This week the press is all agog about how Windows 8 is going to "securely" manage passwords. Win 8 will do this with LiveID, syncing passwords across multiple computer platforms, using "TrustedID" to authenticate the computer, and storing all your long complex passwords in the cloud or on your device. But the sense of security is still misplaced.
When it comes to security, multi-factor authentication is the first topic that comes up, and the factors are:
Something you have. (Smart Card, token, etc.)
Something you know. (Password, PIN or pattern)
Something you are. (Fingerprint, iris scan, etc.)
So let's break down Win 8 strategy based upon these factors.
First, storing passwords on the device that you will be using to access applications, sites, servers, etc., is a violation of "something you have." Something you have has to be a completely separate piece of hardware that is brought together with the device at the time of authentication. That's why we use smartcards, tokens, dongles, etc. So synchronizing and Trusted ID add little to no security.
Second, jumping ahead to biometrics, the "something you are." It does not matter if it is a fingerprint, iris image, facial recognition, voice print, etc. It is all digitally captured and turned into a string of 1's and 0's called a template. Capturing the template and replaying it is a security risk, and storing your templates on multiple devices and sites increases the probability of theft. So off-computer or on-token matching is the best solution, which ties back into "something you have." Finally, if you opt out of biometrics, you have also dropped one more authentication factor.