[Cryptography] Clever physical 2nd-factor authentication

Natanael natanael.l at gmail.com
Wed Apr 2 20:14:32 EDT 2014


On 3 Apr 2014 01:42, "Joseph Ashwood" <ashwood at msn.com> wrote:
>
> -----Original Message----- From: Jerry Leichter
> Subject: [Cryptography] Clever physical 2nd-factor authentication
>
>> http://passwindow.com/
>
>
> Since it doesn't seem to have been broken yet, I'll go ahead and do that
> right now.
>
> It is a linear collection of 8-segment displays with certain segments
> already activated and printed on the card. So shorten the process further,
> each of the middle displays shares the left and right segments (2 per side)
> and the end displays share one side each (2 segments).

[...]

There are transparent displays. Couldn't you make this into an OTP card by
changing the mask every time?

Just being a mask rather than allowing inversion limits possible entropy
per pixel, but with enough pixels you can do just fine by using visual
cryptography (we don't need XOR where we are going!);

https://en.wikipedia.org/wiki/Visual_cryptography

The GIF example clearly shows how one transparent sheet with one share held
over another share can make any pattern you wish visible and readable,
while the individual shares (the image on the computer and the mask on the
device) separately reveal nothing.

Alignment would be annoying (or frustrating), though.

---

Usefulness of this scheme? Maybe that over-the-phone I-lost-my-token
phishing scams get harder for the scammers, no code to read over the phone
for them to enter.

Still doesn't block ones where the target can be talked over into
cooperating, but since the server can display any graphics it wants to the
user which can't be tampered with (or else the user can't read the OTP
code!), the server can display all the details about the current action. So
even if the computer is remote controlled and the rest of the screen is
displaying fake info, the target might be alerted and cancel the whole
thing.

Although we all know how well average users respond to warnings. Just see
the responses to the recent Windows XP end-of-life alerts.
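
Added example, not part of the original post: a minimal (2,2) visual-cryptography scheme in Python showing how a random card mask and a server-generated screen share combine by OR (no XOR) into a readable glyph, and what a reused mask leaks. The glyphs, the function names and the two-subpixel expansion are assumptions chosen for illustration.

```python
import secrets

# Constructed 5x3 glyphs for illustration: "1" = dark secret pixel, "0" = light.
GLYPH_7 = ["111", "001", "010", "010", "010"]
GLYPH_1 = ["010", "110", "010", "010", "111"]
PATTERNS = ((1, 0), (0, 1))  # every share pixel is one dark + one clear subpixel


def make_card(rows, cols):
    """Card mask: one uniformly random subpixel pair per secret pixel."""
    return [[secrets.choice(PATTERNS) for _ in range(cols)] for _ in range(rows)]


def make_screen(card, secret):
    """Screen share: copy the card's pair for a light pixel, complement it for dark."""
    return [[pair if bit == "0" else (1 - pair[0], 1 - pair[1])
             for pair, bit in zip(card_row, secret_row)]
            for card_row, secret_row in zip(card, secret)]


def overlay(card, screen):
    """Stacking two transparencies is a subpixel-wise OR: dark always wins."""
    return [[(a[0] | b[0], a[1] | b[1]) for a, b in zip(card_row, screen_row)]
            for card_row, screen_row in zip(card, screen)]


def decode(stacked):
    """Fully dark pair reads as a dark pixel, half-dark pair as a light one."""
    return ["".join("1" if sum(p) == 2 else "0" for p in row) for row in stacked]


def reuse_leak(screen_a, screen_b):
    """With a reused card, two screens differ exactly where the secrets differ."""
    return ["".join("1" if a != b else "0" for a, b in zip(row_a, row_b))
            for row_a, row_b in zip(screen_a, screen_b)]


def render(share):
    return "\n".join("".join("#" if s else "." for p in row for s in p) for row in share)


if __name__ == "__main__":
    card = make_card(5, 3)  # a fresh mask per login is what makes this a one-time pad
    screen = make_screen(card, GLYPH_7)
    for name, share in (("card", card), ("screen", screen),
                        ("stacked", overlay(card, screen))):
        print(name, render(share), sep="\n", end="\n\n")
    print("leak on mask reuse:", reuse_leak(screen, make_screen(card, GLYPH_1)))
```

Each share on its own is half dark in every pixel regardless of the secret, which is why the mask has to change per use: the difference between two screen images shown against the same mask marks the pixels where the two codes differ.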