Microsoft doesn't want passwords for Longhorn
mc0282:
http://news.softpedia.com/news/Microsoft-doesn-t-want-passwords-for-Longhorn.shtml
the news is a bit old..
15 March 2005
I searched the forum to see if it was posted already but nothing showed up..
so if there is such news, accept my apologies.
" Microsoft's Trustworthy Computing"
just those 3 words give me chills...
Orethrius:
--- Quote ---The authentication device is dependent on two factors, the user having to provide two authentication elements: the token and the PIN.
--- End quote ---
Define the difference between a "trusted device"/token and a password/PIN. I defy you to tell me a PIN is not a password, and vice-versa. If they TRULY mean they're dumping passwords in favor of alternate authentication, then I can't help but see a whole new world of insecurity, as people start using fingerprint scanners (subject to rather simple bypasses with Jell-O, a drinking glass, and a confectioner's oven) and makeshift USB dongles (rather trivial to copy to an image these days) to "secure" their systems. Removing passwords is not just a BAD idea, it's completely ignorant of sophisticated (and even MacGyver-esque) bypass methods. On second thought, let's let Microsoft do this, and continue securing our systems with third-party utilities. :D
Calum:
i saw an ibm thinkpad advert the other day where the laptop has a built in thumbprint scanner, their spin of course was not having to remember your password anymore.
mc0282:
--- Quote from: Calum ---i saw an ibm thinkpad advert the other day where the laptop has a built in thumbprint scanner, their spin of course was not having to remember your password anymore.
--- End quote ---
interesting... how about if you want to sell your laptop?
muzzy:
Passwords suck, and it's good to get rid of them. However, don't be fooled into thinking that you wouldn't have to remember anything anymore.
The two-factor authentication is more secure than a plain password, because you need to have a physical device to authenticate. The idea is that you need to have something, and you need to know something. The smart card is this something you have, and the PIN/password is something you know. The password, however, would not be system specific, but rather specific to the card. This way you only have to remember one password, yet the system you authenticate against won't see your PIN, only the immediate system where you're typing it will see it.
So, you wouldn't want to type it on public terminals, eh? Perhaps not, perhaps you would. While the hardware could be bugged or hidden cameras installed, TCPA should make it pretty tough to trojanize these systems in a fashion that would let anything in the system see the PIN except the security system that's responsible for it. At least, as long as users are educated to not type their PIN everywhere where it's asked. Evil backdoor apps could still try to spoof the authentic-looking PIN query form, but there are ways to solve this, such as having a statusline at the bottom of the screen always visible which tells if you're in secure IO mode or not.
Moving to a two-factor authentication scheme won't solve all the problems regarding authentication, but it's a damn good thing anyway, and a step in the right direction. You can be sure Linux and other *nix systems will follow once Microsoft shows how to do it :)
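The card-plus-PIN flow described in the post above, as an added sketch that is not part of the original thread: the PIN is checked on the simulated card, and the remote system only sees a nonce and the response to it. The names `Token`, `Server` and `login` are hypothetical, and a shared HMAC key stands in for the private key a real smart card would normally hold, to keep the example to the standard library.

```python
import hashlib
import hmac
import secrets


class Token:
    """Simulated smart card: holds a secret key and checks the PIN on-card."""
    MAX_TRIES = 3

    def __init__(self, pin, key):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self._key = key                      # never leaves the card
        self._tries_left = self.MAX_TRIES

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def sign(self, pin, challenge):
        """Answer a challenge only if the PIN is right; lock after 3 bad tries."""
        if self._tries_left == 0:
            return None                      # card is locked, even for the right PIN
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._tries_left -= 1
            return None
        self._tries_left = self.MAX_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Remote system: enrolled with the card's key (assumption: shared HMAC
    key in place of a public key); it is never given the PIN."""

    def __init__(self, enrolled_key):
        self._key = enrolled_key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(32)   # fresh nonce per login
        return self._pending

    def verify(self, response):
        nonce, self._pending = self._pending, None   # single use, so no replay
        if nonce is None or response is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(card, server, typed_pin):
    """The PIN goes to the card only; the server sees nonce and response."""
    return server.verify(card.sign(typed_pin, server.challenge()))
```
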