August 21st, 2012
I had a crazy idea today for a two-factor authentication system that would be more user friendly than anything I’ve experienced so far. Not being a security expert, I figured it was worth putting up for the scrutiny of folks with bigger brains.
Two-factor authentication is a Good Thing™. The idea is that in addition to a password (which could be guessed by brute force, leaked, or extracted by social engineering), the system also requires a second piece of user input before it grants access to the account. That second input is chosen so that it is difficult or impossible for anyone other than the true account holder to produce.
The problem is that every system I’ve used is either too easy to break (TD Ameritrade uses “security questions” that are researchable) or a pain to use (Google uses short number codes that get texted to your phone).
XKCD brought to our collective attention that long phrases made of real words, like “monkey keyboards meteor cloud”, would tend to be more secure as passwords than strings of random characters. For me at least, phrases like that are only slightly more memorable than random text. I prefer full sentences, which is what Passpack encourages for its second authentication factor. That seems to work pretty well, but it introduces a UX problem: accuracy.
Say I’m trying to type a 50+ character sentence into a password input. I can’t see what I’m typing and the possibility of typos is massive. If the system requires 100% accuracy, as Passpack does, then users are being set up for a very frustrating experience. Getting it wrong, repeatedly, leads to frustration, which makes inaccuracy even more likely.
A Potential Solution
So why make a user get it exactly right every time? Wouldn’t 95% accuracy on a 50+ character phrase be enough? My thought is this: use a password and a pass phrase together for log-in, but don’t require 100% accuracy on the phrase.
Stored on the server would be the password hash (with its salt) and the pass phrase, encrypted under a key derived from the plain text of the password. Once the entered password validates against the hash, the server uses it to decrypt the stored phrase and compares that against the entered phrase with similar_text() or a similar string-similarity function. If the entered phrase is 95% similar or better, authentication passes. This allows for the honest typo but still requires knowledge of the phrase, and because the phrase is only decryptable with the password, a copy of the database alone does not reveal it.
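The flow described above, written out as an added example in Python rather than the PHP of the author's POC; this is not code from the post. It derives a stored verifier, an encryption key and a MAC key from the password with PBKDF2, keeps the phrase encrypted and authenticated at rest, and scores the entered phrase with difflib's SequenceMatcher, whose ratio() uses the same 2*matches/(len_a+len_b) normalisation that PHP's similar_text() reports as a percentage. The iteration count, the whitespace/case normalisation of the phrase, and the SHA-256 counter-mode stream cipher (a stdlib-only stand-in for AES-GCM) are assumptions made for the example.

```python
"""Password + fuzzy pass-phrase login (added example, not the post's own code)."""
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware
PHRASE_THRESHOLD = 0.95       # the 95% accuracy bar proposed in the post


def _normalize(phrase):
    """Collapse whitespace and case before comparing (design choice for the example)."""
    return re.sub(r"\s+", " ", phrase).strip().lower()


def _keystream(key, nonce, length):
    """Stand-in stream cipher: SHA-256 in counter mode, keyed per record.
    Only here to keep the example stdlib-only; use AES-GCM from a real crypto
    library in anything deployed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive(password, salt):
    """One PBKDF2 run yields three independent 32-byte values: the stored
    verifier, the phrase encryption key, and a MAC key. Knowing the verifier
    (e.g. from a database dump) does not give the encryption key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=96)
    return km[:32], km[32:64], km[64:]


def enroll(password, phrase):
    """Build the server-side record: salt, verifier, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    verifier, enc_key, mac_key = _derive(password, salt)
    plaintext = _normalize(phrase).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def phrase_similarity(expected, entered):
    """0.0..1.0 similarity, same normalisation as PHP similar_text()'s percent."""
    return SequenceMatcher(None, _normalize(expected), _normalize(entered)).ratio()


def login(record, password, phrase):
    verifier, enc_key, mac_key = _derive(password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return False  # wrong password: no key, so the phrase is never decrypted
    tag = hmac.new(mac_key, record["nonce"] + record["ciphertext"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        return False  # stored phrase was altered; refuse rather than compare garbage
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    stored = _xor(record["ciphertext"], stream).decode("utf-8")
    return phrase_similarity(stored, phrase) >= PHRASE_THRESHOLD


if __name__ == "__main__":
    # Constructed sample: a 63-character sentence and a login with one transposed pair.
    rec = enroll("tr0ub4dor&3", "The quick brown fox jumps over the lazy dog near the riverbank.")
    print(login(rec, "tr0ub4dor&3", "the quick brown fox jumsp over the lazy dog near the riverbank."))
```

Two things the example makes visible that the prose alone does not. First, the fuzzy comparison forces the server to hold the phrase in a recoverable form, so the password must guard it: here the record is useless without the password, but whoever has the password gets both secrets, and both are still "something you know" rather than a second factor type. Second, the threshold is not free: a 63-character phrase at 95% tolerates about three wrong characters, and the acceptance rate should be measured against the phrase length and similarity metric you actually deploy, since different metrics give different scores for the same typo.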
Here’s a quick, ugly POC: http://dev.robertadamray.com/accuracy-auth
I’m honestly curious to know if this is a good idea or if it would fail in a way obvious to a security expert. Let me know what you think on Twitter: @raray.