Sign in / up

back to article Lenovo, PayPal, launch post-password plan

Lenovo, PayPal and lesser-known fellow travellers Agnitio, Infineon Technologies, Nok Nok Labs and Validity, have cooked up a new authentication standard for websites and an alliance to push it to the world. The Fast Identity Online Alliance (aka FIDO), as the group and proposed standard are both known, advances a two-factor …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. Graham 24
    Thumb Down

    How many days...

    .... before this is cracked?

    "A browser plugin is an essential piece of the FIDO plan"

    Of course, the coding of the plug in will be to such a high standard that it will be impossible for any rogue web site to read anything from the token (or, heaven forbid, write to it), wont' it?

    See also: Java, ActiveX, Flash.

    0 0
    1. Bronek Kozicki
      Reply Icon

      Re: How many days...

      It might, just might, be open source - or at least open for security researchers. If it is not, I do not quite see how this might be approved by wide enough user base.

      0 0
  2. GrumpyJoe
    Thumb Up

    Just got a Yubikey

    (http://www.yubico.com/) and it seems to be a nice piece of kit - my email provider uses it so I can protect my email in a more secure way. There IS innovation in this space, it's just more vendors need to embrace it.

    Anybody else have one?

    0 0
    1. Brent Longborough
      Reply Icon
      Go

      Re: Just got a Yubikey (Fanboy alert)

      Yes. I've had one for nearly three years, now, and love it.

      I recently bought a Yubikey Nano, which has challenge-response and can be used as an additional token for Windows logon.

      I just have one concern about the original (one-time password) Yubikey. The AES encryption key lives in the Yubikey, where it's safe, and on the authentication server, where, in principle, it isn't. Maybe a challenge-response arrangement might be better.

      0 0
  3. Blacklight

    PAM?

    Or they could just implement one of the PAM based systems already out there, for hordes of people, say - those Android users who can use Google Authenticator. But that's free and thus not something they can charge for :)

    0 0
    1. Comments are attributed to your handle
      Reply Icon
      Coat

      Re: PAM?

      How exactly will lubricating the device make it more secure?

      0 0
  4. The First Dave
    WTF?

    If PayPal are involved, I probably don't want anything to do with it...

    1 1
  5. Anonymous Coward 15

    Would be nice if they'd just accept Google Authenticator.

    0 0
  6. OffBeatMammal

    PayPal's involvement doesn't impress me. I'm more likely to go for something based on the Yubico platform (and I see Google recently announced they're working with Yubi on a similar two-factor auth scheme to do away with passwords)

    I use a Yubi key for personal stuff, and for work have a Gemalto token - the sooner site/domain specific passwords are done with the better, though I would want any two factor auth scheme to provide the ability for me to maintain different personas - "work", "private", "public" etc

    0 0
  7. Anonymous Coward
    Anonymous Coward

    I see the Trusted Platform Module is making another insidious theoretical comeback.

    0 0
  8. Jin

    It sounds another hype.

    2 being larger than 1, it looks obvious that the 2-factor solutions should provide more or less higher security than 1-factor solutions, but with caveats.

    1. What works in the unguarded outdoor environment necessarily works as well in the guarded indoor environment, but what works indoor does not necessarily work as well outdoor.

    However sophisticated the physical tokens may be, the security obtained by the possession of the token would be lost altogether when the PC/tablet/phone gets stolen together with the physical token. We should not assume that attackers who have the chance to steal the PC/tablet/phone will always refrain from stealing the physical token.

    If a password is supposed to stay as another factor against such threats, it is not appropriate to call the scheme a post-password plan.

    2. Biometric solutions could be one of the 2 factors only if their false rejection rates are zero when the false acceptance rates are close to zero in the outdoor environment. For they would otherwise require something else (possibly a password) for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. The overall security cannot be higher than when only that “something” was used.

    Convenience should not be a replacement for security.

    0 0
This topic is closed for new posts.

Other stories you might like