, and they already have that. They simply request that the site sends them a "forgot my password" link, reset it to something else and they are done. Cellphones are much in the same boat, but also require that you don't lose your phone, have it stolen, break it, or change numbers without first updating your appropriate accounts. Given the way I have seen people treat their phones, this just screams of a bad idea.

Third: SSH keys are dubious. They certainly work wonders when in use, but the private key is stored on a drive somewhere. As a result you have to keep a backup copy; if you don't, you stand the risk of losing your login if your drive dies, your computer is stolen, or any number of other possible things happen. But now you have to keep track of an additional bit of persistent storage; what's to say that something doesn't happen to both of your disks? Mean time between failure is not good enough to ensure you will always have your data stored on multiple devices (hence the reason things like RAID 6 and the CRUSH algorithm were invented - faster recovery times), but how many individuals have the money for these methods of data maintenance and recovery? I know I don't. There is always the option of memorizing your private key, but the majority of people seem to have difficulty remembering their 6- to 18-character passwords, much less a 1K+ file's contents. Beyond that, when quantum computing comes about, factoring will be a linear-time operation, at which point RSA encryption won't hold water for very long.

Finally: None of the above methods for authentication and identification are more secure than the computers which have access to them. If you get a virus you will want to change all of your passwords. If the websites you visit are hacked you will just lose your password outright. That's not good.

Now, I pose the following question: How do you go about creating a better method of identification and authentication? What information do you maintain as important? What needs to be remembered by the user? Where is the information stored?



To get things started:

One possible solution is as follows: store all users' information on multiple servers distributed around the world. Then use a transactional hash to continually modify users' identifiers such that each new hash in the chain uses the previous hash as one of its transactions. Require that only one of the trusted, distributed servers is allowed to claim a new transaction has happened with any given user, and have all other servers check to ensure that they agree the new identifying hash is proper. If over, say, a quarter of the servers claim that the hash is invalid, you throw it back as never having happened (or someone is attempting to steal an identity). For those of you who explore the web, this is somewhat like the Bitcoin model, except applied to identification instead of currency.

Remember, this is meant to be a brainstorm to see what people can come up with, so no idea is too outlandish. Discuss.

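To make the hash-chain-with-quorum idea from the opening post concrete, here is an added simulation (example code written for this page, not anything BetaWar built): four servers each re-derive a proposed identifier from their own copy of the user's chain, and the proposal is thrown out when more than a quarter of them disagree. The server names, the genesis rule and the SHA-256 construction are assumptions of the example.

```python
import hashlib
import json
from dataclasses import dataclass, field


def chain_hash(prev_hash: str, event: dict) -> str:
    """Next identifier in a user's chain: SHA-256(previous hash || canonical event)."""
    payload = prev_hash + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def genesis(user: str) -> str:
    """Starting point of a chain before any transaction has been recorded (assumed rule)."""
    return hashlib.sha256(("genesis:" + user).encode()).hexdigest()


@dataclass
class IdentityServer:
    """One of the distributed servers; keeps the agreed chain per user."""
    name: str
    ledger: dict = field(default_factory=dict)  # user -> [(event, hash), ...]

    def head(self, user: str) -> str:
        chain = self.ledger.get(user, [])
        return chain[-1][1] if chain else genesis(user)

    def agrees(self, user: str, event: dict, claimed: str) -> bool:
        # Recompute the hash from *this* server's view of the previous hash.
        return chain_hash(self.head(user), event) == claimed

    def record(self, user: str, event: dict, claimed: str) -> None:
        self.ledger.setdefault(user, []).append((event, claimed))


def propose(servers, proposer, user, event, claimed=None, max_dissent=0.25):
    """proposer announces a new identifier; every server independently re-derives it.

    Returns (accepted, names of dissenting servers). The transaction is thrown
    out when more than max_dissent of the servers disagree with the claimed hash.
    """
    if claimed is None:
        claimed = chain_hash(proposer.head(user), event)
    dissent = [s.name for s in servers if not s.agrees(user, event, claimed)]
    if len(dissent) / len(servers) > max_dissent:
        return False, dissent
    # Only servers whose view matches record it; a dissenting minority must
    # resync from the majority rather than append on top of a stale head.
    for s in servers:
        if s.name not in dissent:
            s.record(user, event, claimed)
    return True, dissent


if __name__ == "__main__":
    net = [IdentityServer(f"server-{i}") for i in range(4)]  # constructed network
    print(propose(net, net[0], "alice", {"type": "login", "seq": 1}))
    # Forged claim: a hash derived from a made-up previous identifier is rejected by all.
    forged = chain_hash("00" * 32, {"type": "password-reset"})
    print(propose(net, net[1], "alice", {"type": "password-reset"}, claimed=forged))
```

The quorum only protects the consistency of the recorded history; it says nothing about whether the proposing server was entitled to append that event, so a compromised trusted server proposing a well-formed event still passes.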

Replies To: Identify yourself! There has to be a better way

#2 cfoley

Posted 16 July 2013 - 11:37 PM

Go Biometric!


#3 Flukeshot

Posted 17 July 2013 - 12:04 AM

I failed to make a gmail account purely because I don't have a mobile phone at the moment.

As for going biometric, cfoley, you might appreciate the following quote as a fellow Scotsman.

"Oof, I've left my wallet at the hotel! I'm going to need new eyeballs and a finger transplant."

#4 Curtis Rutland

Posted 17 July 2013 - 08:47 AM

One mechanism of authentication that's really becoming popular is to offload it to a third party. You have a "web identity" that's tied to some major provider, like Facebook, Twitter, or Google. An app developer will request you "sign in with X", and allow the third party to assume the risk of authentication and authorization.

It's a good model, assuming you trust the third party. You still may end up with a username/password set, but you're not the one responsible for maintaining that. Google or Facebook assumes the risk and responsibilities. Also, if they add new security features, you automatically get them as well.

#5 modi123_1

Posted 17 July 2013 - 09:06 AM

... and those folks now know where you are logging into.

#6 Curtis Rutland

Posted 17 July 2013 - 09:31 AM

That's the tradeoff. There has to be some reason for these providers to give you this functionality. It's either money or data (which might as well be money).

But that's what security is: tradeoffs. Seriously, security is always a balance between usability, protection, and cost. You trade features for protection, or protection for features, or both for cost, but there's no such thing as a system where you don't have to balance these.

In the case of OAuth, you're trading privacy for significantly reduced risk and convenience of a shared set of credentials.

#7 modi123_1

Posted 17 July 2013 - 09:52 AM

I figured, eventually, we would all have cerebral jacks or RFID tags to assist in the process. Something you can't lose and is the end-all, be-all of "me-ness".

#8 baavgai

Posted 17 July 2013 - 10:47 AM

I wrote a file passing system for work. We needed to send and receive large files outside the company. The only thing I needed to know, authentication wise, was that the user was part of the company.

Rather than deal with maintaining users and logins, I just used their email. The user enters their email and is sent a ticket, a URL with a big ole 128-bit UUID value on the end. The user follows the URL back and they're off and running. The URL is good for one transaction. Functionally, the user need only have access to a valid email account. The particulars beyond that, not my problem.

The "if you can access it you're good" model works pretty well. The trick is defining a trusted "it." Phone numbers, emails, home addresses, PO boxes, all are used. All, of course, can be hacked in various ways.

The problem is that identity itself is rather nebulous. What makes an individual individual? When they get those DNA scanners online, there might be a way, but until then...
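
The ticket scheme in the post above, as added example code (not baavgai's actual system): a one-transaction URL carrying 128 bits of randomness, issued only to addresses in the company's domain, stored only as a hash, expiring, and spendable exactly once. The base URL, the domain and the 15-minute lifetime are assumptions of the example.

```python
import secrets
import time
from hashlib import sha256
from urllib.parse import parse_qs, urlparse


class TicketStore:
    """One-transaction e-mail tickets: the URL proves the bearer could read the mailbox.

    Only SHA-256(token) is kept server-side, so a leaked ticket table cannot be
    replayed; the raw token exists only in the e-mail and the user's browser.
    """

    def __init__(self, base_url, allowed_domain, ttl_seconds=15 * 60):
        self.base_url = base_url                     # assumed service URL
        self.allowed_domain = allowed_domain.lower()  # "is the user part of the company?"
        self.ttl = ttl_seconds
        self._tickets = {}  # sha256(token) -> {"email", "expires", "used"}

    def issue(self, email, now=None):
        """Return the ticket URL to mail out, or None if the address is not company-owned."""
        _, at, domain = email.lower().rpartition("@")
        if not at or domain != self.allowed_domain:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits, same strength as the UUID
        self._tickets[sha256(token.encode()).hexdigest()] = {
            "email": email, "expires": now + self.ttl, "used": False}
        return f"{self.base_url}?ticket={token}"

    def redeem(self, url, now=None):
        """Return the e-mail behind a ticket URL, or None if unknown, expired or already spent."""
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("ticket", [""])[0]
        entry = self._tickets.get(sha256(token.encode()).hexdigest())
        if entry is None or entry["used"] or now > entry["expires"]:
            return None
        entry["used"] = True  # good for exactly one transaction, as in the post
        return entry["email"]
```

The mailbox is the trust anchor here, exactly as the post says, so the link must travel over HTTPS and an attacker who can read the user's mail gets the file transfer too.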

#9 BenignDesign

Posted 17 July 2013 - 11:05 AM

modi123_1, on 17 July 2013 - 12:52 PM, said:

I figured, eventually, we would all have cerebral jacks or RFID tags to assist in the process. Something you can't lose and is the end-all, be-all of "me-ness".


My mother would tell you that's the mark of the beast.

Technology is teh debil!

#10 modi123_1

Posted 17 July 2013 - 11:06 AM

Some days I agree.

*glaring at my flip phone*

#11 snoj

Posted 17 July 2013 - 11:19 AM

Using bio-metrics or DNA is still tricky. You're now tied explicitly to a password that can change or is readily available (cuts to the fingers, pictures of your face) or can be used by others just as easily anyway (Gattaca anyone?).

baavgai, on 17 July 2013 - 12:47 PM, said:

The "if you can access it you're good" model works pretty well. The trick is defining a trusted "it." Phone numbers, emails, home addresses, PO boxes, all are used. All, of course, can be hacked in various ways.

Baavgai hits the head pretty well. The whole thing is tied with trust. Without it there is no point. Even public/private keys can be defeated by a middle man replacing everyone's public keys with his own. Hak5 spoke briefly about this a while ago, I forget the season/episode. But their point was that if someone had been watching the initial ssh connections, they could quite easily rewrite packets to insert the wrong keys and you wouldn't know the difference.

#12 anuvab

Posted 18 July 2013 - 09:32 AM

Passwords are by far the best methods for authentication on the web. I mean the system is accessible to everyone, without the need for any other facilities like bio-metric devices used in the process. However, it is another fact that even complex passwords as long as 16 characters or so. Password breaches are something to be taken care of on the server-side. Honeywords could be used in case of breaches. Another case is password guessing; nothing can be done about that. A certain way to limit that would be to ask for a preferred location of the user from which (s)he signed up, save it and compare that with the location based on the IP address at login. If logging in from a different location, ask them to enter a second password (just another layer of security which is to be stored in another server, I mean secure and in a format which does not link an account to the second password directly, meaning some obfuscation), and also send them an E-Mail. Proxies may circumvent this and a user has to remember two passwords, but it's worth it. Also, multiple logins are a good and bad thing. If a service is such that it involves money or something similarly important, then avoid multiple logins, i.e. force the user to log out of a session before (s)he logs in somewhere else. Else, the account should be inaccessible and, in case of emergency/extremeness, they should fill out some special form which sends an email to them; then clicking on the link destroys the previous session and gives them a new one.

Much of the above might not be feasible. Just proposing methods.

#13 ccubed

Posted 19 July 2013 - 08:16 AM

I think you're asking the wrong question. The question isn't 'What is the best way of verification?' That question is moot. Ultimately, you're on the internet or you're communicating with a server. The process of verification in and of itself is public. You aren't verifying yourself with yourself, you're verifying your identity to someone or something else. Which means that there's always the danger of someone stealing your verification. The same way that standing behind you as you say your social security out loud allows me to hear your social security number. The real question is...

'What can the verifier and the person doing the verification do to make this process more secure?'

Let me explain. Passwords for instance are a perfectly acceptable, secure form of verification in and of themselves. A password is no more insecure than an encrypted folder is by definition. What makes both of these things insecure is other people. As was mentioned, people reuse passwords, they use simple passwords, hell, the average user doesn't realize that just the act of putting a number in their password can exponentially increase the time it takes to break their password. So what we're getting at is this.

The problem isn't the verification method, it's the people using and providing them.

You can run a perfectly suitable, secure HTTP server. You can stealth ports, ghost ports. You can do anything you want. That doesn't happen however. Part of the onus on what's wrong with verification methods is on the people providing the mechanisms. Facebook gets hacked because they leave security vulnerabilities open. And let's be honest, none of the ones that have been used to get to them have been unheard of.

On the other hand, part of the problem falls on users who do stupid things. Stupid things like using 12345abcdef as a password. It's at least better than abc and miles better than their name or some other information, but it's still bad. On the user's part, they fail to realize that they have no private information. If their password is their birth place, well, I can probably find that. Unless you're invisible on the internet, and the average user isn't, then you've probably got your birth place listed somewhere (hello classmates.com). Also, generally speaking, users are stupid. I'm guilty of using the same password on multiple sites. I admit it, so I can't entirely blame anyone else if my password is hacked and someone is using my accounts for personal info. At the same time, if they ever did hack my accounts, there's not much there to salvage, and every time financial data gets hacked I just get a new credit card because I don't use them that much in any case. Ultimately, a lot of this falls on users, but not just on users; it's education too. Some users are just stupid and won't listen; some though will and just haven't had anyone tell them what they should and shouldn't do.

Ultimately, the real question this thread should be about is how to improve the verifiers and the person doing the verification. Users and Systems. There's nothing inherently wrong with our current verification methods, they're made insecure by the services that use them.

So basically: How to make verification better.

1) Teach users
2) Slap services that refuse to secure themselves
3) Stop expecting privacy and be aware of what you put on the internet

#14 modi123_1

Posted 19 July 2013 - 08:36 AM

ccubed, on 19 July 2013 - 10:16 AM, said:

...snip...

Ultimately, the real question this thread should be about is how to improve the verifiers and the person doing the verification. Users and Systems. There's nothing inherently wrong with our current verification methods, they're made insecure by the services that use them.

So basically: How to make verification better.

1) Teach users
2) Slap services that refuse to secure themselves
3) Stop expecting privacy and be aware of what you put on the internet



That's good and dandy, but clearly that is not working 100% of the time. Folks are expecting this sort of security to be baked in _BECAUSE_ the manufacturers/sellers/TV commercials imply it already is, and clearly it is not. Better validation of the 'my-ness' of the transaction, identification, etc. is not a bad question to ask. Of course this is coming from a guy who still rocks the 'dumb' phone and believes smartphones are just a fad until folks wise up.

#15 ccubed

Posted 19 July 2013 - 09:07 AM

modi123_1, on 19 July 2013 - 09:36 AM, said:

That's good and dandy, but clearly that is not working 100% of the time. Folks are expecting this sort of security to be baked in _BECAUSE_ the manufacturers/sellers/TV commercials imply it already is, and clearly it is not. Better validation of the 'my-ness' of the transaction, identification, etc. is not a bad question to ask. Of course this is coming from a guy who still rocks the 'dumb' phone and believes smartphones are just a fad until folks wise up.


You can't bake that in. There is absolutely nothing unique about you or your equipment that can't be copied, identified, or found out and used against you to get into your accounts.

That was the larger point of what I was saying.
