All Hail The Death Of Usernames And Passwords

[DaBees-Knees]

http://www.techweekeurope.co.uk/comment/usernames-passwords-certivox-87127

This is an extract from the full article.

But what’s the alternative? After all, the user has to identify themselves in some way or other. I’ve wasted too much time glaring into uncooperative machines at airports to trust biometrics, and electro-magneto-spiritual life-essence detection would be cool but I haven’t invented it yet. So I’m going to resort to old-school cryptospeak and nail my colours to the two-factor authentication mast.

Here’s how it works. Two-factor authentication means that you have to have something (a physical thing) and know something (a secret) at the same time, in order to be able to authenticate yourself. Real-world example: cash machine. You have something (the card) and you know something secret (the PIN). The card is useless without the PIN. The PIN is useless without the card, and the card doesn’t store the PIN in any way. It’s about as secure as it gets.

Online, it all hinges on how we use the user’s identity. What Yahoo and all the other guys who got hacked were doing was using a fixed correlation between username and password to establish identity. Because it was fixed, it had to be mapped somewhere. The system had to have a documented list, in which usernames went with which passwords, so that the login script could look them up. This is the positively Tolkienesque single point of failure that cybercriminals love. “One ring to rule them all,” and whatnot.

But what if the user’s authentication were powered by something more substantial than a childish game of snap with usernames and passwords? What if the user’s email address was converted into ASCII (American Standard Code for Information Interchange – a character encoding technique) and then hashed to produce an identity-based secret in the form of a numerical string?

Sounds great. But you’ve got to have a minimum of two authentication factors, right? OK, so let’s take a leaf (for once) out of the banks’ book, and use a PIN. Only the user knows the PIN, which effectively turns the user’s cryptographic secret into a “token.” The token is the thing that the user has, even if they don’t actually see it. Token plus PIN equals identity-based secret, which is used as a fixed generator in an authentication protocol – but neither can be reverse-engineered to reveal the other, because the relationship between them does not work in both directions.

Now this is where things can start to get very mathematically heavy, so I’m going to focus on outcomes rather than integers. What this means is that websites have no further need whatsoever to store user login information on the site. The traditional, mapped 1-to-1 relationship between username and password is obsolete. It’s not a login, it’s an ex-login. It’s only there because Yahoo and others nailed it there (in a big old file.) It has shuffled off this mortal web. Mortus est.

Bringer of death, me? You betcha.

It'll be interesting to see this develop.

[silicon_toad2000]

I don't see yahoo or others getting into this at all, those RSA tokens and the like cost a bit, I can't see them handing them out for free.
Plus the "forgot my password" get a bit more interesting, but those are the functions which are part of the problem.

[GhostShip]

This chap has no grasp of what hes talking about, there are multiple mechanisms of attack in the system he has outlined and if you look carefully at his proposal and call the "secret hashed ASCII email address" a "userrname" and the pin a "password" you can see clearly he is playing simple word play games and has no grasp of the weaknesses that are inherent in even the more secure mechanisms, anyone who feels that the banks methods are super secure and I'm sure believes that they have never been broken are deluding themselves, all have been broken and will continue to be able to be broken as even the best mechanism is open to implementational flaws, these can include simple tampering with the authenticational software locally or remotely or even more trivially using malware to hijack the login page and misdirect you to servers that make a nice list of all your inputted "secret" data, the list goes on but the point is he needs a refresher course in security methods and their flaws.