Microsoft has revealed at a security panel at CeBIT that it is preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows.
Detlef Eckert, the senior director in charge of Microsoft's Trustworthy Computing initiative, did not specify which form of two-factor authentication would be used in the next edition of the company's operating system, codenamed Longhorn.
Acknowledging that single-factor authentication, in other words PASSWORDS, is no longer enough to secure corporate IT assets, Microsoft has announced much tighter integration of two-factor authentication into future versions of the Windows OS. Two-factor products exist for Windows today, but they are bolted on rather than built into the OS, and an add-on sitting beside the logon path can never be as robust as a core component of it.
One well-known online financial services provider has already begun to head down this route. Who, you might ask? E*Trade.
For those of you unfamiliar with two-factor authentication schemes, they can be summarized as authentication with two independent pieces of information. Typically these amount to SOMETHING YOU KNOW and SOMETHING YOU HAVE. There are many examples. In the case of RSA SecurID the "something you know" is a PIN and the "something you have" is a key fob displaying a code that changes every sixty seconds. The code is derived from a secret seed inside the fob and the current time; the authentication server holds the same seed, looked up by the fob's serial number, so it can compute the expected code for any given minute without ever talking to the fob. If you lose the device, the PIN alone is useless to whoever finds it, and if you forget the PIN, the device alone is useless to you.
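To make the token scheme concrete, here is an added example (not code from the original post, and not RSA's SecurID algorithm, which is proprietary): it uses the open TOTP construction from RFC 6238, HMAC-SHA1 over a 30-second time step, as a stand-in, and adds the server-side check that both factors must pass. The `totp` and `TokenServer` names, the seed `12345678901234567890`, the PIN `4711` and the timestamps are all constructed for illustration; the seed and times are the RFC 6238 test vectors, so the codes can be checked against the RFC. The `last_counter` replay guard is an addition the paragraph above does not mention: without it, a code shoulder-surfed during its sixty-second life could be reused within the drift window.

```python
"""Added example: a TOTP token (RFC 6238) plus the two-factor check a server
would run. Seed, PIN and clock values below are constructed for illustration."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code; the fob in the text uses 60, RFC 6238 defaults to 30


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code the token displays at unix_time (RFC 6238 TOTP over HMAC-SHA1).

    Token and server both hold `seed`; they never talk to each other and only
    need clocks that agree to within about one time step.
    """
    counter = unix_time // TIME_STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation, RFC 4226
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenServer:
    """Server-side state for one user: shared seed, PIN, and a replay guard."""

    def __init__(self, seed: bytes, pin: str, window: int = 1):
        self.seed = seed
        self.pin = pin
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already used to log in

    def verify(self, submitted_pin: str, submitted_code: str, unix_time: int) -> bool:
        """Both factors must check out; a reused code fails even inside the window."""
        pin_ok = hmac.compare_digest(self.pin, submitted_pin)   # constant-time compare
        base = unix_time // TIME_STEP
        matched = None
        for step in range(-self.window, self.window + 1):
            counter = base + step
            if counter <= self.last_counter:
                continue              # that step was already consumed: a replay
            expected = totp(self.seed, counter * TIME_STEP)
            if hmac.compare_digest(expected, submitted_code):
                matched = counter
        if not (pin_ok and matched is not None):
            return False              # one answer for wrong PIN and wrong code alike
        self.last_counter = matched   # consume this step so the code cannot be reused
        return True


def demo(now: int = 1111111109) -> dict:
    """Walk the scenarios from the text with a constructed seed, PIN and clock."""
    seed = b"12345678901234567890"   # constructed; a real seed is random and never a literal
    pin = "4711"                     # constructed
    server = TokenServer(seed, pin)
    code = totp(seed, now)
    return {
        "both factors": server.verify(pin, code, now),
        "same code replayed": server.verify(pin, code, now),
        "stolen token, wrong PIN": server.verify("0000", totp(seed, now + 60), now + 60),
        "known PIN, guessed code": server.verify(pin, "123456", now + 120),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:26} -> {'accepted' if accepted else 'rejected'}")
```

Running it shows only the first scenario accepted: the stolen token fails on the PIN, the known PIN fails on the code, and the replayed code fails because its time step has already been consumed. Two practical notes: the seed is the whole secret, so the server's seed store deserves the same protection as a password database, and the drift window should stay small, since each extra step is another code an attacker's guess may match.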
Other approaches use RFID tags: if the tag is within range of a sensor and the proper PIN is entered, the machine unlocks, and when the tag leaves the sensor's range, the machine locks again. Another well-known approach to two-factor authentication pairs biometrics (a thumb or finger print, a retina scan, etc.) with a PIN code. Again, if you lose the biometric feature... well, you've got bigger problems than not being able to access your computer systems, unless your name is Jack Bauer.
Two factors. Far harder to defeat than a password alone.
1. Biometric identification is not easily made secure, since (a) it is vulnerable to a replay attack (play back the stream of bits from the retinal/fingerprint scanner), and (b) it cannot be changed.
You don't have to have your finger cut off for the black hats to know the digital encoding of your fingerprint. Even if you know that they have your digital fingerprint, you can't do much about it; you're stuck with your fingers.
Posted at 4:49AM on Dec 19th 2005 by Jonathan Rynd