Re: QuizID?
Marc Branchaud wrote: Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Looks like hardware S/Key, doesn't it? If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system. /r$
Re: QuizID?
--- Marc Branchaud <[EMAIL PROTECTED]> wrote: > Any thoughts on this device? At first glance, it > doesn't seem > particularly impressive... > > http://www.quizid.com/ Surely I'm not the only one that gets the allusion of the photo on the home page of the pensive Bond-looking fellow with colored buttons on his suit sleeve being overlooked by the exotic bimbo to the cover illustration of the '70's-era code-breaking game "Mastermind"? (http://www.abstractstrategy.com/nmbr-mastermind.html) = Opinions herein are exclusively my own, unless you share them. Kevin Calman, codex24 at yahoo dot com, Austin, TX, US Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com
Re: QuizID
On Thursday 17 Oct 2002 3:15 pm, Adam Shostack wrote: > http://news.bbc.co.uk/2/hi/technology/2334491.stm > and www.quizid.com [snip] > > The card works in conjunction with the Quizid vault - a large > > collection of computers that can process 600 authentications per > > second. The system cost millions of pounds to develop. > > (Oooh! six hundred! Impressive! :) Although the "tech info" page at the quizid site claims "Benchmarked at 300 authentications per second"... > I don't see anything on their site about the technology, but I do > question if 4 colored buttons, with a probable pin length of 4-6, is "Five-digit colour key using three different colours leading to 243 individual combinations" - the five digits is a default apparently. Also locks the card after 5 attempts. Just waiting for the "Simon" hack for wholesome downtime repetition fun. It's just about cute enough to make it into the pockets of the masses, along with their phones, PDAs, binoculars...
Re: QuizID?
On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote: | Marc Branchaud wrote: | >Any thoughts on this device? At first glance, it doesn't seem | >particularly impressive... | > | >http://www.quizid.com/ | | Looks like hardware S/Key, doesn't it? | | If I could fool the user into entering a quizcode, then it seems like I | could get the device and the admin database out of sync and lock the | user out of the system. Aww, Rich, that trick never works! More seriously, most of the vendors will search forwards and back through the expected codes to make the attack less likely to work. (If authentication is centralized, searching backwards may not be a security risk.) I think the most interesting part of this is the unit looks cool, and its spun slightly differently than other tokens have been. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
QuizID?
Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Lovely idea of two-factor authentication: The user then enters their user name (something they know) and the 8-digit Quizid passcode (something they have) into the login screen of their application. BBC NEWS | Technology | Handy future for online security http://news.bbc.co.uk/1/hi/technology/2334491.stm Excerpt from the BBC article: Users are issued with a card and a personal code, based on a set of colour keys on the card. Each time they wish to conduct a secure transaction, they punch in the colour code and a random number is generated. M.
RE: QuizID?
> Branchaud, Marc writes: > > Any thoughts on this device? At first glance, it doesn't seem > particularly impressive... > > http://www.quizid.com/ > > Lovely idea of two-factor authentication: > >The user then enters their user name (something they know) and the >8-digit Quizid passcode (something they have) into the login screen >of their application. > > BBC NEWS | Technology | Handy future for online security > http://news.bbc.co.uk/1/hi/technology/2334491.stm > > Excerpt from the BBC article: > >Users are issued with a card and a personal code, based on a set of >colour keys on the card. Each time they wish to conduct a secure >transaction, they punch in the colour code and a random number is >generated. > > M. > [Note of vested interests: I work on RSA SecurID, which is a competing product.] Based on the information at the site, and Quizid's statement that their hardware is manufactured by ActivCard, I have to say that this looks an *awful lot* like the ActivCard Keychain Token, repackaged into a bigger form factor. Peter Trei Disclaimer: The above represents only my personal opinion.
QuizID
http://news.bbc.co.uk/2/hi/technology/2334491.stm and www.quizid.com > A credit-card sized device, which could potentially be issued to > thousands of citizens, is being heralded as a major breakthrough in > the search for establishing secure identification on the internet. ... > Users are issued with a card and a personal code, based on a set of > colour keys on the card. Each time they wish to conduct a secure > transaction, they punch in the colour code and a random number is > generated. > The card works in conjunction with the Quizid vault - a large > collection of computers that can process 600 authentications per > second. The system cost millions of pounds to develop. (Oooh! six hundred! Impressive! :) I don't see anything on their site about the technology, but I do question if 4 colored buttons, with a probable pin length of 4-6, is worth 10-70 pounds per year..For that price you can get securid cards, which aren't nearly as pretty, but that's nothing Ideo couldn't fix in a week. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
Re: QuizID?
This solution, like others based on the same principle, may not scale past ~150,000 users because of clock drift problems. Cheers -- Ed Gerck Marc Branchaud wrote: > Any thoughts on this device? At first glance, it doesn't seem > particularly impressive... > > http://www.quizid.com/ > > Lovely idea of two-factor authentication: > >The user then enters their user name (something they know) and the >8-digit Quizid passcode (something they have) into the login screen >of their application. > > BBC NEWS | Technology | Handy future for online security > http://news.bbc.co.uk/1/hi/technology/2334491.stm > > Excerpt from the BBC article: > >Users are issued with a card and a personal code, based on a set of >colour keys on the card. Each time they wish to conduct a secure >transaction, they punch in the colour code and a random number is >generated. > > M. > > - > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: QuizID?
On Thursday, Oct 17, 2002, at 19:39 Europe/London, Rich Salz wrote: Marc Branchaud wrote: Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Looks like hardware S/Key, doesn't it? If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system. [Note: I have an interest, since QuizID use nCipher hardware] Their device has a neat way of synchronizing the sequence number to the server which both avoids the clock drift problems that trouble RSA SecurID and mean that you'd have to get the user to pass you a large number of codes before you got them out of sync with the server. It also helps them avoid some of RSA's later patents which deal with their troublesome clock sync problems. Nicko