LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Google Authenticator for multi-factor authentication

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 1:23 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Google Authenticator for multi-factor authentication by iabervon
Parent article: Google Authenticator for multi-factor authentication

The signature is something you are, not something you know. It comes from too low a part of the brain to be in the same category as a password.

The system really doesn't rely on a semi-trusted point-of-sale agent; the retailer is about as untrusted as anyone by VISA, which is why he used to have to get an imprint of the card, and now has to swipe it through a reader. To prove to a large extent that the card was actually present. In addition, the retailer has to produce a signature that reasonably matches the one on the card, proving to some extent that the owner of the card was there too.

The only thing I've seen change since the early days is that for small transactions, someone - I don't know if it's Visa or the retailer - is now willing to take the risk of fraud in exchange for speed and convenience.

(Log in to post comments)

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 10:20 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:27 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

And yet the main reason signatures exist is that many people do regard them as something you are, being difficult for a fraudster to learn.

I, for example, could almost certainly not reproduce your signature, no matter how much I practiced. So there's one fewer fraudster to worry about.

None of the security mechanisms we're talking about are perfect, so it's all about reducing, not eliminating, the chance of fraud.

In any case, it's not "something you know" -- if it were, then you could instantly disclose to someone how to write your signature.

(Incidentally, the other major purpose of a signature that people often overlook is not as security, but as a statement. The fact that someone wrote his name (or even an X) on a piece of paper makes it impossible for him to argue he didn't mean to commit himself. As most people are honest, whether he signed or not is often not disputed).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds