Password reminders from power adaptors
by Jago Maniscalchi // January 10, 2012 // News, Risk Management
A recent patent filing in the US (2012/0005747) by Apple sets out a system for two-factor authentication using computer peripherals.
Authentication mechanisms can make use of one or more ‘factors’. They are typically:
- Something ‘I know’ (a password)
- Something ‘I have’ (a token, or in this case, a peripheral)
- Something ‘I am’ (a biometric)
Standard authentication on a personal computer is single-factor – the user identifies themselves with a username and then authenticates with a password (something ‘I know’). Forgotten passwords, which this patent filing covers, are typically recovered either from a hint or by answering one or more secret questions (also in the something ‘I know’ factor). Hints are not particularly secure because they point an attacker (or thief) towards the correct password. Secret questions, unless chosen wisely, are not much better, because the attacker may be able to discover the answers.
Apple’s suggestion is designed to prevent thieves accessing personal computers by introducing a second factor – something ‘I have’ – into password recovery. From the filing:
One of the threat models which this approach addresses is that in which an opportunistic thief steals a portable device while the user is “out and about” – that is, the device is being carried by the user and is physically separate from its associated peripheral or companion device. One example is a student that takes her laptop computer to a university class, but leaves the docking station in her dorm room. Another example is an employee that takes his portable media player to work, but leaves the power cord in a locker.
Apple propose placing a small memory chip in the power adaptor containing a secret which will unlock the computer and allow a user to reset a forgotten password. Without the power adaptor, the password would not be recoverable. The filing goes further to suggest that the computer may also need to receive permission from Apple (perhaps via a user authentication on the Apple website) to reset the password. This really would be two-factor – one password on the Apple website coupled with a physical token concealed in the power adaptor.

In order to prevent attacks against the power adaptor itself, the proposal is that the secret on the adaptor is stored encrypted under a second key held only on the laptop. Therefore only the complete pairing of adaptor and laptop will allow access: the adaptor alone yields only ciphertext, and the laptop alone has a key with nothing to decrypt.
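To make the pairing argument concrete, here is a small Python model of the recovery flow described above (the adaptor secret wrapped under a laptop-only key, plus the optional permission from the vendor). It is an added illustration written for this post, not code from the filing or from Apple; the one-time-pad wrap, the HMAC tag, the SHA-256 verifier and the vendor approval MAC are all constructed stand-ins chosen so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed model of the scheme, not Apple's design.
# The laptop keeps the wrapping key and a hash of the recovery secret.
# The adaptor keeps only the wrapped (encrypted) secret and an integrity tag.
# Either part on its own is useless to a thief.

SECRET_LEN = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair(vendor_key: bytes) -> Tuple[Dict, Dict]:
    """Laptop-side enrolment: mint the recovery secret and wrap it for the adaptor."""
    secret = secrets.token_bytes(SECRET_LEN)      # unlocks the password reset
    wrap_key = secrets.token_bytes(SECRET_LEN)    # never leaves the laptop
    wrapped = _xor(secret, wrap_key)              # one-time-pad style wrap (constructed)
    tag = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()  # detects a foreign/tampered adaptor
    laptop = {
        "wrap_key": wrap_key,
        "verifier": hashlib.sha256(secret).digest(),  # the laptop never stores the secret itself
        "vendor_key": vendor_key,                     # stand-in for trusting the vendor's approval
    }
    adaptor = {"wrapped": wrapped, "tag": tag}
    return laptop, adaptor


def unwrap(laptop: Dict, adaptor: Optional[Dict]) -> Optional[bytes]:
    """Recover the secret only if this adaptor was paired with this laptop."""
    if adaptor is None:
        return None                                   # no adaptor present: nothing to decrypt
    expected = hmac.new(laptop["wrap_key"], adaptor["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, adaptor["tag"]):
        return None                                   # adaptor paired elsewhere, or modified
    return _xor(adaptor["wrapped"], laptop["wrap_key"])


def vendor_approve(vendor_key: bytes, laptop: Dict) -> bytes:
    """Stand-in for 'permission from Apple': a MAC over this laptop's verifier (constructed)."""
    return hmac.new(vendor_key, b"reset:" + laptop["verifier"], hashlib.sha256).digest()


def can_reset_password(laptop: Dict, adaptor: Optional[Dict], approval: Optional[bytes]) -> bool:
    """Both factors must be present: the paired adaptor and the vendor's approval."""
    secret = unwrap(laptop, adaptor)
    if secret is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(secret).digest(), laptop["verifier"]):
        return False                                  # secret does not match what was enrolled
    if approval is None:
        return False                                  # second factor missing
    return hmac.compare_digest(approval, vendor_approve(laptop["vendor_key"], laptop))


if __name__ == "__main__":
    vendor = b"constructed-vendor-key"
    laptop, adaptor = pair(vendor)
    _, stolen_from_someone_else = pair(vendor)
    approval = vendor_approve(vendor, laptop)
    print("paired adaptor + approval :", can_reset_password(laptop, adaptor, approval))
    print("laptop alone              :", can_reset_password(laptop, None, approval))
    print("someone else's adaptor    :", can_reset_password(laptop, stolen_from_someone_else, approval))
    print("no vendor approval        :", can_reset_password(laptop, adaptor, None))
```

Running it shows the four cases the post discusses: only the enrolled adaptor together with the vendor's approval unlocks the reset, while the laptop on its own, a different user's adaptor, or a missing approval all fail. The laptop stores a hash rather than the secret, so a copied disk image still does not recover it without the adaptor.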
Of course, if this system is ever rolled out, thieves will learn to steal the power adaptor. Apple suggest that more than one peripheral could be included in this scheme, and that each peripheral could contain credentials for more than one device. The filing also suggests that a third authentication factor could be included – a biometric signature, required by the peripheral before it would release its secret key.