[145028] in cryptography@c2.net mail archive
re: Security of Mac Keychain, Filevault
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Fri Nov 6 10:47:57 2009
From: Jerry Leichter <leichter@lrw.com>
To: Cryptography List <cryptography@metzdowd.com>
Date: Tue, 3 Nov 2009 21:07:08 -0500
On Nov 2, 2009, at 10:25 PM, Taral wrote:
>
>> The trend is for this to get worse, with
>> network-wide shared authentication via OpenID or whatever other
>> standard
>> catches on.
>
> Not to derail this, but OpenID is flexible enough to permit
> fine-grained authentication as well as non-password-based
> authentication (e.g. smart card) and multi-factor authentication.

That's fine, but how much does it help? Anything you can access,
you'll want to access using your smartphone. In fact, there's already
a push to access some high-value things - like bank accounts - more
through smartphones than through more traditional means. So, yes, you
can have granular access, but if you end up really wanting to put the
high-value "grains" on your smartphone, it doesn't help.

Smart*cards* aren't much help here - if you leave them in the phone,
then a stolen phone means a stolen smartcard. Having to reach into
your wallet to get a smartcard to swipe on your phone is a
non-starter. You need a better interface - something like the Bluetooth
connection I suggested.

Multi-factor doesn't, in and of itself, help much. "Something I know"
can't have much entropy if I need to enter it every time I unlock the
phone. "Something I am" - well, maybe a fingerprint sensor might
help, but all such technologies have well-known issues. "Something I
have" - that's the only one that can help all that much, *if* you get
the UI right.

-- Jerry