Educause Security Discussion mailing list archives
Re: SQRL (Re: [SECURITY] Image, word, and password login)
From: "Clouse, Michael J" <clousemj () COFC EDU>
Date: Mon, 9 Dec 2013 14:01:59 +0000
SQRL looks promising. I like the concept quite a bit (and have listened to Steve Gibson for a long time). I can't wait to see some implementations of this and of course some real-world testing.

________________________________
Michael Clouse
Security, Identity & Access Management, IT
843-953-8207 or clousemj () cofc edu
College of Charleston
Protect your Identity - Learn about Phishing! http://it.cofc.edu/security/phishing/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Marsden
Sent: Friday, December 06, 2013 4:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SQRL (Re: [SECURITY] Image, word, and password login)

I hate passwords as an authentication tool... and I side with the concept that biometrics assert identity, not authorization....

So, is anyone else looking at SQRL as a possible implementation option? IMHO it's a pretty nice concept, but it's in the early stages of development. In a grossly oversimplified nutshell, it uses site-specific asymmetric key pairs to identify / authenticate an individual with pretty minimal user interaction -- seems both easy to use (user friendly) and robust (PEBKAC averse + compromise resistant).

https://www.grc.com/sqrl/sqrl.htm
and http://www.sqrl.pl/ -- for a more graphical description of the process

fwiw,
-- Ben
============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden () smith edu (413) 585-4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!
On Fri, Dec 6, 2013 at 3:36 PM, Karl Bernard <karl.bernard () gmail com> wrote:

A colleague mentioned this thread to me and I'm a consumer of this same technology (site authentication) at a couple of financial sites. Until today, I'd always thought it was pretty cool until I was trying to find the official name for this kind of thing and found some less than stellar articles and studies about using them:

http://www.finextra.com/news/fullstory.aspx?newsitemid=16469
http://security.stackexchange.com/questions/19155/effectiveness-of-security-images

Karl Bernard
UTHealth, Academic Health Center at Houston

On Fri, Dec 6, 2013 at 1:18 PM, Joel L. Rosenblatt <joel () columbia edu> wrote:

Hi,

I have an account at a vendor that uses a system like this - I picked a picture and a word, and when you enter your account (before your password) it takes you to a page that displays the picture and word and prompts for the password. It makes the login a 2 screen affair, which may bother some of your users who think that everything has to be done in subsecond time.

Our web login to our mail system displays "Greetings, Joel Rosenblatt" (or your own name :-) after you type in your account, but before you type in your password - similar idea, but fewer pages and it doesn't require the user to do anything except recognize their name :-)

Good luck!
Joel

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

On Fri, Dec 6, 2013 at 2:08 PM, Derek Diget <derek.diget+educause-security () wmich edu> wrote:
We are thinking about creating a login process where users pick a picture and/or word before getting a password entry box.[1] The main driver is to prevent phishers from copying our "static" login pages. The process would go something like....

0) Training, Training, Training...and other carbon based life form user issues...... :)
1) User gets to our login page
2) User enters login ID
3) Login process retrieves user's picture and word choice
4) Login process displays user's picture with 8 (or 11) others randomly
5) User selects their picture
6) If correct, login process displays user's word with 8 (or 11) others
7) If correct, login process gives user a password text box to finish authenticating.

(Yes, a phisher could duplicate the pictures and words and disregard what the user picks...so the user would always get to the password box, but our current thought is that it would take too much "work" for them to duplicate this new login process and there are other easier fish in the sea to phish. :)

I have two questions to the group....

1) Is there an industry term for this type of authentication process? (It kind of is two-factor, but we want to avoid using that term as most people think of two-factor having a physical component...token card, key fob, phone, etc).
2) Does anyone know of any research on a multi-step authentication process like this? Be it usability issues, increased security, etc.

Note 1: We vet the user. As part of the process of setting a password, they also pick a picture out of ~12 (with a library of 100+) choices and store their choice. They then pick a word out of ~12 (with a library of 100 or so words) and store their choice. Then they finish setting a password.

--
***********************************************************************
Derek Diget
Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
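The site-specific key pair idea Ben Marsden describes above, as an added example that is my own illustration and not SQRL's specification or any project's code: a per-site Ed25519 seed is derived with HMAC-SHA256 from a master key and the site's domain, and the client proves possession by signing a server nonce bound to that domain. The domains and the master-key string are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SiteKey derives a site-specific Ed25519 key pair: the 32-byte output of
// HMAC-SHA256(master, domain) is used directly as the Ed25519 seed, so one
// master key yields a different, unlinkable identity at every site.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // Sum is exactly ed25519.SeedSize bytes
	return priv.Public().(ed25519.PublicKey), priv
}

// NewChallenge is the server side: one fresh random nonce per login attempt.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// loginMessage binds the nonce to the domain it was issued for, so a signature
// obtained at one site is not valid at another.
func loginMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Respond is the client side: derive the key for the domain shown in the
// challenge and sign the bound message with it.
func Respond(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKey(master, domain)
	return pub, ed25519.Sign(priv, loginMessage(domain, nonce))
}

// Verify is the server side: the presented key must be the one enrolled for
// the account, and the signature must cover this server's own domain and nonce.
func Verify(enrolled, pub ed25519.PublicKey, domain string, nonce, sig []byte) bool {
	return hmac.Equal(enrolled, pub) && ed25519.Verify(pub, loginMessage(domain, nonce), sig)
}

func main() {
	master := sha256.Sum256([]byte("constructed master key for the demo"))
	enrolled, _ := SiteKey(master[:], "example.edu") // stored by the site at enrollment
	nonce, _ := NewChallenge()
	pub, sig := Respond(master[:], "example.edu", nonce)
	other, _ := SiteKey(master[:], "other.example")
	fmt.Println("login ok:", Verify(enrolled, pub, "example.edu", nonce, sig),
		"unlinkable across sites:", !hmac.Equal(enrolled, other))
}
```

Because the server only ever stores the per-site public key, a breach of one site exposes nothing usable at another and nothing that lets the site impersonate the user elsewhere.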
Current thread:
- SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ryan Hiebert (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Mclaughlin, Kevin (mclaugkl) (Dec 06)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ryan Hiebert (Dec 07)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Clouse, Michael J (Dec 09)
- Re: SQRL (Re: [SECURITY] Image, word, and password login) Ben Marsden (Dec 06)