As early adopters and technology enthusiasts, we’re known for signing up for every new service presented to us. Due to the sheer number of web sites out there, most of us have devised a system for remembering all those passwords: we make them all the same. (Nod sheepishly if this is you). This system, although easy, is dangerously insecure. A hacker would only need to comprise your password one time in order to gain access to all your accounts. But what alternatives do we have?
At this week’s DEMO conference, I was introduced to two new ways to make authentication on the web more secure, and both of them are truly incredible. This post will look at one of those methods: UsableLogin.
About UsableLogin
UsableLogin is a new application from Usable Security Systems which allows you to choose one simple code word and use it to log into any web site. That codeword can be as simple as your dog’s name (“fido”) or your favorite color (“pink”). Why is this possible? Because the code word is just one layer of security – behind the scenes, the software creates another password for you for the actual web site. The password it creates is strong, complex, and highly secure, just as we know passwords should be.
How It Works
To use UsableLogin, you simply download the browser plugin. After you pick a background image and your easy-to-recall pass code, the login box will appear consistently across every web site you access, whether that’s Facebook or your bank.
Web sites can also choose to support UsableLogin by putting a small bit of JavaScript code on their site.
Here’s what UsableLogin sign-in boxes look like:
When you log in to a web site, UsableLogin cryptographically combines your simple code word with secret data pulled from separate sources: your computer and Usable Security’s servers. This data is combined to create a secure verifier which is used as your complex password. Your code word is never stored and web sites never see it.
UsableLogin can be used on any web site that accepts passwords. It will also work on any operating system and browser.
UsableLogin on Gmail
The Usable Login Dashboard
From the UsableLogin homepage, you can manage all your accounts and view your history – when you last logged on and from which computer. You can also authorize and deauthorize computers from this dashboard, so for example, if your laptop was lost or stolen, you could make sure that no one who got a hold of it could log in to your accounts.
Security Made Easy
Ask any I.T. professional about “multi-factor authentication” and they’ll tell you how much more secure it is against attacks. Think of it this way: on your front door you have a doorknob with a lock – that’s the extent of protection you have today. Add a deadbolt to the mix, and even though your door’s lock is so much easier to pick, the extra lock (the deadbolt) makes it much harder to get into your house. That’s multi-factor authentication. (OK, it’s actually much more complicated than that, but that’s the easiest way I could think to explain it.)
If you want to learn more about UsableLogin, you can watch their entire presentation from DEMO08 here:
UsableLogin will become available in early 2009. You can sign up on their homepage to be notified when it’s released.