Key-Genius Leverages Yubikey to Secure Web-Logins

So I was listening to another Security Now podcast and heard about a promising new authentication technology designed by Yubico that generates asynchronous one-time passwords with a simple push of a button. The device can authenticate against the maker’s servers or your own. The device itself registers as a USB keyboard and is therefore compatible with most computers. The device costs less than $25 each, with discounts for bulk purchases.
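To make the “or your own” server option concrete, here is an added example (not from the podcast, Yubico or Key Genius) of the check a self-hosted validator performs on a Yubico OTP: modhex-decode the 32-character token, AES-128-decrypt it with the secret shared with the key, verify the embedded CRC, and reject any OTP whose counters have not advanced past the last accepted pair. The AES key, public/private IDs and counter values are constructed sample data, and `buildOTP` stands in for the physical key so the example runs offline.

```go
package main
import ("crypto/aes"; "errors"; "fmt"; "strings")
const modhex = "cbdefghijklnrtuv" // keyboard-layout-independent alphabet the key types
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i, c := range s {
		v := strings.IndexRune(modhex, c)
		if v < 0 { return nil, errors.New("bad modhex char") }
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}
func modhexEncode(b []byte) (s string) { for _, x := range b { s += string(modhex[x>>4]) + string(modhex[x&15]) }; return }
// crc16: reflected poly 0x8408, init 0xffff; a well-formed 16-byte token leaves the residue 0xf0b8.
func crc16(b []byte) (crc uint16) {
	for crc = 0xffff; len(b) > 0; b = b[1:] {
		crc ^= uint16(b[0])
		for i := 0; i < 8; i++ { if crc&1 == 1 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 } }
	}
	return
}
// Validate is the self-hosted check: decrypt, verify CRC (right key, untampered), then require the counters to advance (anti-replay).
func Validate(otp string, key []byte, lastCtr uint16, lastUse uint8) (ctr uint16, use uint8, err error) {
	if len(otp) != 44 { return 0, 0, errors.New("otp must be 12 public-ID + 32 token modhex chars") }
	enc, err := modhexDecode(otp[12:])
	if err != nil { return 0, 0, err }
	c, err := aes.NewCipher(key)
	if err != nil { return 0, 0, err }
	p := make([]byte, 16)
	c.Decrypt(p, enc) // the token is exactly one AES block, so no mode of operation is involved
	if crc16(p) != 0xf0b8 { return 0, 0, errors.New("crc mismatch: wrong key or corrupted otp") }
	ctr, use = uint16(p[6])|uint16(p[7])<<8, p[11] // p[0:6] is the private ID, p[8:11] the timestamp
	if ctr < lastCtr || (ctr == lastCtr && use <= lastUse) { return ctr, use, errors.New("replayed otp") }
	return ctr, use, nil
}
// buildOTP stands in for the key itself (constructed data): fill the token, stamp the CRC, encrypt, prefix the public ID.
func buildOTP(pubID string, key []byte, priv [6]byte, ctr uint16, use uint8) string {
	p := make([]byte, 16)
	copy(p, priv[:])
	p[6], p[7], p[11] = byte(ctr), byte(ctr>>8), use
	crc := ^crc16(p[:14])
	p[14], p[15] = byte(crc), byte(crc>>8)
	c, _ := aes.NewCipher(key)
	c.Encrypt(p, p)
	return pubID + modhexEncode(p)
}
func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte AES secret shared between key and server
	otp := buildOTP("ccccccbcgujh", key, [6]byte{1, 2, 3, 4, 5, 6}, 7, 1)
	fmt.Println(Validate(otp, key, 6, 0)) // 7 1 <nil>: counters advanced, accepted
	fmt.Println(Validate(otp, key, 7, 1)) // the same OTP presented again is rejected as a replay
}
```

The server must persist the last accepted counter pair per key; without that state the CRC check alone would accept a captured OTP indefinitely.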

Key Genius is a product that leverages the Yubikey to provide a more secure platform for logging into websites. It recently won an award in the Yubiking competition, in partnership with Security Now. The service stores site-specific passwords in an encrypted database and, using a browser extension, replies to valid Yubikey one-time passwords by automatically inserting the correct password for the site. Usernames are not stored by Key Genius at all, so it’s up to the user to supply them to the website in question. This is actually a good thing, as a compromise of the Key Genius database cannot in and of itself betray a user’s logon credentials. This is a neat product that not only enhances convenience, but does so in a secure manner.

Shoulder Surfing by Laserlight

Here’s the first sentence from the source document:

Using equipment costing about $80, researchers from Inverse Path were able to point a laser on the reflective surface of a laptop between 50 feet and 100 feet away and determine what letters were typed.


The gist of the article is that the researchers were able to determine key sequences by analyzing the sound waves produced by each key as the subject types. The researchers have also managed to isolate EMI transferred through the power grid to identify keystrokes. Most folks need not worry about directed attacks of this nature, but if you’ve got a secret somebody wants badly, watch your back… and your windows.

Note: Thanks to _dilan for the link!