
Secure ID for SL

Toneless Tomba
(Insert Witty Title Here)
Join date: 13 Oct 2004
Posts: 241
06-26-2008 12:24
A friend of mine told me that WoW is enabling this Blizzard Authenticator as an option to further secure logins. It's a USB device that provides extra security for your logins. Can it be hacked? Probably. But it's another hoop that someone would have to go through than just a login and password. If it were optional I'd probably get one. What do you guys think?
_____________________


Marianne McCann
Feted Inner Child
Join date: 23 Feb 2006
Posts: 7,145
06-26-2008 12:28
Ugg... I had to use SecurID a long, long time ago at a major commercial online service far away. It wasn't USB at that point - all numbers were entered manually. I so so didn't like having to have dat darn ting with me all the time.
_____________________


"There's nothing objectionable nor illegal in having a child-like avatar in itself and we must assume innocence until proof of the contrary." - Lewis PR Linden
"If you find children offensive, you're gonna have trouble in this world :)" - Prospero Linden
DaQbet Kish
cautiously reckless
Join date: 22 Jan 2007
Posts: 1,064
06-26-2008 12:43
I am so ready for a chip implant or some universal biometric scanner device thingie. I have to remember more than a dozen passwords and to some things that I seldom log into. And I swear Chase makes me reset my password and security question once a week.
What's my favorite middle school teacher's mother-in-law's pet's name? :confused:
_____________________
Desmond Shang
Guvnah of Caledon
Join date: 14 Mar 2005
Posts: 5,250
06-26-2008 14:31
I would get one of those right away.

Brilliant idea!
_____________________

Steampunk Victorian, Well-Mannered Caledon!
Destiny Niles
Registered User
Join date: 23 Aug 2006
Posts: 949
06-26-2008 14:36
Cool. A new way to ground the kids. Take the key from them :)
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-26-2008 14:46
Great something else for a certain WoW er to lord over all of us :rolleyes:
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Ceera Murakami
Texture Artist / Builder
Join date: 9 Sep 2005
Posts: 7,750
06-26-2008 14:57
It isn't a USB gadget. It's a keychain tag with a button and an LCD display. You enter your password followed by the 6-digit number that the key tag is displaying at that moment. Each tag is unique, and displays a different number, so someone else with the same system's tag isn't seeing the same number that you are. PayPal now offers a similar service.

I use SecurID for my RL work. It's a great way to prevent someone from using a stolen password to hack access to an account, since they need the account ID, the password, AND the hardware key to produce the correct six-digit code for that particular 30-second moment in time. It's pretty much impossible to hack what a given user's 6-digit code will be, as it changes every 30 seconds. You need that account's hardware "key" to get the number.

There is also a software version of SecurID, that generates the same sort of numbers. But it generates the numbers in such a way as to ensure they are unique for the user and account they are associated with. Had that on my work laptop for a while, so I didn't have to carry the key tag.

Can it be defeated? Possibly, but not by the average script-kiddy hacker.
_____________________
Sorry, LL won't let me tell you where I sell my textures and where I offer my services as a sim builder. Ask me in-world.
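Added example, not code from this thread and not RSA's SecurID algorithm (which is proprietary): the open-standard equivalent of the 30-second, 6-digit codes described in the post above is RFC 6238 TOTP, built on RFC 4226 HOTP. The secret below is the RFCs' published test key and is used only so the outputs can be checked against the RFCs; the verifier class, its skew window and its one-login-per-slot rule are this example's own design.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot.
    Every second inside one slot yields the same code; the next slot differs."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check (this example's design). Accepts the current slot
    plus/minus `skew` slots for clock drift, and never accepts a slot it has
    already accepted, so a keylogged code is dead once the real login used it
    or once its slot has passed. The shared secret lives only on the server
    and in the token; the codes are HMAC outputs and do not reveal it."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_accepted_slot = -1

    def verify(self, code: str, now: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for slot in range(current - self.skew, current + self.skew + 1):
            if slot <= self.last_accepted_slot:
                continue  # replay protection: each slot is good for one login only
            if hmac.compare_digest(hotp(self.secret, slot, self.digits), code):
                self.last_accepted_slot = slot
                return True
        return False


# Constructed demo input: the RFC 4226 / RFC 6238 test key (never a fixed key in real use)
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET, t))  # 287082, 081804, 005924 (RFC 6238 vectors, 6 digits)
    v = TotpVerifier(DEMO_SECRET)
    captured = totp(DEMO_SECRET, 59)
    print(v.verify(captured, 59), v.verify(captured, 61), v.verify(captured, 200))  # True False False
```

The point the post makes about keyloggers falls out of the structure: a captured code is a truncated HMAC, so it cannot be run backwards into the secret, and the verifier's `last_accepted_slot` means the legitimate login consumes the slot before a relayed copy can use it.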
Anthony Hocken
Registered User
Join date: 16 Apr 2006
Posts: 121
06-26-2008 17:46
I'd like to see the YubiKey adopted by Second Life.

It's a super tiny USB security dongle which you plug into your computer to add a second factor of authentication when logging in (i.e. something you own to go with something you know). It's like the Paypal dongle, only you don't manually type in the numbers. In fact there's no display at all which is why it's so tiny. Instead, you plug it in and press a single button on the dongle and it does the job for you. You don't even need software to handle it, so it works on Windows, Mac and Linux right off the bat.

It's quite neat how it achieves that. It pretends to be a regular USB keyboard (genius!) and when the passkey is required you simply put the focus on the edit box (eg on the secondlife.com website or the SL viewer software) and press a button on the dongle, then a secure code gets squirted across by quickly emulating the keystrokes needed. And because the passkey can contain more characters, given that you don't type it manually, it's much more secure than the big clumsy Paypal dongle. The passkey would then get sent to the server at Linden Labs which verifies that it's the expected physical dongle being used at the current moment in time (all that info gets encrypted into the key before it leaves the dongle).

It's quite new and in the early stages of adoption, but I believe they're being produced now in quantity. It's a free open security platform that Linden Labs could integrate into their servers without relying on any third-party security servers like Verisign. Users buy the usb dongle itself and that's it, which presumably would be purchased by Linden Labs in bulk and made available for sale on the account page on secondlife.com. There's no software fees for users or Linden Labs.

One of Steve Gibson's security podcasts covered it in detail a few weeks ago for those interested. Steve got quite excited about it. He interviewed the creator of Yubikey too.
http://www.grc.com/securitynow.htm (episode #143)

Here's the page about it.
http://www.yubico.com/products/yubikey/

EDIT: I've stuck this on the JIRA if anyone wants to vote for it:
https://jira.secondlife.com/browse/SVC-2576
_____________________
Solomon Devoix
Used Register
Join date: 22 Aug 2006
Posts: 496
06-26-2008 17:53
So, if you lose your physical key, you can't get in, eh? Hmmm...
_____________________
From: Jake Black
I don't know what the actual answer is.. I just know LLs response was at best...flaccid.
From: Solomon Devoix
That's a very good way to put it, and now I know why we still haven't seen the promised blog entry...

...the Lindens are still waiting for their shipment of Lie-agra to come in to firm up their flaccid reasoning.
Anthony Hocken
Registered User
Join date: 16 Apr 2006
Posts: 121
06-26-2008 18:27
From: Solomon Devoix
So, if you lose your physical key, you can't get in, eh? Hmmm...


There's always a backup. For example here's how Paypal does it:

From: someone

What if I lose or break my Security Key?

You can still log in to your PayPal account if you lose or break your Security Key, or if you don’t have it in your possession. Before you can log in, we’ll ask you several security questions. After you answer these questions correctly, we’ll call one of the phone numbers you’ve registered to your PayPal account to verify your identity. Then you will be able to log in.
_____________________
Bree Giffen
♥♣♦♠ Furrtune Hunter ♠♦♣♥
Join date: 22 Jun 2006
Posts: 2,715
06-26-2008 20:16
So does this give us some kind of adult verification too?
_____________________
MortVent Charron
Can haz cuddles now?
Join date: 21 Sep 2007
Posts: 1,942
06-26-2008 20:20
nope, no real adult verification.

Since George can set up the account to let Junior use it.

Or Junior can still acquire the information to use George's identity to set up the account


Implants and high grade biometrics are the only sure fire way to prove who sets up the account and used it, if they are linked to a national id database
_____________________
==========================================

Bippity boppity boo! I'm stalking you!

9 out of 10 voices in my head don't like you... the 10th went to get the ammo
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
06-26-2008 21:01
From: MortVent Charron
Implants and high grade biometrics are the only sure fire way to prove who sets up the account and used it, if they are linked to a national id database

Meh.

The problem with the logic presented in this thread is, when it's transferred over the wire, it's still just data.


All that'll end up happening is keyloggers will move to snarfing "SecureID" data, then emulating the whole thing in software. Worse -- you won't be able to "just change your password" then. Ditto for biometrics.


As for a national ID database, I'd much rather have open access instead of tying my information to my ISP or mandating the rollout of ineffective protection. Because both methods can still be easily broken.


As for an effective method, I'd much rather roll out education on not getting infected in the first place. It's really not that hard.
_____________________
---
Anthony Hocken
Registered User
Join date: 16 Apr 2006
Posts: 121
06-27-2008 03:09
From: Jeffrey Gomez
Meh.

The problem with the logic presented in this thread is, when it's transferred over the wire, it's still just data.



There's no problem with the logic. It's to add an extra factor of security. It's not claiming to bullet proof things. But it does make things way harder for the average hacker. Yes it could be sniffed if a computer or network gets compromised, but it would (at least with YubiKey or Paypal anyway) become invalid after a few seconds have elapsed anyway, so unless it's made use of within seconds it's useless to a hacker.

The only way a hacker would be able to log in would be to either 1) steal your physical security device (and obtain your username and password too), or 2) plant a trojan on your computer that relays the passcode to a client on the hacker's system (and logs in) in real-time, or 3) sniff wifi/network traffic (assuming for some mad reason it was sent in clear text). This narrows the window of opportunity quite a lot!

The trojan would have to wait for the victim to press the button on the YubiKey for a new passcode to be generated - there would be no way to trigger one using software on the computer. That means a hacker can only log in as the victim within a few seconds of the victim actively trying to log in themselves! Not only would the window of opportunity drive a hacker up the wall but the server could look out for that kind of thing - If a user tries to login twice within a few seconds, using a different IP address, then it logs both out and informs there may have been a security breach. This could be sidestepped by logging in via a special trojan on the victim's computer, or a man-in-the-middle network attack, but at this point you have to ask, who in the world is trying to hack you! I'm sure with that skill there are more lucrative activities for them.

One thing for sure is that adding a second factor of authentication is definitely worthwhile.
_____________________
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
06-27-2008 04:34
From: Anthony Hocken
The only way a hacker would be able to log in would be to either 1) steal your physical security device (and obtain your username and password too), or 2) plant a trojan on your computer that relays the passcode to a client on the hacker's system (and logs in) in real-time, or 3) sniff-wifi/network traffic (assuming for some mad reason it was sent in clear text). This narrows the window of opportunity quite alot!

Or 4) steal the private key that fuels the PRNG, either by phish, by man-in-the-middle, or by rooting the box and attacking the hardware. Then generate as many logins as the attacker pleases.


While I disagree that this is making things any safer in the long term, I'll agree that *choice* is a good thing. In that sense, physical keys (and for that matter, RSA public/private pairs, which form portions of my network of trust) are handy to have around.

The part that concerns me is the false sense of security that these objects instill in their users. Realistically, you're looking at a short term boost in security, followed by a longer term decline due to standardization and people believing themselves immune.


To which the better answer is still preventing your box from being rooted in the first place. ;)


PS: Because I use an LCD monitor, that sig of yours did make me think I had an ant on my screen for a split second. Good job. :P
_____________________
---
Vampaerus Wysznik
bad lurker
Join date: 12 Apr 2008
Posts: 1,011
06-27-2008 07:11
IMO it looks like a great way for Bliz to milk another $6.50 per sucker out of the biggest cash cow ever invented.

"roflcopter"

I'd rather LL work on stable servers before devoting time to implement extra client security widgets. What good is that if server RC 1.22bbq rolls out with a hole in the login? The most secure client in the world won't help if the server spews.
_____________________
Small scale web hosting for your SL or RL. Payable monthly in L$.
Ceera Murakami
Texture Artist / Builder
Join date: 9 Sep 2005
Posts: 7,750
06-27-2008 09:16
From: Jeffrey Gomez
All that'll end up happening is keyloggers will move to snarfing "SecureID" data, then emulating the whole thing in software. Worse -- you won't be able to "just change your password" then.
No, you can still change your password whenever you like. But with these systems, what you type in for the password is your password followed by that moment's 6-digit code. A keylogger will only get you access if you were able to use the logged password-plus-code in the 30 seconds or less after capture. Which means SL wouldn't let you do it unless that user that you captured managed to crash in that same 30 seconds, since you can't log in for two concurrent sessions on SL as the same user.

Capturing the ever-changing codes over a long period of time still won't get you a way to emulate the key generation in software. The algorithm and the private key that generates it are not part of the six digits that you keylogged. It's hard-wired into the key tag.
_____________________
Sorry, LL won't let me tell you where I sell my textures and where I offer my services as a sim builder. Ask me in-world.
sable Valentine
AU United
Join date: 30 Apr 2006
Posts: 1,275
06-27-2008 09:22
Sooner or later we're going to need a password and SecurID code just to breathe
Anthony Hocken
Registered User
Join date: 16 Apr 2006
Posts: 121
06-27-2008 10:33
From: Jeffrey Gomez
Or 4) steal the private key that fuels the PRNG


Steal the private key from who? The user can't get access to it - it's embedded into the device, and if the server is compromised then all bets are off anyway.

From: sable Valentine
Sooner or later we're going to need a password and SecurID code just to breathe


Umm, you'll need your password and SecurID to post that comment. Sorry!
_____________________
Vampaerus Wysznik
bad lurker
Join date: 12 Apr 2008
Posts: 1,011
06-27-2008 11:04
From: Ceera Murakami
Which means SL wouldn't let you do it unless that user that you captured managed to crash in that same 30 seconds, since you can't log in for two concurrent sesions on SL as the same user.
But doesn't SL boot the FIRST login when the second one arrives?

Plus there are trojans that can take over your whole machine including mouse and keys. So if you got infected by the wrong thing and somebody knew it, they could wait till you log in, hijack your machine and use YOUR session to quickly change your password.

Much like RL security is more peace of mind than real bite. Not much point in putting a heavy deadbolt on your front door if the hinges are held on with duct tape.
_____________________
Small scale web hosting for your SL or RL. Payable monthly in L$.
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
06-27-2008 12:36
I could see using this if you were handling Top Secret Military documents or something. It seems a whole lotta overkill for a game like WoW or SL. What's next, The Club for your PS3 game controller? :D
_____________________
Johan Durant
Registered User
Join date: 7 Aug 2006
Posts: 1,657
06-27-2008 12:58
From: Jeffrey Gomez
Worse -- you won't be able to "just change your password" then. Ditto for biometrics.


This is a major issue. Unless the distribution system for these ID keys is unbelievably good (as in you put in a request for a new key, and within a day it's in your hands; the only company I've ever seen come close to this kind of distribution system is Netflix) it would be a huge hassle if you ever were hacked.
_____________________
(Aelin 184,194,22)

The Motion Merchant - an animation store specializing in two-person interactions
Anthony Hocken
Registered User
Join date: 16 Apr 2006
Posts: 121
06-27-2008 13:37
From: Darien Caldwell
I could see using this if you were handling Top Secret Military documents or something. It seems a whole lotta overkill for a game like WoW or SL. What's next, The Club for your PS3 game controller? :D


I've been trying to find something useful to use a Yubikey for for weeks. Don't spoil the dream lol

But seriously though. An SL account is just as important to some as a Paypal account. Quite a few have a lot invested in SL. Not just the balance but their products/projects, other inventory stuff and in-world objects/venues. Harder (and much more time consuming!) to replace than the contents of a Paypal account.

Plus never underestimate the Mission Impossible feeling. SL should have an option which plays the MI theme at the login prompt.
_____________________
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
06-27-2008 13:52
From: Vampaerus Wysznik
..... Not much point in putting a heavy deadbolt on your front door if the hinges are held on with duct tape.
/me quietly paints over the duct tape on her door as she ensures that her deadbolt is secure.
:D
_____________________
♥♥♥
-Lil

Why do you sit there looking like an envelope without any address on it?
~Mark Twain~

Optimism is denial, so face the facts and move on.
♥♥♥
Lil's Yard Sale / Inventory Cleanout: http://slurl.com/secondlife/Triggerfish/52/27/22
.
http://www.flickr.com/photos/littleme_jewell
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
06-27-2008 15:41
From: Bree Giffen
So does this give us some kind of adult verification too?


Only in the way kids can't use the car if you don't leave the keys out for them to use.
_____________________
Level 38 Builder [Roo Clan]

Free Waterside & Roadside Vehicle Rez Platform, Desire (88, 17, 107)

Avatars & Roadside Seaview shops and vendorspace for rent, $2.00/prim/week, Desire (175,48,107)