Let's see - five keystrokes on four different keys leads to 1,024 possible combinations. If you couple this limited range of unique keystrokes with the fact that most people will use a pattern, like 5 keystrokes clockwise, the device should be fairly easy to defeat. Since size is critical maybe they could embed a thumbprint scanner?

With the proliferation of passwords at work, school, your bank, cell phone messaging ad nauseam why would the manufacturer think 20 passwords is even close to enough? Memory is cheap. If they would throw in a few more KB of memory the limit could easily a 100 or more passwords.

The review does not mention ease of data entry. What is the level of pain to use four buttons to enter the text associated with each generated password? This aspect alone would be a make-or-break user experience.

For an electronic device the size of a keyring with a single-purpose function I'd expect the price to be about a third of what they're charging.

From an initial look, I think I'll wait for at least version 2 to come out.
This is Joe Grajewski with Mandylion Labs. I would like to respond to each of your considerations. Since each response in TechNet is limited to a small number of characters, I will have to respond in 3 separate replies. This reply addresses your concerns re access to the device.

You are correct. Access to the device is 4 to the 5th power in keyspace. You are, however, taking that one safeguard in isolation. You are not considering all the InfoSec arguments that have bearing and control over the device's unauthorized access. For instance, physical control. Any InfoSec evaluation regards physical security over the object at risk as the highest form of assurance. Just ask any Marine on guard duty. The device is designed as an item of continuous personal possession and, as such, affords such physical control.

The device can be set at various levels of sanction for repeated failed unauthorized access attempts. For instance, in high InfoSec environments, the device can be set for one failed attempt and DESTROY, where all codes, obfuscated and stored within the processor, are irretrievably destroyed and overwritten if an unauthorized logical OR physical access is attempted.

As an additional measure, in high InfoSec environments we recommend that cryptographer-type offset techniques (i.e. applying a simple algorithm known only to the user to the displayed password to arrive at the actual password) be employed. Such two-factor authentication to discern the actual passcodes would render an unauthorized view of the codes a futile exercise within the timeframes involved.

Again, it's the combination of all these safeguards in their entirety that provides the device with its defense in depth, not a single safeguard in isolation.

Please visit our site or email me anytime. Let me convince you that you will want to upgrade t
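To make the keyspace and lockout points in the exchange above concrete, here is an added example (written for this thread, not code from either commenter or from Mandylion). It assumes a constructed layout of four buttons in a ring numbered 0..3 clockwise, a simple "same step every press" heuristic for the pattern codes the first comment worries about, and a wipe-after-k-failures policy like the DESTROY setting described.

```python
from fractions import Fraction
from itertools import product

# Constructed model: four buttons arranged in a ring, numbered 0..3 clockwise,
# five keystrokes per access code (the 4^5 = 1024 keyspace discussed above).
KEYS = 4
LENGTH = 5


def keyspace_size():
    """Total number of distinct access codes."""
    return KEYS ** LENGTH


def all_pins():
    """Every possible code as a tuple of key indices."""
    return [tuple(p) for p in product(range(KEYS), repeat=LENGTH)]


def is_pattern(pin):
    """Assumed heuristic for the 'easy' codes a person tends to choose: every
    step moves the same fixed amount around the ring (0 = same key repeated,
    +1 = clockwise, -1 = counterclockwise)."""
    steps = {(b - a) % KEYS for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and next(iter(steps)) in (0, 1, KEYS - 1)


def pattern_pins():
    """The subset of the keyspace a pattern-guessing attacker would try first."""
    return [p for p in all_pins() if is_pattern(p)]


def guess_success_probability(attempts_before_wipe, candidates):
    """Chance that a guesser who gets `attempts_before_wipe` tries before the
    device wipes itself hits the code, assuming the code is drawn uniformly
    from `candidates` and the guesser works through them in order."""
    n = len(candidates)
    return Fraction(min(attempts_before_wipe, n), n)


if __name__ == "__main__":
    print("keyspace:", keyspace_size())
    print("pattern codes:", len(pattern_pins()))
    print("random code, wipe after 1 failure:",
          guess_success_probability(1, all_pins()))
    print("pattern code, wipe after 3 failures:",
          guess_success_probability(3, pattern_pins()))
```

The contrast between a uniformly chosen code (1 in 1024 per try) and a patterned one (only 12 candidates under this heuristic) shows why the wipe threshold matters far more when users pick patterns than the raw 4^5 figure suggests.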
This is Joe Grajewski with Mandylion Labs. I read your comments regarding our technology and would like to respond to each of your considerations. Since each response in TechNet is limited to a small number of characters, I will have to respond in 3 separate replies. This reply addresses your concerns re biometrics.

Regarding your comment on the thumbprint scanner, I invite you to visit our site and download the whitepaper "Are Passwords Effective?". In that article we discuss the version of our device that includes not only a biometric sensor but also incorporates a steganographic watermarking of the passwords generated by a particular token to arrive at our "asymmetrical biometric authentication" or ABA. ABA is a method which creates a mathematical proxy to one's fingerprint to biometrically authenticate an individual to the same degree of information assurance as conventional biometrics without the requirements to store or transmit the biometrics. Further, it obviates the often overlooked risks associated with conventional biometrics, where transmitting unary codes precludes any recovery from compromise.

Again, please visit our site or email me anytime. Let me convince you that you will want to upgrade to version 2 when it arrives as opposed to waiting until it arrives.
This is Joe Grajewski with Mandylion Labs. I read your comments regarding our technology and would like to respond to each of your considerations. Since each response in TechNet is limited to a small number of characters, I will have to respond in 3 separate replies.

This reply addresses your comments re the number of passcodes managed by a single device and its cost points.

Although conventional DRAM memory may be inexpensive, the physically secure (potted), high information assurance, nonvolatile, obfuscated processor memory used with this device is not. The need to store more than 20 passcodes, however, is our most frequent recommendation, and we are currently working on a version with greater capacity that still lends itself to intuitive fast-scroll access to all the codes. Again, our two primary concerns with the design of our technology are its InfoSec value and user convenience.

Please visit our site or email me anytime. I would personally like to see you take the next step and become a user of our technology.

Let me convince you that you will want to upgrade to version 2 when it arrives as opposed to waiting until it arrives.
We're currently testing a product called BioPassword. It uses a biometric template to store the user's typing rhythm. In demonstrations we were unable to log in to the presenter's laptop even though we had his user id and password.

Here is their website for more info (and no I don't work for them):

http://www.biopassword.com/home/home.asp
I noted your comment regarding BioPassword and would like to add to it.

Mandylion views access control as a spectrum of differing authentication requirements. We believe that there is no single technology that is appropriate for all instances. No silver bullet. Complementary and mutually exclusive technologies exist and will also emerge. As with any technology sector, some technologies will do a better and more comprehensive job at it than others.

The aim with the Mandylion technology is to make that portion of the access control spectrum which employs the password method more secure and convenient to the user.

Our technology requires no modification to the desktop and works seamlessly with existing password registries within Microsoft, Unix and Mainframe OSs as well as with any application that uses passwords. It can be used virtually anywhere, from any access point, be it a stationary PC, laptop or PDA such as a RIM BlackBerry or Palm Pilot. We attempt to perfect the password method, not replace it.

In contrast, other approaches require additional software and/or hardware to be added to the infrastructure, which adds to configuration management issues. Because access control is so systemic, most APIs are not well published or shared, and do change often. As such, when such technology is added to the infrastructure it tends to conflict with the native system or, more often, can create new vulnerabilities when it attempts to replace it. For instance, does installing a secondary authentication over an underlying weak code create new vulnerabilities in how it communicates and stores this weak access code? Alternatively, with web-enabled hosts, what prevents unauthorized access utilizing the passcode from points outside of the software's control?