
Anything that can be plugged in can get infected.....
Google has started testing NFC keyrings from one-time-pad makers Yubico, with a view to offering them to ordinary punters next summer as a secure way of accessing the Google cloud. The keyrings feature a USB interface and an embedded NFC tag, either of which can supply a one-time password securing connection. The technique is …
Good idea for a software-less solution. Just a shame it's for security from a company that no one wants to use anymore because they also give the NSA/GCHQ the keys too. The browser url will be tracked too.
Not to mention the fact one may be a bit dubious about putting usb devices in their pc that come from companies that are elbow deep with those spooks.
Of course you are still vulnerable to being tapped by Man In The Middle attacks, but that's not the fault of the key generator.
Assuming they can perform a MITM attack on SSL, in which case it doesn't matter whether the user types in the 2nd factor, or it is read from an NFC chip, or even assembled by firing photons from a massive space gun at your phone.
NSA compromises aside it still seems flawed.
Today I've got a keyring device I can type a code into and it gives me a number to use for my bank.
This device replaces my device and doesn't need a password. So, I imagine I have to type the password into the phone instead and the device passes a secure password too.
I can't see the difference between that and having a program on the phone which generates the password (like the device in the article) and then I type my password in. What's the advantage of having the device separate once I don't type a password into it?
It's true that phones can be compromised but if that happens the attacker could take my passwords, as they are passed to the phone and perpetrate whatever skulduggery they desire.
Two factor authentication is called such because you must supply two things to authenticate, e.g. something you know and something you own, such as a pin and a hard token.
If you make it single factor by removing the requirement of one of those things then you weaken the security in different ways. So I don't see it likely that adding an NFC-based token would mean they take away another form of authentication. Most likely you would have to supply both, if not to see your account balance then at least for operations which involve transferring money into or out of your account.
Indeed.
As someone who already uses 2 factor authentication with their bank, the token was added to the security, they don't remove the 'something you know' bit.
As pointed out, for 2 factor, you need two separate types of information. The types being (generally):
* Something you know (passwords, secret question/answer, fixed pins etc.)
* Something you have (tokens, PIN generators etc.)
* Something you are (fingerprints, retinal scans etc.).
You need at least one item from two of the above three options for it to be multi factor.
So a username, password and a secret question is still single factor, as they are all still things you know.
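The two posts above (that a second factor must come from a different category, and that a token is added on top of the "something you know" rather than replacing it) can be shown in working code. The following is an added example, not code from the article or from Yubico: it implements the HOTP counter-based one-time password of RFC 4226 as a stand-in for a hardware token (Yubico's own OTP format is different and is not reproduced here), a small factor-category check, and a server-side login that requires both the password and a fresh token code. The `FACTOR_OF` table, the `TokenVerifier` class, the fixed salt and the sample secret are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Factor categories as listed in the thread; the credential names are constructed.
FACTOR_OF = {
    "password": "know",
    "secret_answer": "know",
    "pin": "know",
    "hotp": "have",
    "fingerprint": "are",
}


def factor_count(credential_types):
    """Number of distinct factor categories among the supplied credential types.

    Three "know" items (username, password, secret question) still count as one
    factor; a password plus a token code counts as two.
    """
    return len({FACTOR_OF[c] for c in credential_types})


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side record for one user: password hash, token secret, and the
    last accepted counter so a captured code cannot be replayed."""

    def __init__(self, password: str, token_secret: bytes, lookahead: int = 5):
        # Constructed fixed salt for the example; a real deployment stores a
        # random per-user salt alongside the hash.
        self.salt = b"constructed-example-salt"
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.secret = token_secret
        self.counter = 0          # next counter value the token is expected to use
        self.lookahead = lookahead  # tolerate a few button presses that never reached us

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def check_otp(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # consume this and any skipped counters
                return True
        return False

    def login(self, password: str, otp: str) -> bool:
        # Password first: a wrong password must not advance the token counter,
        # otherwise someone holding only the token could burn codes.
        if not self.check_password(password):
            return False
        return self.check_otp(otp)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed input
    user = TokenVerifier("correct horse", secret)
    print(factor_count(["password", "secret_answer"]))   # 1: all "know"
    print(factor_count(["password", "hotp"]))            # 2: "know" + "have"
    print(user.login("correct horse", hotp(secret, 0)))  # True
    print(user.login("correct horse", hotp(secret, 0)))  # False: replayed code
```

The replay check is the part a hardware token buys you: once a code has been accepted its counter is consumed, so a code observed over the shoulder or in a phishing form is useless a second time, while the password remains a separate "know" factor that the token never carries.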
Isn't it about time a proper standard was defined for multi factor authentication? Including APIs etc.
Then once defined, and accepted, newer ISO standards and such for security, such as how banks, the government and other organisations do authentication and identification, could then be updated to insist they support this one standard.
That way you could get one token, but it then works universally for anyone complying with the standard.
Otherwise we are going to just end up with a pocket full of these, one for each service or set of services you use.
This would also help get round the growing issue of being able to prove who you are, such as when applying for loans or a new passport etc. ("Please bring in 3 recent utility bills with your name and address on it", "erm, I do everything online, I don't get bills in the post!")
Surely on an Android phone it could 'type' in the password the same as when you insert it in a computer as a USB device. Then it would actually be sort of convenient. Why would they have it providing a URL and unnecessarily difficult to use? This makes no sense at all.
I don't always bring my keys with me when I leave the house and wouldn't want to have to, and I certainly don't want to have to keep them by my computer to log into my bank. What a pain. Maybe the "something I have" for two factor security could be something that I do have by my computer... like, say, my phone? No, that would be too obvious.
Couldn't phones have (if they don't already) a private key built into them so they could be uniquely identified and thus be your security device instead of requiring something separate? Yeah, a phone can be compromised, but a security solution that isn't convenient to use won't get used, and therefore does nothing to improve security. Google could put the access to the security routine in some low level firmware that can't be touched and thus would be secure even on a compromised Android device.