Channel 9 Forums - Coffeehouse - USB over password? did i just missed something?

Coffeehouse - USB over password? did i just missed something?

magicalclick — Fri, 18 Jan 2013 21:00:13 GMT

I thought it is common sense that USB is the last thing you want to touch in regards to security. And people actually trying to consolidate their password into a single attack surface on a USB device that can easily be cloned or modified or misplaced. On top of that, the famous power plant virus is USB based regardless how the system is build with high security protection. And not to mention it is also sounds a lot more reasonable to ask for new USB when it is physically misplaced, as a know some people tends to lost their keys a lot more than they forgot their password. I really don't know what is going on with these people.

Coffeehouse - USB over password? did i just missed something?

kettch — Fri, 18 Jan 2013 21:32:11 GMT

@magicalclick: Is there a link or some context to go with this? It sounds interesting, but I have no idea what you are talking about. USB device as an authentication device? Storing passwords on a USB drive?

Coffeehouse - USB over password? did i just missed something?

Duncan Mackenzie — Fri, 18 Jan 2013 22:10:14 GMT

There are a few products that do this... or can do this as an option: http://www.dobysoft.com/products/keypass/

Coffeehouse - USB over password? did i just missed something?

magicalclick — Fri, 18 Jan 2013 23:31:51 GMT

Here. http://www.engadget.com/2013/01/18/google-experiments-with-hardware-based-authentication/

Coffeehouse - USB over password? did i just missed something?

cheong — Sat, 19 Jan 2013 01:18:29 GMT

I remember there's already software for Mac like 10+ years ago that use bluetooth device (headset or mobile phone, etc.) to do that. When the device is not within range (disconnected) that screen will lock immediately. When that devicee is within range again the screen is automatically unlocked. With old bluetooth's receiving range this is pretty nice help for people who keep forgetting to lock their PC when not in use.

I suppose others can make similar application to work with RFID enabled staff cards.

Coffeehouse - USB over password? did i just missed something?

kettch — Sat, 19 Jan 2013 06:45:23 GMT

5 hours ago, cheong wrote
I suppose others can make similar application to work with RFID enabled staff cards.

Wasn't HP showing off something like that with the Spectre ONE and a phone? Or was it just with a tag. I'd prefer if I could tap my phone on an NFC sensor and then have the phone ask for a PIN before it let the PC unlock.

Coffeehouse - USB over password? did i just missed something?

cheong — Mon, 21 Jan 2013 02:49:52 GMT

Not exactly. I don't want to tap it. I wish it can unlock for me when I come near, so when my fingertips are on keyboard, it should be ready to work.

I think it could be done with the RFID technology like the one on passports.

Coffeehouse - USB over password? did i just missed something?

William Kempf — Tue, 22 Jan 2013 16:22:16 GMT

3 days ago, magicalclick wrote
I thought it is common sense that USB is the last thing you want to touch in regards to security. And people actually trying to consolidate their password into a single attack surface on a USB device that can easily be cloned or modified or misplaced. On top of that, the famous power plant virus is USB based regardless how the system is build with high security protection. And not to mention it is also sounds a lot more reasonable to ask for new USB when it is physically misplaced, as a know some people tends to lost their keys a lot more than they forgot their password. I really don't know what is going on with these people.

You didn't understand the article. It's not "USB over password", it's USB key + password. This is two factor authentication, and it's more secure than simple passwords. Hijacking/cloning the USB key isn't going to get the hackers anywhere, so that's simply not a concern.

Coffeehouse - USB over password? did i just missed something?

magicalclick — Tue, 22 Jan 2013 16:52:53 GMT

@wkempf: oh my bad, my title is a misrepresentation.

Coffeehouse - USB over password? did i just missed something?

William Kempf — Tue, 22 Jan 2013 18:07:25 GMT

1 hour ago, magicalclick wrote
@wkempf: oh my bad, my title is a misrepresentation.

It was more than the title. The entire post was full of comments like "trying to consolidate their password into a single attack surface" and "that can easily be cloned or modified or misplaced". That's not how these USB authentication devices work. They just take the "something I have" role in two factor authentication. Losing the device, having it stolen, or having it cloned are all non-issues, at least from a security perspective. If you lose the device you will have to replace it and update all programs/services that you authenticate to, which could be a hassle. But the end result is better security.