SQRL (Re: [SECURITY] Image, word, and password login)

[Ben Marsden <bmarsden () SMITH EDU>]

I hate passwords as an authentication tool...

and I side with the concept that biometrics assert identity, not
authorization....

So, is anyone else looking at SQRL as a possible implementation option?
 IMHO it's a pretty nice concept, but it's in the early stages of
development.

In a grossly oversimplified nutshell, it uses site-specific asymmetric key
pairs to identify / authenticate an individual with pretty minimal user
interaction -- seems both easy to use (user friendly) and robust (PEBKAC
averse + compromise resistant).

  *https://www.grc.com/sqrl/sqrl.htm <https://www.grc.com/sqrl/sqrl.htm>*
and
    *http://www.sqrl.pl/ <http://www.sqrl.pl/>*  -- for a more graphical
description of the process

 fwiw,  -- Ben
============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden () smith edu     (413) 585-4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!



On Fri, Dec 6, 2013 at 3:36 PM, Karl Bernard <karl.bernard () gmail com> wrote:

> A colleague mentioned this thread to me and I'm a consumer of this same
> technology (site authentication) at a couple of financial sites. Until
> today, I'd always thought it was pretty cool until I was trying to find
> the official name for this kind of thing and found some less than
> stellar articles and studies about using them:
> http://www.finextra.com/news/fullstory.aspx?newsitemid=16469
>
> http://security.stackexchange.com/questions/19155/effectiveness-of-security-images
>
> Karl Bernard
> UTHealth, Academic Health Center at Houston
>
>
>
> On Fri, Dec 6, 2013 at 1:18 PM, Joel L. Rosenblatt <joel () columbia edu>wrote:
>
> > Hi,
> >
> > I have an account at a vendor that uses a system like this - I picked
> > a picture and a word, and when you enter your account (before your
> > password) it takes you to a page that displays the picture and word
> > and prompts for the password
> >
> > It makes the login a 2 screen affair, which may bother some of your
> > users who think that everything has to be done in subsecond time.
> >
> > Our web login to our mail system displays
> >
> > Greetings, Joel Rosenblatt (or your own name :-)
> >
> > after you type in your account, but before you type in your password -
> > similar idea, but less pages and it doesn't require the user to do
> > anything except recognize their name :-)
> >
> > Good luck!
> > Joel
> >
> >
> > Joel Rosenblatt, Director Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033<%20212%20854%203033>
> > http://www.columbia.edu/~joel
> > Public PGP key
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> >
> >
> > On Fri, Dec 6, 2013 at 2:08 PM, Derek Diget
> > <derek.diget+educause-security () wmich edu> wrote:
> > > We are thinking about creating a login process where user's pick a
> > picture
> > > and/or word before getting a password entry box.[1]  The main driver is
> > to
> > > prevent phishers from copying our "static" login pages.
> > >
> > > The process would go something like....
> > >
> > > 0) Training, Training, Training...and other carbon based life form user
> > > issues...... :)
> > >
> > > 1) User gets to our login page
> > > 2) User enters login ID
> > > 3) login process retrieves user's picture and word choice
> > > 4) login process displays user's picture with 8 (or 11) others randomly
> > > 5) User selects their picture
> > > 6) If correct, login process displays user's word with 8 (or 11) others
> > > 7) If correct, login process give user a password text box to finish
> > > authenticating.
> > >
> > > (Yes, a phisher could duplicate the pictures and words and disregard
> > what
> > > the user picks...so the user would always get to the password box, but
> > our
> > > current thoughts is that it would take to much "work" for them to
> > duplicate
> > > this new login process and there are other easier fish in the sea to
> > phish.
> > > :)
> > >
> > > I have two questions to the group....
> > >
> > > 1) Is there an industry term for this type of authentication process?
> > (It
> > > kind of is two-factor, but we want to avoid using that term as most
> > people
> > > think of two-factor having a physical component...token card, key fob,
> > > phone, etc).
> > >
> > > 2) Does anyone know of any research on a multi-step authentication
> > process
> > > like this?  Be it usability issues, increased security, etc.
> > >
> > >
> > >
> > > Note 1: We vet the user.  As part of the process of setting a password,
> > they
> > > also pick a picture out of ~12 (with a library of 100+) choices and
> > store
> > > their choice.  They then pick a word out of ~12 (with a library of 100
> > or so
> > > words) and store their choice.  Then they finish setting a password.
> > >
> > > --
> > > ***********************************************************************
> > > Derek Diget                            Office of Information Technology
> > > Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
> > > ***********************************************************************