Feeds

First Google wants to know all about you, now it wants a RING on your finger

For those who've always wanted to give the web giant the finger

Combat fraud and increase customer satisfaction

Top Google bods are mulling over using cryptographic finger-ring gadgets and other ways for users to securely log into websites and other services.

The ad giant's security veep Eric Grosse and engineer Mayank Upadhyay have submitted the paper Authentication at Scale to the IEEE Security & Privacy Magazine; their central argument is that weak passwords are a bigger threat to online security than malware infection, hacker attacks or espionage. Passwords, as they stand, need to go, in the pair's opinion, but this process won't happen overnight:

In working to keep cloud computing users' data safe, we observe many threats - malware on the client, attacks on SSL, vulnerabilities in web applications, rogue insiders, espionage - but authentication related issues stand out amongst the biggest. When trying to help hundreds of millions of people from an unbelievable variety of endpoints, attitudes, and skill levels, what can possibly displace plain old passwords? No single thing, nothing overnight, and nothing perfect. A combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation is starting to find adoption towards making a discernible difference.

Google introduced a two-stage login process for its Gmail website two years ago. This optional two-factor verification adds an extra layer of security to Google accounts by linking them to a registered mobile phone number. Users are asked for a code sent to them by text every time they try to log into their accounts from a new computer, a minor inconvenience for legitimate users that makes life far trickier for account hijackers and other criminal hackers.

Looking further ahead, Google is experimenting with Yubico cryptographic USB cards that generate one-time passcodes (OTP) for logging into websites. The YubiKey combines a public ID number unique to the key with a series of bytes generated on the fly to produce a one-off code that, when used with an account username and password, will log the user into the service for that one particular session. The magic code consists of a secret value, a timestamp, some counters and a few random bytes encrypted using 128-bit AES, and then inputted into the computer via USB as if typed into a keyboard.

Pressing the gold disc-like button on the keyboard generates and outputs the new unique code; the incrementing counters ensure no one can copy and reuse the OTP, and the public ID number in the key links the gadget to the account username. One step on from that involves replacing the USB connection with wireless radio tech and building it into a finger-ring. And then getting enough websites and services to use it.

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Grosse and Upadhyay wrote.

“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”

It is understood Grosse and Upadhyay have developed a protocol for device-based authentication independent of Google that will also prevent websites from tracking users. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.