Multi-Factor, maybe, but is it really harder to phish?

MIT Tech Review asked me for a general comment on web authentication for their article covering new technology by Delfigo. There wasn’t enough time to look in depth at Delfigo’s technology, so my comments were about multi-factor authentication in general, and whether the additional factors are easily phishable. In other words, it’s interesting if authentication looks at more than just your password, but if it’s just as easy to trick a user into communicating the extra information and replaying it against the authentication server, then it may not be all that useful. According to the Tech Review article, Delfigo looks …

The Beautiful Magic of Cryptography

An election just wrapped up a few hours ago [public radio, le soir, RTL info]. The encrypted votes are stored in a redundant database, tied to each voter’s identifier, signed by the voting system, and available to all election participants for auditing. Each voter has a receipt of their encrypted vote they can compare to this database. In other words, the list of cast ballots is frozen, everyone can see it, and attempts to tamper with that list of cast ballots are detectable. And yet, no one knows the results. Not me, the creator of the system. Not the …

Trusting Trust and JavaScript

About 2 years ago, I tried to come up with a way to make OpenID and similar single-sign-on systems less phishing-prone. That turned into BeamAuth (note to self: must publish the source code! Argg, so little time.) Minutes before I presented BeamAuth at CCS, Adam and Collin cornered me and found a subtle but significant weakness in BeamAuth. Those two are crazy smart, how could I not befriend them? Adam and Collin spent some time trying to figure out if they could extend BeamAuth into BeamAuthlet, basically BeamAuth with some JavaScript sprinkled in to make it more powerful. In the …

Open-Audit Elections featured in Documentary

Richard Drury recently completed his documentary “Challenges for Democracy”, which covers a number of voting issues. His work is available for sale, so if you support this kind of in-depth reporting, please go buy his DVD! Richard has graciously agreed to release my segment on Open-Audit Elections under a Creative Commons license. Here it is, and I have to say that Richard has done a fantastic job of capturing the essence of open-audit voting. I only wish he’d given Andy Neff a bit more camera time, since Andy really knows how to capture some of the interesting complexity of the …

The Economist Covers Voting

The Economist covers voting with cryptography, including some of my work. Good to see folks like the Economist paying attention… although the article misses the big point. Voting with cryptography is not about making your vote more secret. It’s about making your vote more verifiable. For those who advocate traditional paper ballots, the point is that open-audit elections are significantly more verifiable. There’s a reason for the extra complexity, promised. But since I spent 3 hours talking to Cyrus, the reporter, I blame myself as much as anyone for not getting that important point across.