<?xml version="1.0" encoding="iso-8859-15" ?> 
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/"
     version="2.0">

    <channel>

        <title>WiKID Strong Authentication - wikid_site_feed</title>
        <link>http://www.wikidsystems.com/wikid_site_feed</link>
        <description></description>
        <language>en-us</language>
        <generator>Plone 2.0</generator>

        
            
                  <item>
                      <title>My keyboard is not a US keyboard and my passphrase is not being accepted</title>
                      <link>http://www.wikidsystems.com/documentation/troubleshooting-wikid/my-keyboard-is-not-a-us-keyboard-and-my-passphrase</link>
                      <description>A guide to solving common issues in configuring and installing two-factor authentication from WiKID.</description>
                      <author>admin</author>
                      <pubDate>Mon, 12 May 2008 09:39:02 -0400</pubDate>
                      

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Higher Quality info will cost you - Black Market Economics</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/higher-quality-info-will-cost-you</link>
                      <description>Check out the McAfee Avert blog for a look at the black market for banking information. Accounts with high balances cost more,...</description>
                      <author>admin</author>
                      <pubDate>Fri, 09 May 2008 12:05:00 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>Check out the <a href="http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality/">McAfee Avert blog</a> for a look at the black market for banking information.  Accounts with high balances cost more, but have guarantees:
<blockquote>
For such prices, the seller offers some guaranties. For example, the purchase is covered by replacement, if you are unable - within the 24 hours - to log into the account using the provided details.
</blockquote>
So now the banks know how long they have to spot a compromised account to drive the profits out of the black market.</p>
<p><a href="http://netmesh.info/jernst/Comments/black-b2b.html">Hat tip Johannes Ernst</a></p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Appease the gods of identity by buying WiKID or at least sacrifice a goat</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/appease-the-gods-of-identity-by-buying-wikid-or</link>
                      <description> Great article on the New York Times site about  the psychology of insurance.  So when we think about passing up flight insu...</description>
                      <author>admin</author>
                      <pubDate>Tue, 06 May 2008 13:37:11 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>Great article on the New York Times site about <a href="http://www.nytimes.com/2008/05/06/science/06tier.html">the psychology of insurance.</a>
<blockquote>
So when we think about passing up flight insurance, we conjure up disaster just as easily as ancient Greeks imagined a thunderbolt from Olympus, and we too figure we can avert it through the equivalent of a bull sacrifice. Intuitively, we haven't made great strides since Homer's day. But at least our gods take credit cards.
</blockquote>
</p>

<p>Hat Tip <a href="http://www.marginalrevolution.com/marginalrevolution/2008/05/appeasing-the-g.html">Marginal Revolution</a></p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Security through lingual obscurity</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/security-through-lingual-obscurity</link>
                      <description> On a recent trip to Mexico, our casita had a safe in it.  The instructions for using it and the combination were printed on a c...</description>
                      <author>admin</author>
                      <pubDate>Mon, 05 May 2008 08:34:28 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>On a recent trip to Mexico, our casita had a safe in it.  The instructions for using it and the combination were printed on a covered sheet of paper sitting on top of the safe.  As I scanned for directions on how to change the combination, I read:
<blockquote>
Don't worry.  Anyone here to steal cannot read this paper.
</blockquote>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Kim Cameron on Fingerprint readers</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/kim-cameron-on-fingerprint-readers</link>
                      <description>Read the post: Fingerprint charade. The net of all of this was to drive home, yet again, just how silly it is to use a "p...</description>
                      <author>admin</author>
                      <pubDate>Fri, 02 May 2008 16:46:54 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>Read the post: <a href="http://www.identityblog.com/?p=981">Fingerprint charade</a>.
<blockquote>
The net of all of this was to drive home, yet again, just how silly it is to use a "public" secret as a proof of identity. The fact that I can somehow "apply" a given fingerprint means nothing. Identification is only possible by physically verifying that my finger embodies some fingerprint. Without physical verification, what kind of a lock does the fingerprint reader provide? A lock which conveniently offers every thief the key.</blockquote>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Why using SMS for authentication is a Bad Idea</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/why-using-sms-for-authentication-is-a-bad-idea</link>
                      <description> The core problem is that you are relying on the security of the carriers for the security of your system. Once you cede that co...</description>
                      <author>admin</author>
                      <pubDate>Thu, 01 May 2008 08:41:08 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>The core problem is that you are relying on the security of the carriers for the security of your system. Once you cede that control, you are at their mercy.  And their idea of security might not be the same as yours.  Consider this recent post at Consumerist about how easy it is to <a href="http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked">hijack a Sprint account</a>:
<blockquote>
Remember, all I knew about this guy was his cellphone number, that he was in his 20's, and that he lived in DC. That's it. That's all it took to completely hijack his entire Sprint account.
</blockquote>
There are implications beyond Sprint.  Any system that uses credit bureau information is potentially susceptible.  Security people knew this because, after all, credit bureaus sell this information, but the implementation makes it much, much worse:
<blockquote>
In the comments on this post, a former Sprint rep says it's even worse than we thought. They say that every question about cars has three luxury models and one typical one. He says that "none of the above" for "which properties have you owned" was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. "I was shocked at the number of times I was able to access an account by simply guessing the answers," he writes. "Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily."
</blockquote></p>
<p>Companies make security decisions based on acceptable rates of false positives versus false negatives.  The bigger the user base, the lower the tolerance for false negatives.  A cell phone company with 10 million subscribers will have a very low tolerance for false negatives.  Do you want the same tolerance for your two-factor authentication? It seems highly unlikely.</p>
<p>More on <a href="learn-more/Problem/sms">SMS authentication issues</a></p>
]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Google Apps &amp; Two-factor authentication</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/google-apps-two-factor-authentication</link>
                      <description> We previously announced our  proof-of-concept for adding two-factor authentication to Google Apps .  We have published  How to ...</description>
                      <author>admin</author>
                      <pubDate>Wed, 30 Apr 2008 11:15:00 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>We previously announced our <a href="http://www.wikidsystems.com/WiKIDBlog/open-source-two-factor-authentication-for-google">proof-of-concept for adding two-factor authentication to Google Apps</a>.  We have published <a href="http://www.howtoforge.com/two-factor-authentication-google-apps-gheimdall">How to add two-factor authentication to Google Apps</a> over on Howtoforge.  Check it out.</p>
<p><strong>Update</strong>: I should also mention that it would be trivial to add support for Google Apps SSO into the WiKID server, removing the requirement for a 3rd party product.  If there's interest in that...</p>
]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Password on post-it note reveals affair</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/password-on-post-it-note-reveals-affair</link>
                      <description> According to ComputerWeekly's  Downtime blog , a password on a post-it note allowed a temp to access email of a London mayor's ...</description>
                      <author>admin</author>
                      <pubDate>Fri, 25 Apr 2008 10:40:30 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>According to ComputerWeekly's <a href="http://www.computerweekly.com/blogs/IT-downtime-blog/2008/04/postit-note-proves-revealing.html">Downtime blog</a>, a password on a post-it note allowed a temp to access email of a London mayor's office staffer, revealing an affair with a married woman.  Downtime's take:
<blockquote>
Downtime expects Ken to have already ordered a two-factor authentication scheme to protect those afflicted with short-term memory difficulties, banned 3M's best-selling product and instructed HR to re-do the background checks to weed out anyone with a malicious sense of humour.
</blockquote>
</p> 
]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Security and Oil</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/security-and-oil</link>
                      <description>I've been reading The Prize by Daniel Yergin. I've wanted to read it for quite some time and just ran across a copy at a yard...</description>
                      <author>admin</author>
                      <pubDate>Thu, 24 Apr 2008 14:23:48 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>I've been reading <a href="http://www.amazon.com/Prize-Epic-Quest-Money-Power/dp/0671799320/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208960288&sr=8-1">The Prize</a> by Daniel Yergin. I've wanted to read it for quite some time and just ran across a copy at a yard sale.  It is excellent.  I'm about half-way through.</p>
<p>With gas and oil prices so high, I get very flustered with: 1.  The government attempting to make decisions the market should make, a la ethanol subsidies (makes you think ethanol is not the correct answer); 2. Calls for lower gas prices or the temporary elimination of gas taxes (Do you want to stimulate demand or stimulate the market for replacements?); 3. Calls to increase US production.</p>
<p>Oil is a finite resource, so it is very simple: whoever has the most last wins.  If you have some extra that never gets used, that's probably OK; you will have more than made up for it based on the prices at the end.  Unless we intend to switch all of our armed forces to something other than oil and gasoline, we should consider places like ANWR our strategic reserves.</p>
<p>Reading Yergin, in particular the WWII chapters, this need hits home.  By the end of the war, Japan was trying to make fuel from pine roots.  Interestingly, the post-war US administrations seemed most interested in developing non-US sources of petroleum, recognizing the need to save the US's reserves.</p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>We're 71!</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/were-71</link>
                      <description> According to eSecurity Planet, the WiKID Strong Authentication System is number 71 of the top 75  Open Source Security Apps .  ...</description>
                      <author>admin</author>
                      <pubDate>Wed, 23 Apr 2008 09:03:03 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>According to eSecurity Planet, the WiKID Strong Authentication System is number 71 of the top 75 <a href="http://www.esecurityplanet.com/best_practices/article.php/11779_3741146_5">Open Source Security Apps</a>.  Actually, the ranking seems to be random. We are  one of two entries under the "User Authentication" section and the sections are listed alphabetically. So, if our category had been "Authentication", we would have been 12th, just after Anti-spyware. :)</p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>100% open source</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/100-open-source</link>
                      <description> One of our customers is attempting to go  100% open source , which factored heavily in their choice of WiKID for two-factor aut...</description>
                      <author>admin</author>
                      <pubDate>Tue, 22 Apr 2008 09:00:00 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>One of our customers is attempting to go <a href="http://hurricanelabs.blogspot.com/2008/04/100-open-source-mission.html">100% open source</a>, which factored heavily in their choice of WiKID for two-factor authentication.  They liked our "appliance in an ISO" model, but were not so fond of our use of Java :)</p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Corporate Retreat - Expect Slow responses</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/corporate-retreat-expect-slow-responses</link>
                      <description>  We are having a first ever "corporate" "retreat" at a secret undisclosed location this week (4/14-4/18), so responses may be s...</description>
                      <author>admin</author>
                      <pubDate>Mon, 14 Apr 2008 16:15:01 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p> We are having a first ever "corporate" "retreat" at a secret undisclosed location this week (4/14-4/18), so responses may be somewhat slower than you've come to expect.  We apologize for any inconvenience.</p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Unofficial Review of mutual authentication schemes at consumer banks</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/unofficial-review-of-mutual-authentication-schemes</link>
                      <description> For some reason, I really enjoyed this  impromptu review  of image-based "multi-factor authentication".  These image-based site...</description>
                      <author>admin</author>
                      <pubDate>Fri, 11 Apr 2008 09:31:15 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>For some reason, I really enjoyed this <a href="http://community.livejournal.com/pittsburgh/1645552.html">impromptu review</a> of image-based "multi-factor authentication".  These image-based site authentication tools are sadly mislabeled as two-factor authentication, which is a personal cocktail party tragedy for me: </p>
<blockquote>
<p><b>Party go-er</b>: You do what? What is two-factor authentication?</p>
<p><b>Me</b>:  Well, you use it all the time at the ATM where you need both possession of the card and knowledge of the PIN to get your cash.  Ours is like that, only you need possession of the secret key in our software and knowledge of the PIN to get a one-time passcode that you then use to get access to a corporate VPN or a website. </p>
<p><b>Party Go-er</b>: Oh, my bank is using two-factor authentication. The second factor is a picture of a cat they have to show me.</p>
<p><b>Me</b>: Yeahhh, that's not really two-factor.  They are trying to prevent a man-in-the-middle attack by trying to identify the site to you in a way that is simple.  Unfortunately, there is still nothing that prevents a man-in-the-middle from replaying that picture to you because there is no cryptography involved. We have a process that combines one-time passcodes and a cryptographically secure mutual https authentication mechanism to prevent network-based man-in-the-middle attacks...</p>
<p><b>Party Go-er</b>: Oh, are they bringing out more pigs-in-a-blanket? I <i>have</i> to get more of those...</p>
</blockquote>
]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Potential XSS in PHP Sample page</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/potential-xss-in-php-sample-page</link>
                      <description> It has been brought to our attention by the team at  ush.it  that the sample.php page in our PHP Network Client has code that c...</description>
                      <author>admin</author>
                      <pubDate>Fri, 11 Apr 2008 12:35:00 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>It has been brought to our attention by the team at <a href="http://www.ush.it/">ush.it</a> that the sample.php page in our PHP Network Client has code that could have been exploited via an XSS attack.  The sample page is not part of the network client itself, it is just provided as an example of <a href="http://www.wikidsystems.com/documentation/howtos/how-to-add-wikid-two-factor-authentication-to-a-php-application?searchterm=php">how to add two-factor authentication to PHP applications</a>.</p>

<p>We've touched base with the Enterprise users that we know have used WiKID in their PHP applications.  So far, no one has used that code. Rather, they have taken their existing authentication pages and added the WiKID code to bring two-factor authentication into the mix.</p>
<p>More information on the code in question can be <a href="http://www.ush.it/2008/04/11/wikid-wclient-php/">found here</a>.</p>
<p><b>Updated: </b>Corrected link.</p>]]></content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>WiKID tokens for Mac OS X</title>
                      <link>http://www.wikidsystems.com/WiKIDBlog/wikid-tokens-for-mac-os-x</link>
                      <description> We realized that our current two-factor software token requires Java 1.6, which is not yet available on OS X.  I've  added link...</description>
                      <author>admin</author>
                      <pubDate>Mon, 07 Apr 2008 16:55:00 -0400</pubDate>
                      
     <content:encoded><![CDATA[<p>We realized that our current two-factor software token requires Java 1.6, which is not yet available on OS X.  I've <a href="http://www.wikidsystems.com/downloads/token-clients">added links on the token download page</a> to the last token client which supports Java 1.5 in <a href="http://www.wikidsystems.com/webdemo/tokens/j2se/jWiKID-3.0.5.jar">a plain jar</a> and as an <a href="http://www.wikidsystems.com/webdemo/tokens/j2se/jWiKID-3.0.5-installer.jar">installer jar</a>.  Apologies to any Mac users that had trouble with the token.</p>]]></content:encoded>
     

                  </item>

            
	   	
        


    </channel>

</rss>

