This is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a flash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."
Interesting concept, actually, I wouldn't mind if they actually implemented it.
I have an "interesting" experience with 2-step verification. I used to receive SMS from Google when logging in on a new computer or device. I didn't have Authenticator for Android or backup codes. Then I changed my mobile phone number (so the old number got deactivated). I forgot to update my number in Gmail security settings which locked me out of my account for nearly a month. I contacted support 3 times to no avail. In the end, I had to reactivate my old number (luckily that was possible because it was postpaid) to get back the access to my account.
This just made me realize how safe 2-step verification is. Now I'm using Authenticator and have backup codes stored in a safe place and even if someone gets my password (which is complicated as hell) with keylogger or something, they won't be able to do a thing without hijacking my cell phone.
[citation][nom]tirvon[/nom]This is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a flash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."[/citation]
Which is why people should stop using public computers to access sensitive accounts. A little common sense goes a long way. It is a completely un-trusted device and should NEVER be used for anything other than browsing junk.
People can fix their own problems with a little effort, people too lazy to do it deserve what comes their way. I am all for this move to a device like the YubiKey becoming the standard.
Personally I prefer the LastPass route. Been using it since Sony got hacked (I didn't even know I had an account at the time till I got an email) but I took that opportunity to update all my passwords to at least 64 characters of random stuff when this happened. Though admittedly some websites don't allow that such as Yahoo who I think capped me at something like 24 or something low.
This works for 90% of the websites out there as LastPass unfortunately doesn't work with all of them out there. For the rest I just save login info in LastPass and access it manually or I go the XKCD way and throw together random words like "Correct Horse Battery Staple" if I have to login to it often and without LastPass (login screen to laptops/desktops/etc).
Having just read the Wired description of how Google plans to use a Yubico device vs how LastPass uses one. It just seems like Google's way of doing things is far less secure. It doesn't sound like it will ask you for a password if you use said device by default (or any mention of the option). Which means if you lose the device you just lost all your passwords which can now be easily used by ANYONE who finds it.
Why don't they just embed the YubiKey in your wrist, kinda like chipping a dog...that way, in addition to application authentication via NFC, they can keep track of our whereabouts via turnstiles and building entryways.
[citation][nom]lebois kid[/nom]Why don't they just embed the YubiKey in your wrist, kinda like chipping a dog...that way, in addition to application authentication via NFC, they can keep track of our whereabouts via turnstiles and building entryways.[/citation]
phones already provide that tracking service right now... today... for everyone.
this is nothing more than a convenient way to link all accounts (email, bank, 2nd 3rd & 4th email accounts) back to you... so that Corporations and Governments can track you better.
The Hitch-Hiker’s Guide to the Galaxy explains the function of the Ident-I-Eze card like this:
There are so many different ways in which you are required to provide absolute proof of your identity these days that life can easily become extremely tiresome just from that fact alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an ambiguous universe.
Just look at cashpoint machines, for instance.
Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant genetic analysis.
Hence the Ident-I-Eze.
This encodes every single piece of information about you, your body and your life into one all-purpose machine-readable card that you can carry around in your wallet, thereby representing technology’s greatest triumph to date over both itself and plain common sense.
I think the best method going is the one already mentioned by Google. When you login to your bank you put in user name and password, then you are sent a text message with a code to type in. What is more secure than this that doesn't require purchasing any additional devices? It's brilliant.
[citation][nom]mrmez[/nom]Yeah, not convinced. Still think the biometric scan idea is the best. Devices will have built in sensors, automatically detecting unique biometric signatures and automatically unlocking. Either that or implant an RFID tag in your scrotum which locks your device when you stop masturbating[/citation]
No, no, and no.
Biometrics are *not* the solution for security. They can be *used* for security, but only as part of a two- or three-factor identification check. Biometrics by themselves are not secure. Also, you have two problems specific to biometrics:
1) Biometrics, by virtue of their "sci-fi", "ooooh, high-tech" factor, have many people fooled into thinking they are impossible to fake. Therefore, there will be a real tendency to tie someone to their biometrics. As in, your fingerprint is used to validate your identity in Belize to withdraw all the money from your account, there will be a tendency to assume it really was you in Belize withdrawing that money (even if you were in Los Angeles at the time).
2) Once a part of your body is copied, whether your face, fingerprint, or retina, it's rather difficult to get a new one. So, what happens when everything depends on your fingerprint being read but your fingerprint is being used by thieves with their high-tech, fingerprint-reader fooling gummy bears?
In any case, there are some things that can easily be done to improve security significantly:
1) Limit the number of password attempts. If someone fails the attempt, say, 5 times, introduce a time-delay and/or require additional verification. This essentially breaks all attempts at brute-forcing.
2) Stop using stupid, easily guessable/obtainable bits of personal verification for ID checks. Your mother's maiden name, your dog's name, the name/age/birthday of you or anyone you know; crap like this has to go.
3) STOP MASKING PASSWORDS, FFS. It reduces security by making users choose passwords that are easier to type, and increases support costs from people who get frustrated and have to reset their password (and then reset their password with the aforementioned low-security ID checks of personal information). How often are you seriously worried about someone looking over your shoulder (never mind that they could just as easily look at what keys your fingers are hitting), anyway? And you can easily include a checkbox to mask the password if it's an actual concern.
4) Use passPHRASES instead of passWORDS. Easier to remember, harder to crack. This one is a no-brainer, really.
[citation][nom]jarred125[/nom]Which is why people should stop using public computers to access sensitive accounts. A little common sense goes a long way. It is a completely un-trusted device and should NEVER be used for anything other than browsing junk. People can fix their own problems with a little effort, people too lazy to do it deserve what comes their way. I am all for this move to a device like the YubiKey becoming the standard.[/citation]
you will be surprised to know how easy it is to hack ANY pc if you know what you are doing...
there is nothing called safe pc any more .. they can even hack your router itself and make it like a spying pc inside your trusted network at home... routers are "small pc" with cpu and ram and flash btw... and the stupid router manufacturers make it possible to flash the device from LAN.. which puzzles me .. it should be isolated from the network the flash process like a serial port or dedicated usb port that is not connected to the cpu and ram.
sadly TODAY you need to be a security specialist to secure your PC , or a computer science student and this is wrong ... and this is the responsibility of the manufacturer to make the hardware secure enough without deep knowledge ... and they FAIL to do it. starting from the OS that in the design allows security holes that must be patched in updates (and now they fool the system with auto update that puts a worm into your pc) ... to the hardware router level who make it EASY to hack routers by allowing flashing the firmware using the LAN port STUPID .. and don't say Password .. today a Password is a JOKE if the hacker knows what to do and the MANY backdoors he can try to get your passwords.
when you buy a CAR and use it , you don't have to be a mechanic to use it ... the same should be applied to computers ... it is NOT my duty to be a PC security specialist to secure my data on a PC I PAID some idiots MONEY for it and they are making no real effort to make it secure from the ground up. why Design something that can be accessed backdoors from the beginning? why design the OS like that ? this is FAIL .. why make everything "connected" inside the OS ... they just want an "easy to program " system ...to sell it to people ... easy to reach easy to connect. but this is WRONG .. if Cars were made that way you would have million accidents on the road.
looks like yet another ploy to harvest data on people.
in reality, google wants to build a fingerprint database on all its users in the name of 'better authentication measures'.
next, they will try to trick people into using their dna samples saying fingerprint identification and/or facial recognition is inadequate. by then, google will own you.
'be no evil', no - it's more like 'be more and more evil'.