Security of Mac Keychain, Filevault
Jerry Leichter
leichter at lrw.com
Tue Nov 3 21:07:08 EST 2009
On Nov 2, 2009, at 10:25 PM, Taral wrote:
>
>> The trend is for this to get worse, with
>> network-wide shared authentication via OpenID or whatever other
>> standard catches on.
>
> Not to derail this, but OpenID is flexible enough to permit
> fine-grained authentication as well as non-password-based
> authentication (e.g. smart card) and multi-factor authentication.
That's fine, but how much does it help? Anything you can access,
you'll want to access using your smartphone. In fact, there's already
a push to access some high-value things - like bank accounts - more
through smartphones than through more traditional means. So, yes, you
can have granular access, but if you end up really wanting to put the
high-value "grains" on your smartphone, it doesn't help.

Smart*cards* aren't much help here - if you leave them in the phone,
then a stolen phone means a stolen smartcard. Having to reach into
your wallet to get a smartcard to swipe on your phone is a
non-starter. You need a better interface - something like the Bluetooth
connection I suggested.

Multi-factor doesn't, in and of itself, help much. "Something I know"
can't have much entropy if I need to enter it every time I unlock the
phone. "Something I am" - well, maybe a fingerprint sensor might
help, but all such technologies have well-known issues. "Something I
have" - that's the only one that can help all that much, *if* you get
the UI right.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com