SAN FRANCISCO – Usable Security Systems has announced its first service, UsableLogin, which allows a person to choose one simple codeword to log in securely with multi-factor authentication to any Web site.
Passwords and all other Web authentication options available today rest on the assumption that humans are perfect, that they have amazing memories, can keep secrets and don’t lose anything; UsableLogin takes people the way they are and gives them something they can easily do: recognize a familiar picture and remember one simple word.
Usable Security CEO and founder Rachna Dhamija, Ph.D., said that “today’s best practices in security dictate that we follow inhuman password rules such as remembering 8-12 character passwords, and multiplied 25 times because that’s the average number of online accounts we have. Humans can’t possibly do this, and ‘enhanced authentication’ schemes such as hardware tokens or challenge questions only make things worse. At Usable Security, we believe that if it isn’t usable, it isn’t secure.”
Web sites insert a snippet of JavaScript on their site, or individuals download a browser extension that presents a UsableLogin box. The user personalizes their UsableLogin by choosing a picture and a personal codeword, which can be as easy to remember as their cat’s name “Fluffy.” Thereafter, their UsableLogin will appear consistently across every Web site and account they log in to, whether it is their bank, social network or a shopping site.
When logging into a site, the person’s familiar UsableLogin box appears and they type in their simple codeword. UsableLogin then goes to work behind the scenes to create a verifier, which is equivalent to a strong, complex password, and is unique for accessing that site. It does this by cryptographically combining the person’s codeword with secret data from different, separate sources, including the computer the person is using and Usable Security’s servers. Usable Security never stores or saves the person’s codeword, and Web sites never see it.
UsableLogin works at any Web site that accepts passwords today, and works with any operating system or browser.
UsableLogin constructs a complex Web-site verifier using split-key cryptography by combining secrets that reside in separate locations, from the user’s computer to multiple locations on Usable Security’s servers. By design, UsableLogin has no single point of failure for an attacker to exploit. In contrast, Single Sign-On (SSO) and password management systems concentrate vulnerability by relying upon a centralized password database, creating a tempting target for attackers.
UsableLogin will be available in early 2009. Individuals and Web sites may sign up now at Usable.Com to receive announcements about UsableLogin’s availability.
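
The announcement describes the verifier only at a high level. The Python sketch below is an added illustration, not Usable Security's algorithm or code: it shows one way a short codeword, a device-held secret and several server-held shares could be combined into a strong verifier that is unique per site. The function name, the PBKDF2/HMAC construction, the work factor and the sample secrets are all assumptions, and a real split design would keep each share in its own location instead of one process.

```python
import base64
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumed work factor for stretching the short codeword


def derive_verifier(codeword, site, device_secret, server_shares):
    """Combine codeword, device secret and server shares into a per-site verifier."""
    if not server_shares:
        raise ValueError("at least one server-held share is required")
    # Stretch the low-entropy codeword, salted with the secret stored on the device.
    key = hashlib.pbkdf2_hmac("sha256", codeword.encode("utf-8"),
                              device_secret, PBKDF2_ROUNDS)
    # Fold in every server-held share; dropping or changing one changes the key.
    for share in server_shares:
        key = hmac.new(share, key, hashlib.sha256).digest()
    # Bind the result to one site so verifiers are never reused across sites.
    tag = hmac.new(key, b"site:" + site.lower().encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


# Constructed sample secrets, for illustration only.
DEVICE_SECRET = bytes(range(32))
SERVER_SHARES = [b"\xa5" * 32, b"\x5a" * 32]

if __name__ == "__main__":
    for site in ("bank.example", "shop.example"):
        print(site, derive_verifier("Fluffy", site, DEVICE_SECRET, SERVER_SHARES))
```

The site only ever receives the derived verifier, and a party holding the codeword alone, the device secret alone, or a subset of the server shares cannot reproduce it.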
This column was written by Mark Cox of ConnectIT, an IntegratedMarCompany