Comments on: Two-Factor Auth for World of Warcraft http://perimetergrid.com/wp/2008/06/30/two-factor-auth-for-world-of-warcraft/ Building Security in a Networked World Fri, 03 Sep 2010 18:55:09 +0000 hourly 1 http://wordpress.org/?v=abc By: Gunslinger http://perimetergrid.com/wp/2008/06/30/two-factor-auth-for-world-of-warcraft/comment-page-1/#comment-90 Gunslinger Thu, 03 Jul 2008 04:34:00 +0000 http://perimetergrid.com/wp/?p=51#comment-90 I guess this article just highlights what you're saying. http://www.signonsandiego.com/news/state/20080701-1138-tec-atmbreach.html I guess this article just highlights what you’re saying.
http://www.signonsandiego.com/news/state/20080701-1138-tec-atmbreach.html

]]> By: Grant Bugher http://perimetergrid.com/wp/2008/06/30/two-factor-auth-for-world-of-warcraft/comment-page-1/#comment-89 Grant Bugher Wed, 02 Jul 2008 18:29:55 +0000 http://perimetergrid.com/wp/?p=51#comment-89 What would be ideal is a dynamic-password-based or smart-card-based federated identity management system. That way you could have one ID, used on multiple sites or services, but only one keyfob. So long as you kept hold of your keyfob, it wouldn't even necessarily be less secure, though designing federated identity systems that are both usable & secure turns out to be really hard. Imagine if OpenID had you use your URL and a dynamic password and PIN, rather than a normal static password. What would be ideal is a dynamic-password-based or smart-card-based federated identity management system. That way you could have one ID, used on multiple sites or services, but only one keyfob. So long as you kept hold of your keyfob, it wouldn’t even necessarily be less secure, though designing federated identity systems that are both usable & secure turns out to be really hard.

Imagine if OpenID had you use your URL and a dynamic password and PIN, rather than a normal static password.

]]> By: Anjela http://perimetergrid.com/wp/2008/06/30/two-factor-auth-for-world-of-warcraft/comment-page-1/#comment-88 Anjela Tue, 01 Jul 2008 17:18:16 +0000 http://perimetergrid.com/wp/?p=51#comment-88 Irony: I look at the RSA keyfobs and think "OMG MUST HAVE!", even though I'm not the kind of person who downloads illegitimate software. Apparently I am that sort of geek. The real trouble is going to come in when you have a dozen of these and need to know what goes with which. (And what do you store them in?) Of course, if they're branded like the Blizzard one, that helps with identification, but for banks, it might be in their best interest not to identify the keyfob quite so obviously. But then you run into the trouble of customers who need that identification, because otherwise they'll forget what the thing is for. But then, I really don't think it's a good practice to design <I>security</I> software and protocols for the dumbest user out there -- truly secure systems are going to require a level of sophistication to use, and in the end, people learn to deal with that. Actual housekeys haven't always existed, and I'm sure there was a real fuss about it when they started becoming common ("What if I lose it?! Why should I need one of these? Won't thieves realize my house has valuables in it if I take the trouble to lock it?"), but people dealt. Of course, we live in a society where people are almost always willing to trade security for convenience. I think part of my "OMG MUST HAVE" of the Blizzard keyfob is because I like the idea of being able to make my own decisions about <I>when</I> to trade security for convenience. This hasn't been forced on me by anybody, but it's there if I want it. It's definitely something I find appealing. Irony: I look at the RSA keyfobs and think “OMG MUST HAVE!”, even though I’m not the kind of person who downloads illegitimate software. Apparently I am that sort of geek.

The real trouble is going to come in when you have a dozen of these and need to know what goes with which. (And what do you store them in?) Of course, if they’re branded like the Blizzard one, that helps with identification, but for banks, it might be in their best interest not to identify the keyfob quite so obviously. But then you run into the trouble of customers who need that identification, because otherwise they’ll forget what the thing is for.

But then, I really don’t think it’s a good practice to design security software and protocols for the dumbest user out there — truly secure systems are going to require a level of sophistication to use, and in the end, people learn to deal with that. Actual housekeys haven’t always existed, and I’m sure there was a real fuss about it when they started becoming common (“What if I lose it?! Why should I need one of these? Won’t thieves realize my house has valuables in it if I take the trouble to lock it?”), but people dealt.

Of course, we live in a society where people are almost always willing to trade security for convenience. I think part of my “OMG MUST HAVE” of the Blizzard keyfob is because I like the idea of being able to make my own decisions about when to trade security for convenience. This hasn’t been forced on me by anybody, but it’s there if I want it. It’s definitely something I find appealing.

]]>