The Safeberg ‘Key on Paper’: Another Two-Factor Authentication Scheme

04 Mar

The Safeberg 'Key on Paper' (or Trusted Paper Key, TPK) unique printed key.

What exactly is this, you ask, and how do I use it? It is a Safeberg ‘Key on Paper’ (or Trusted Paper Key, TPK), a uniquely printed key. According to Safeberg, it is used as follows:

With this key you can easily access the backup of your files whenever you want. Without the Key on Paper, it is impossible to access your files.

The key can be read by means of a photo, scan, or even your mobile phone. This way, you will not have to retype the extremely long key.

The idea for the Trusted Paper Key was developed as an answer to the question: where could a key to all my data be stored best? Not at Safeberg. And not on your computer, due to its vulnerability. Why not on paper…?

Without your key, you can not access your files. “If you lose your key,” states Safeberg, “we can not offer you any help. We advise you to print the key more than once and store it in a safe place.”

Suggestions on where to save your key:

  • In your own house
  • With friends or family (besides the key, you also need a Safeberg Password to access your files)
  • In a safe

So this is, in effect, merely another method of two-factor authentication:

Two-factor authentication (T-FA or 2FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor authentication typically is a signing-on process where a person proves his or her identity with two of the three methods: “something you know” (e.g., password or PIN), “something you have” (e.g., smartcard or token), or “something you are” (e.g., fingerprint or iris scan).

And yet Bruce Schneier wrote [on the subject of two-factor authentication] a while back on his blog: The Failure of Two-Factor Authentication

Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to prevent identity theft. It’s not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.

The problem with passwords is that they’re too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in e-mail, and that e-mail is intercepted. People use them to log into remote servers, and their communications are eavesdropped on. They’re also easy to guess. And once any of that happens, the password no longer works as an authentication token because you can’t be sure who is typing that password in.

Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it’s harder for someone else to intercept. You can’t write down the ever-changing part. An intercepted password won’t be good the next time it’s needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

These tokens have been around for at least two decades, but it’s only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don’t provide adequate security, and are hoping that two-factor authentication will fix their problems.

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.

While I don’t know if this method [KoP] ‘solves’ much in the arena of data security, the concept is intriguing to me nonetheless.
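The arrangement Safeberg describes (a long printed key plus a Safeberg Password) can be sketched as follows. This is an added example, not Safeberg's code or part of the original post; the checksum, the base32 encoding and the PBKDF2-then-HMAC combination are assumptions chosen for illustration, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

def encode_paper_key(raw: bytes) -> str:
    """32 key bytes + 3-byte checksum -> 56 base32 characters in groups of four."""
    blob = raw + hashlib.sha256(raw).digest()[:3]
    text = base64.b32encode(blob).decode()
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def new_paper_key() -> str:
    """Generate a fresh 256-bit key in its printable form."""
    return encode_paper_key(secrets.token_bytes(32))

def parse_paper_key(printed: str) -> bytes:
    """Recover the key bytes from scanned or typed text; reject damaged input."""
    text = "".join(printed.split()).replace("-", "").upper()
    blob = base64.b32decode(text)  # raises ValueError (binascii.Error) on bad input
    raw, check = blob[:32], blob[32:]
    expected = hashlib.sha256(raw).digest()[:3]
    if len(blob) != 35 or not hmac.compare_digest(check, expected):
        raise ValueError("paper key is damaged or mistyped")
    return raw

def derive_backup_key(paper_key: bytes, password: str, salt: bytes,
                      iterations: int = 600_000) -> bytes:
    """Stretch the password with PBKDF2, then key an HMAC with the paper key.

    Neither factor alone is enough to reproduce the output.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(paper_key, stretched, hashlib.sha256).digest()

if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    printed = new_paper_key()
    print("print this:", printed)
    key = derive_backup_key(parse_paper_key(printed),
                            "constructed password", b"constructed-salt")
    print("backup key:", key.hex())
```

The checksum lets a scan or retype error be caught before a wrong key is used, and a copy of the paper left with friends or family is useless without the password.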

Posted on March 4, 2010 in Computing, Digital Security