In the new, digital economy, security is becoming more and more important. Online accounts are available everywhere. Your data needs to be safe. Security engineers have been paying a lot of attention to online security lately. Here are some trends in online security that are making the Internet a safer place.

Multi-factor authentication, a way of using MORE than a username and password to prove your identity, is making serious advances.
Security keys are one popular multi-factor method of securing online accounts. Basically, you’re issued a device that contains a unique code generation algorithm. On the keychain-sized device, a 6-digit code changes every 30 seconds. The algorithm is shared between your device and the server that you’ll be authenticating with, so the server can generate the number, too. When the time comes to log in, both ends of the transaction are able to generate THE SAME NUMBER and authenticate.
Currently, eBay/PayPal is mass-marketing these security devices. You can secure your account (not that it isn’t already) for a one-time fee of $5.00 USD. After your account is secured, it needs a username, a password, AND 6 digits that change every 30 seconds. Unfortunately, this is ONLY available in the United States, Germany, and Australia.

Another advance in the identity-proving arena is key-based authentication. Rather than a username and password, a user has a login key that contains a set of information unique to that user.
The authenticating server is equipped with a public-safe variant of that private key, giving the user the digital equivalent of a padlock/key system. When a connection is initiated with a server, your computer encrypts your key in a securely-encrypted tunnel and sends it to the server, where it is then decrypted (if you added a password) and matched against the key file (padlock). If successful, you are securely authenticated to the service. Essentially, rather than a short password that you have to type in, you have a long (1024 bits isn’t out-of-the-ordinary) password file that takes the password’s place.
Public implementations of this are still in the works; however, SSH has been using it for a long time now.
Learn more: http://www.laubenheimer.net/ssh-keys.shtml
Secure Shell on Wikipedia

Central online identity management has been attempted in the past, but many experts say that OpenID is the best, most efficient and most flexible unified sign-on system to bless the internet so far.
Logging in with OpenID couldn’t be easier. Rather than a username/password prompt, you’re asked to provide your OpenID identity URL. This URL can be anywhere. AOL, WordPress, and many other websites host your login identities as OpenID identities. In emails I have exchanged with Facebook, I know that they, too, are working to become an OpenID provider.
After entering your OpenID identity URL, you’ll be sent to your OpenID provider (e.g., AOL) to verify your identity. It is up to the particular provider to determine the challenges that grant you access to your account. Verisign Labs, who licensed the PayPal Security Key, is providing OpenID solutions WITH your PayPal security key. Most providers challenge with a simple username and password.
More information here: http://openid.net/
VeriSign PIP: http://pip.verisignlabs.com

When programming an authentication system, care must be taken not to reveal the underpinnings of the system and its structure.
Many websites will reveal the existence of an account to a potentially malicious user by saying “incorrect password.” The problem with that type of message is that a malicious user now knows that an account exists under the requested name and can proceed to breaking in with a brute-force or dictionary attack.
Now, many websites just say that the username/password is incorrect. Not only does this foil malicious cracker logins, but it causes the user to reassess his or her login credentials.
If you’ve seen good online security practices in the wild, let the world know in the comments area.
Brad Kovach is an award-winning web developer from Afton, Wyoming. In his spare time, he enjoys drumming on Rock Band, and playing with this website.