[Tfug] Authentication procedures
James Hood
ebenblues at gmail.com
Fri Mar 20 16:06:12 MST 2009
> But, if this becomes "standardized", then virii can just be written
> to sit and watch for the next "authentication cycle" and snarf
> your credentials, etc. I.e., people would be just as bad at
> guarding that "secret" (credential) as they are about their
> "passwords".
I'm talking about key-based authentication via public/private key
pairs. The key that's shared is the public key. The private key never
leaves the local client. If you're talking about viruses on the client
PC that read your private key off of the flash drive, then that is an
exposure. But there should be ways to mitigate that, such as putting
more logic in the key itself (it doesn't have to be just a plain flash
drive) such that the private key is never shared with the client
system.
> I don't see that as any more secure. That's like keeping
> your car key in a standardized place in/on the car and
> hoping only "authorized valets" actually go and use it...
If you make it so the private key never leaves the flash drive (not
even to the client PC), which never leaves your keychain, then it is
more secure.
> I think the problem is that people can understand what's at risk when
> they "give out" the key to their house. They can form a mental
> image of all the things inside the house that they are making
> vulnerable by doing so.
>
> But, they can't put a value on what the password is protecting.
Agreed. But I argue that attaching a software key to their physical
key chain will cause the person to guard their software key the same
way they would guard their physical keys, which is better than how
people currently guard passwords.
James
--
"The humble learn the fastest because they don't waste time on
defending a false image."
More information about the tfug
mailing list