A Finextra member 23 June, 2009, 14:09 0 likes

Have you read the the "Analysis of a Botnet Takeover" by Santa Barbara University. Its amazing that inner 10 days more than 15 millions of credential data of users can be observed and misused. These numbers include mailbox accounts, emails, from data, HTTP, FTP , POP, SMTP accounts as well as windows passwords. This study gives a complete overview of how fraud can be made by identity theft via botnets. It ugly.  But on the same time the authors are talking about the weak PASSWORDS that we are all using.
So imagine not to have password any more... no unmasking while typing in, no narrowing by languages or keyboards, no hacking, no trojans, no phishing, no complexity of letters, digits etc. ... Just have a look at weblookon.com

A Finextra member 23 June, 2009, 14:40 0 likes

Thanks for your comment Heinrich, you refer to an authentication flavour I have seen previously (refer www.passfaces.com) or a variation on a theme.

I'm most interested to hear opinions on baking a security layer into the architectural design of e-business applications as opposed to a silo approach of implementing specific authentication projects, and the change management resource intensive approach typically adopted for delivery.

A Finextra member 24 June, 2009, 09:00 0 likes

Hello Stuart,you´re just thinking that you know the method of WebLookOn already. I tell you, you don´t. You mentioned passfaces, vidoop, etc.. they are all weaker than any password because they are unmasked in the moment they appear at login. WebLookOn is (so far) the ONLY challenge&Response method that never unmaskes the secret. This is so important because every other authentication method - also multi factors - unmask at least one of their secrets. So simply thinking: eliminating all methods that are unmasking secrets would be the easiest way to secure the whole web...

A Finextra member 24 June, 2009, 13:03 0 likes

I'm certainly not suggesting I know the finer details of the authentication solution to which you refer....I'm merely highlighting that infrastructure, and architectural design has a huge (if not bigger?) role to play in securing web applications.....and if a security layer was available to an organisation which either was already in existence within their architecture, or could be deployed rapidly with no code changes required, then they'd be free to trial, test, and choose whatever form of authentication the organisation, and more importantly the customer is happy to adopt, whether that be a token, SMS message, static password, scramble pad, and so on...

If I blogged on authentication options we'd be here until eternity...might be an interesting one though to see where it ends up other than a big punch up amongst authentication vendors!

A Finextra member 25 June, 2009, 14:32 0 likes

Stuart you´re right: this blog shouldnt become a vendors punch court.. but I believe it should be a discussion platform on how we could change things that are no more sustainable. I strongly believe that one of these is this fkg password. And as long as guys like you tell, that the user should have the choice of what he wants to use I tell you that there will be no change to the better. Why? I one wants to change something then one must eliminate the weakest and worst things. I do not say anything against SMS, token, biometry, etc. etc but I am striktly fighting against the PASSWORD. And I hope I´ll get some assistance on this blogging. CU

Andrew Churchill - MIDAS Alliance - London 27 June, 2009, 11:01 0 likes

You're getting about aren't you Heinrich!! Not sure which of your blog posts led me to the site, but thanks as it was fun. I've commented on another string, but in case you miss that one ...

I must admit I do like Heinrich's WebLookOn, and think it could catch on. Not as a security solution, mind you, as it fails for the same reason as all the other OTP generating systems, but as a new super-fiendish Su Doku. Too many of the grid based systems coming through at the moment are far too easy to find the known secret and just aren't fun to crack. As the site says 'have fun' and I'll confess I did  - it took over an hour to find the secret given three data sets (though if you wish to play at home you'll have to get a friend to set it up, else you'll know the images you're after), but I've got bored of all the Su Doku Ken Kens in the newspapers, so this was a breath of fresh air (though, if I'm splitting hairs, from the initial 'select the picture of a reptile' I'd point out that a frog is actually an amphibian).

A Finextra member 29 June, 2009, 08:37 0 likes

Hi Andrew, we´ll optimize that captcha :-) so thanks for calling attention to it. I do´nt want to disappoint you, but WebLookon is not an OTP generating system at all, but I 100% agree with you that it is´nt a pure security solution. That´s what we never wanted to be, because it would be senseless to go against hard- and software based, biometry or multi-factor solutions. They are just too weak in comparison to WebLookOn and its patented algorithms - they ALL USE PASSWORDS in parallel !!!! - and they are far to expensive when thinking about global webuse...we want to go WITH them by just eliminating the password.
Andrew, you said you can crack it that easely like a sudoku in the newspaper. OK lets have a try :-) I´ve just generated a WebLookon Key with the Key-ID: "a.churchill" - its yours from now on!. So just enter this key-ID in the foreseen field on our webpage www.weblookon.com. A login console will open, proving your knowledge of the key-secret belonging to the key-ID "a.churchill". So you should make it in half an hour ;-(

Here some hints for Andrew and all of you:
You have four rounds per login (it takes you no longer than 8-10 secs)
If you answer one round incorrect, than the next time two additional rounds have to be answered correctly
If you failed ten times in a row, then you´re out for the next 12 hours.
If answers to rounds are given extremely fast, then the system will interrupt (brute force attack)
If the system realizes suspicious logintrials, IPs get blocked for a period of time (DDoS, DoS)
Remember; the numbers (digits) are one time codes!(man in the middle)
Aah yeah for men in the middle: you see 6 numbers first > therefore 6∧4 = 1296 choices; if you´re wrong once than 6∧6 = 46656; if you´re wrong 3times then 6∧8 = 1679616 and so on. The thing is, you will realize very soon that right guessing one time does not give you the key-secret! Remember Passwords: one time correct = always correct. 
So have fun

A Finextra member 29 June, 2009, 10:53 0 likes

Hi Heinrich - wasn't it you that said "this blog shouldnt become a vendors punch court.."

;-)

ding, ding...round 1

A Finextra member 29 June, 2009, 14:19 0 likes

uups, yeah i did but to kill the password IS THE TREND IN 2009  ;-))

Cu in Vienna ? Ebaday