A Weekend of Data Transparency

Codeathon in progress

This past weekend, I had the privilege of traveling to New York City for The Wall Street Journal’s Data Transparency Weekend. This was a codeathon whose theme was the development of tools to allow people — ranging from journalists and technical professionals to ordinary users — to better understand how their data are collected and used in the course of using the Internet.

Passwords are bad, but security questions are worse

Everyone, by now, has run into those “security questions” – sets of questions you need to answer to set up an online account (or sometimes to continue using an existing one). They ask a number of questions that are supposed to identify you in the event that you forget your password or (less frequently) need to be contacted to confirm that some online activity isn’t fraudulent. The name “security questions” tends to imply that they improve the security of your account, but much of the time the opposite is true. It also points to another problem with the username/password infrastructure we have, and more generally with the use of shared secrets for authentication.

Identity Management: Not Necessarily a Privacy Tradeoff

Last Friday, The New York Times Bits blog carried an article entitled, “Identity Companies: Paid to Know About You.” The article discussed three companies in the identity management space, a social login provider and two enterprise identity management companies. The thesis of the article is best summed up by a statement in the second paragraph, “…online identity, which is actually about knowing about the person logging into a Web site, extracting information about them and then passing it on profitably.”

Will Passwords Die?

Cisco IP phone with password

Short answer: No.

Passwords, passphrases, codes, PINs: They’re everywhere. And in many cases they are good enough. Will we have biometric readers at ATMs? Someday, maybe. But for now a four-digit PIN provides sufficient security while maintaining usability.

I recently moved my IP phone into a shared phone room/recording studio at my coworking space. I didn’t want just anyone to pick up the phone and make free calls on OneID’s dime. While I trust the small community that shares the office space with me, I didn’t want just anyone to be able to answer my calls. They might not even know this is a private phone. So I configured the phone to require a password after it’s idle for a few minutes.

Why We’re Creating OneID

4:30 AM. I check out of the hotel. I booked the room online, paid in advance, and gave my company credit card at the front desk for incidentals. 5:00. I pull into a gas station, swipe my card, punch in the zip code, and top off the rental. 5:10. I spiral up the garage ramp and park the car. I’m handed a receipt from a wireless printer, “Thanks, Mr. Kelly. You’re all settled up.”

5:20. I swipe my personal credit card at the kiosk to retrieve my boarding pass. Ten minutes later I hand my state-issued driver’s license and boarding pass to the TSA agent. 5:40. I use my credit card to purchase breakfast. 6:00. The airline agent scans my ticket and I board the plane.

I’m flying back to DC after spending the week out west with the OneID team. When I land at Reagan National I’ll hop onto the Metro and swipe my SmarTrip card as I enter and exit the stations.

I don’t think twice about handing over my credit card or ID during any of these transactions. I’ve never made purchases from most of these vendors, but I’m comfortable sharing my name and credit card with them. The gas station hadn’t even opened yet—I couldn’t have paid in cash even if I wanted to.
