Security of Mac Keychain, Filevault

Jerry Leichter leichter at
Tue Nov 3 21:07:08 EST 2009

On Nov 2, 2009, at 10:25 PM, Taral wrote:
>> The trend is for this to get worse, with
>> network-wide shared authentication via OpenID or whatever other standard
>> catches on.
> Not to derail this, but OpenID is flexible enough to permit
> fine-grained authentication as well as non-password-based
> authentication (e.g. smart card) and multi-factor authentication.
That's fine, but how much does it help?  Anything you can access,  
you'll want to access using your smartphone.  In fact, there's already  
a push to access some high-value things - like bank accounts - more  
through smartphones than through more traditional means.  So, yes, you  
can have granular access, but if you end up really wanting to put the  
high-value "grains" on your smartphone, it doesn't help.

Smart*cards* aren't much help here - if you leave them in the phone,
then a stolen phone means a stolen smartcard.  Having to reach into
your wallet to get a smartcard to swipe on your phone is a
non-starter.  You need a better interface - something like the Bluetooth
connection I suggested.

Multi-factor doesn't, in and of itself, help much.  "Something I know"  
can't have much entropy if I need to enter it every time I unlock the  
phone.  "Something I am" - well, maybe a fingerprint sensor might  
help, but all such technologies have well-known issues.  "Something I  
have" - that's the only one that can help all that much, *if* you get  
the UI right.

                                                                -- Jerry

The Cryptography Mailing List