Things I read today that I found interesting and worthy of comment August 27th:
- Sony’s New eBook Software Takes Aim at Kindle – Answer to last question: Yes.
Things I read today that I found interesting and worthy of comment August 18th:
Things I read today that I found interesting and worthy of comment August 17th:
I'd used something like that for limited functionality, but increasingly, I'm turning off all but the most basic phone functions of my Blackberry to retain as much privacy as I can in an increasingly overly-connected-and-tracked world.
Lose, Lose When You Talk About Race (Victor Davis Hanson)
http://www.victorhanson.com/articles/hanson080209.html
Superb article, ignore anything I’ve typed here and go read this post from Mr. Hanson. No, really, go on, I’ll wait.
Good stuff, eh? Troubling that those that don’t fall over in a swoon over our current President are presumed to have only one possible reason… his race. Really ticks me off. There are plenty of people of many races for whom I would gladly vote, not because they are that race, but because of their beliefs, values and hence, character. Isn’t that what Martin Luther King, Jr. expressed as the realization of his “I Have a Dream” speech?
I don’t despise Obama because of his race, I despise him as I did Clinton and Carter, because of their hideous world-view that socialism is the direction America should go. Now we can argue about who wanted to make the most changes the fastest in this discredited and proven destructive direction, but 2/3 were plain ol’ white guys and I despised them equally as much as Obama. I do think he may be the most dangerous as so many conservative, supposed leaders remain cowed to point out that the Emperor wears no clothes because that would be racist.
Nuts to that! A wannabe socialist dictator should be opposed and given no quarter just because someone might call us a rude name. Oh and guess what, I equally despise Nancy Pelosi and Steny Hoyer and they are plain ol’ white people. Obama would probably consider them “typical white people” like his grandmother. I don’t despise them because of their color. Heck, I couldn’t pick them out of a lineup as I don’t watch news, but I know what they believe and therefore they are my enemy. Nothing to do with race, theirs or Obama’s.
Things I read today that I found interesting and worthy of comment August 12th:
Things I read today that I found interesting and worthy of comment August 11th:
I keep logging into my account and checking out the supposedly "hot" things to follow and am completely put off by the dizzying stream of short, tiny-url'd and hence, completely useless posts.
VDH's Private Papers: The Great American Debt.
I couldn’t say it any better than he did. The realities of the catch-22 we the voters have put ourselves in with regard to our lack of any discipline is why I don’t believe we’ve yet gotten anywhere near the “bottom” of this economic downturn. There’s a lot of self-delusion at work from the citizenry to the press to the government and until we decide to act like adult citizens and elect adult representatives, we’re in for a long period of pain.
Of course for some that “hope for change”, this emasculating of America is exactly the goal. Remake America in the image of the rest of the banana republic / statist / second-rate nations. It would be more honest if they just jumped right to the equalization tactics of out-and-out communist regimes of the past and took the doctors out of the hospitals to the fields and the farmers into the hospitals, but enough true Americanism still runs through enough citizens’ veins that an honest, up-front, straightforward approach wouldn’t be tolerated.
I do have some hope that at least the health care scam has been seen through by enough people that perhaps their vision will be cleared about all else that is being done to “take care of them”. Remember my comment about adults earlier? This is what I mean. Are we adults who care for ourselves and our own or are we mere child wards of the state?
Things I read today that I found interesting and worthy of comment August 10th:
Things I read today that I found interesting and worthy of comment August 5th:
I do take issue with one element of the Password section. Certainly I agree that single-factor password systems need to die. Certainly users are resistant to complexity and "extra steps", but are they really? For applications that contain data, items (real or virtual) or even real money which customers care about, they repeatedly show up for the stronger authentication when offered. If you tried for months to get a Blizzard Authenticator for $6.50, but couldn't because they were sold out, then you know what I mean. The real problem is that users are resistant to having "extra steps" that differ from site to site.
Of course this is the holy grail of online identity, to be the entity that issues THE CREDENTIAL for use across everything. Remember Microsoft Hailstorm that became a gimped Passport that is now just another silo'd ID used at MS sites? OpenID, InfoCards and several initiatives are at work trying to at least be the basis upon which THE CREDENTIAL may be issued. Of course THE CREDENTIAL in this age of phishing, pharming, trojans, etc. must be a strong credential. It will be interesting to see what technology and which IDPs (ID Providers) win the day.
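The "stronger authentication" the comment above has in mind is a one-time-code token of the Blizzard Authenticator kind. The following is an added example, not code from the original post and not the Blizzard product's algorithm: a server-side verifier for RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) with a small clock-skew window and replay protection, using only the Python standard library. The secret, window size and the `last_counter` bookkeeping are assumptions for the example; the test vectors are the published RFC 4226/6238 ones.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 published test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, presented: str, now: int, *, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Check a user-supplied code against the current step and `window`
    steps either side (tolerates modest clock drift).

    Returns (accepted, counter). `last_counter` is the highest counter already
    redeemed for this secret; any code at or below it is refused, so a code
    captured once cannot be replayed inside the window. The caller persists
    the returned counter when accepted is True.
    """
    if len(presented) != digits or not presented.isdigit():
        return False, last_counter
    current = now // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue  # already used (or older than the last use): replay
        # Constant-time comparison so the check does not leak which digits match.
        if hmac.compare_digest(hotp(secret, candidate, digits), presented):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Constructed walk-through: a code minted at t=59 is accepted at t=89
    # (one step later, inside the window) but refused once it has been used.
    code = totp(RFC_TEST_SECRET, 59)
    ok, used = verify_totp(RFC_TEST_SECRET, code, 89)
    print(code, ok, used)
    print(verify_totp(RFC_TEST_SECRET, code, 89, last_counter=used))
```

The window is deliberately small (one step each way); widening it to cover badly drifted clients also widens the interval in which an intercepted code remains valid, which is exactly the trade-off the replay check exists to limit.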
I also rely on my phone for connectivity to items in my house such as my security system. Sure, I have backup wireless connection too, since wires are easy to cut, but still POPS (plain ol' phone service) is well tested, reliable and works in power outages unlike my cable modem.
My main phone is my cell phone and indeed that is the only number anyone has for me that I want to actually contact me. My home phone doesn't ring anywhere and consequently that's the number I give anyone I don't want to hear from or who might be selling that to folks I definitely don't want to hear from.
With the ever-growing adoption of cell phones as the primary phone, the growing adoption of smartphones and the emergence of alternate communication services such as Skype and Google Voice, Vonage and its brethren seem like a transitional offering that may have already peaked. Perhaps Vonage should widen its offerings in the Google Voice direction so it can gather those that transition beyond its current offering?
I’ve taken a lot of questions lately on the topic of KBA. KBA (Knowledge Based Authentication) is a general term that covers several types of scenarios where users are asked a set of questions to verify their identity for situations where there isn’t another credential available to authenticate the user. There are various cases where this is used:
Typically this is when a user shows up to register for service and likely will end up with an authentication credential at the end of the process, which they will use going forward to authenticate themselves. KBA is generally used in this case to prove or establish the identity of the user and again, generally for services where the user’s true identity really matters because of regulations or other legal “know your customer” types of strictures.
This is for the situation where a registered user who does have a valid credential / identity with you, but for some reason isn’t able to utilize that authentication mechanic to login. Typical use cases for this are when the user is for one of the following reasons unable to login with their proper credential:
There are three methods of accomplishing KBA.
Clearly, KBA Type #1 is great to use for those users you don’t know and want to identify as being exactly the person they claim to be. If you are setting up an online relationship from scratch, don’t have any prior basis upon which to “know your customer”, need to know that John Smith is the John Smith at 123 Main St., Somewhere, Ohio, U.S.A. and want to do this all online, then this is a good way to go about it. There are a fair number of services that provide exactly this function, generally used at registration or initial provisioning of login credentials. One of the main considerations to bear in mind when shopping for these services is how well they structure the questions such that the legitimate user can answer them and an attacker can’t obtain the answers from publicly available sources or guess them. This can be harder than it sounds: balancing the increased security of this type of KBA vs. static KBA against keeping the questions from frustrating and confusing end users is a tricky proposition.
This isn’t to say that KBA Type #1 can’t be used for other use cases such as self-service forgotten password resets or “step-up” authentication or other secondary authentication use cases. It can be used for those as well, but may be a higher cost type of transaction than using either KBA Type #2 or #3.
KBA Type #2 is a lower cost option when an existing customer you know signs up online for services. It can be used for other use cases too, though asking questions that aren’t too readily guessable or aren’t reused too often can be difficult depending on the amount of variable, private or semi-private information you have on your customers. For instance, my mobile phone bill doesn’t vary that much month to month and the people I call are probably pretty easy to guess for anyone willing to spend a bit of time researching me, so those types of questions wouldn’t serve very well.
Which brings us to KBA Type #3. All of us that participate in much of anything online are familiar with this one. You set up an account and at registration are asked to set up one or more questions to be asked for any number of reasons including:
You usually get to pick from a list of drop down questions and in some cases even can write your own questions. This is popular since it is inexpensive as there is no service provider to pay and reduces the number of help desk calls for high frequency events, such as “I forgot my password”.
There are a couple drawbacks.
There have been an increasing number of news items about the compromise of politicians, celebrities and even services being “owned” via KBA compromise. Which brings me back to the beginning of this article and why I am hearing so many questions and such confusion over the issue of KBA.
Folks want to know:
These are tough questions to answer in the face of KBA’s growing list of failures. Mark Diodati over at Burton Group has written a ton on the issues of KBA and in a May 29th article states what my personal opinion is with regard to KBA: “Can We Finally Commit to the End of Knowledge-Based Authentication?”.
Yahoo and Google, who in the last year have both had high-profile users in the news with compromised accounts because of hacked KBA, have apparently decided that KBA needs help. They are both offering the ability for end-users to use their mobile phones instead of KBA for resetting passwords and I hope for any other secondary authentication opportunities that may arise in the use of their services.
Yahoo’s wording is: “Having your mobile number will help future password reset attempts.” I thought for sure I had a security question set up on Yahoo, but now can’t find it anywhere. My test drive of their forgotten password procedure tonight shows that my phone is the default or I can pick a non-Yahoo email to use for the ID verification step. No security question offered. I don’t know how much they are promoting this yet, but hopefully a lot and soon.
Google’s Account settings page lists email, SMS to your phone and a security question as options for password recovery. When I ran my test there tonight I was advised that an email and an SMS message had been sent to assist me in recovering my password, and a link for each was provided so I could pick which I wanted to use. While Google does still have a security question and answer, that can’t be used until my account has been idle for 24 hours. Interesting compromise.
Which brings me to the title of this article, “Trend in KBA?”. Google and Yahoo are moving away from KBA (static, Type 3 KBA to be exact); shouldn’t those for whom reputation is even more important consider doing so? I know this is a battle that till now has been dominated by the business and bean counter side of the organization, while the security folks get ignored as usual as being unrealistic and alarmist. Time to listen to the security folks and dump KBA.
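What replacing static Type 3 KBA looks like in code, as an added example that is not from the original article and not Google's or Yahoo's implementation: a password-reset service that proves possession of an out-of-band channel (phone or backup email) with a random, single-use, time-limited token, stores only a hash of that token, and permits the static security question only as a last-resort fallback after the 24-hour idle period the article describes. The 15-minute token lifetime, the five-attempt cap, the channel names and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60        # assumed lifetime of a reset token
MAX_REDEEM_ATTEMPTS = 5            # assumed cap on wrong guesses per token
IDLE_BEFORE_QUESTION = 24 * 3600   # idle period after which the article says
                                   # Google allows the security question


def _digest(token: str) -> bytes:
    # Only the hash is stored; a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).digest()


class ResetTokenStore:
    """Issue and redeem out-of-band password-reset tokens.

    One pending token per user; issuing a new one replaces the old one.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> [token_hash, expires_at, attempts]

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = [_digest(token), self._clock() + TOKEN_TTL_SECONDS, 0]
        return token  # the caller sends this by SMS or email; it is never stored in clear

    def redeem(self, user_id: str, presented: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_REDEEM_ATTEMPTS:
            del self._pending[user_id]  # expired or hammered: force re-issue
            return False
        if not hmac.compare_digest(_digest(presented), token_hash):
            entry[2] += 1
            return False
        del self._pending[user_id]  # single use: a second presentation fails
        return True

    def has_pending(self, user_id: str) -> bool:
        return user_id in self._pending


def recovery_channels(has_phone: bool, has_backup_email: bool,
                      last_active: float, now: float) -> list:
    """Which recovery paths to offer, modelled on the article's description:
    out-of-band tokens whenever a channel is on file, and the static security
    question only once the account has been idle for IDLE_BEFORE_QUESTION."""
    channels = []
    if has_phone:
        channels.append("sms_token")
    if has_backup_email:
        channels.append("email_token")
    if now - last_active >= IDLE_BEFORE_QUESTION:
        channels.append("static_question")
    return channels


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the run is deterministic.
    fake_now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: fake_now[0])
    token = store.issue("alice")
    print("first redeem:", store.redeem("alice", token))    # True
    print("replayed:", store.redeem("alice", token))        # False, single use
    token = store.issue("alice")
    fake_now[0] += TOKEN_TTL_SECONDS + 1
    print("expired:", store.redeem("alice", token))         # False
    print(recovery_channels(True, False, last_active=0.0, now=3600.0))
```

The two properties that static questions lack are what the store enforces: the secret is unguessable (256 random bits rather than a mother's maiden name) and it is consumed on use, so an answer that leaks through a data breach or a social-media profile has no lasting value.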