Comments on: Podcast Episode 11

By: Ben Smith

Ben Smith — Wed, 02 Jul 2008 15:55:12 +0000

Two 'something you haves' are obviously better than 1 in some scenarios, but in a number of others there's no benefit at all – a thief can steal my phone and token from a hotel just as easily as the phone alone for instance.

WRT the passcode, M4E enforces a 3 (or is it 5?) attempts then completely wipes the device to prevent brute forcing.

By: Ben Smith

Ben Smith — Wed, 02 Jul 2008 10:55:12 +0000

WRT the passcode, M4E enforces a 3 (or is it 5?) attempts then completely wipes the device to prevent brute forcing.

By: Ben Smith

Ben Smith — Wed, 02 Jul 2008 09:55:12 +0000

WRT the passcode, M4E enforces a 3 (or is it 5?) attempts then completely wipes the device to prevent brute forcing.

By: bogart

bogart — Wed, 02 Jul 2008 02:41:34 +0000

The hope with the tiered idea was that you would encounter the extra authentication bits less often than you currently do. I have not run into what you were talking about (luckily, my phone is just for fun at the moment) so my theory may not mesh well into real-world application.

I get the “something you have, something you know” paradigm, but isn't something you have + something else you have more powerful? Might have to look at what Schneier has to say on that, but it seems like having the phone and having your face/having a fob would be more secure than a passcode that could be guessed, brute forced, etc. Again, something for real-world experimentation as this is just brainstorming at the moment.

By: Ben Smith

Ben Smith — Tue, 01 Jul 2008 23:08:39 +0000

Yes – Jay knows his stuff good 'n proper… a privilege to have him on.

Interesting thoughts re: security. I'm not sure our corporate security types would go for the token approach – they prefer to match 'something you have' and 'something you know'… a token might be one too many 'something you haves'… although it sounds like an option for consumers potentially.

Definitely like the tiered authentication bit – that ties nicely with Nokia's attempt to add dual use personal / business features to the E-series so they could be secured independently… like so much here though I think it would all be in the execution. Anything more cumbersome would be unwelcome on my devices!

By: bogart

bogart — Tue, 01 Jul 2008 20:01:47 +0000

Great podcast all around, I thought Jay Fenton had some great insight into the Symbian announcement.

Ideas for fingerprint-less security: The camera could be used to either recognize your face, or you could carry a 2D barcode "fob" on your keychain (or elsewhere) that could be scanned with the camera. Oh, thought of another: a bluetooth fob that is on your keychain. All of these sound kind of cumbersome, but that's the brainstorming for now.

What might be better would be for only certain apps to rrequire this extended security (another signing mechanism) so that, say, Mail 4 Exchange requires it, but you do not need to jump through those hoops just to make a call. If that were the case, it would be nice to have an area on the file system similarly protected, making the handset a secure file storage device.

By: Ricky Chotai

Ricky Chotai — Mon, 30 Jun 2008 22:15:16 +0000

good podcast guys! Agree with all your comments about Blyk, just waiting for a decent operator to come out with a similar model that works!