Is there a way to automatically authenticate a user, not the user's
computer, when he logs in to a website? The reason for this is to validate
that a multiple choice test that is taken was performed by Bob X and not by
Charles Y in a distance learning application.
No additional hardware can be used (such as fingerprint reader); there
would have to be no reconfiguration of Bob's computer since Bob is
incapable of performing any such task.
If this is possible, then can Bob also be identified if using *any*
computer not just his own.
--
Drop the alphabet for email
In article <4nvjgbgv8n1b$.vvilhqg3q25z$.dlg@40tude.net>,
Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
> Is there a way to automatically authenticate a user, not the user's
> computer, when he logs in to a website? The reason for this is to validate
> that a multiple choice test that is taken was performed by Bob X and not by
> Charles Y in a distance learning application.
>
> No additional hardware can be used (such as fingerprint reader); there
> would have to be no reconfiguration of Bob's computer since Bob is
> incapable of performing any such task.
>
> If this is possible, then can Bob also be identified if using *any*
> computer not just his own.
Isn't this normally done with a username and password prompt? It can be
improved with token-based authentication like SecurID or Defender.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Ari Silversteinn <abcarisilverstein@yahoo.comxyz> writes:
> Is there a way to automatically authenticate a user, not the user's
> computer, when he logs in to a website? The reason for this is to
> validate that a multiple choice test that is taken was performed by
> Bob X and not by Charles Y in a distance learning application.
This is a notion known as "individual identification" and "individual
authentication."
It's normally done with a username and password. The username
identifies a unique user. The password set by that person
authenticates that user that hopes to confirm the user is who they say
they are.
If by automatic you mean the user doesn't have to enter anything, the
answer is "no, with your requirements, there's no practical way to do
this."
If you're willing to give up strong authentication, you could email
URLs to specific users, each of them unique, and containing an
encoded username to uniquely identify them.
However, if someone happens to get hold of that email maliciously or
by a manager forwarding their email to all their subordinates and
saying "take this test" then you've lost authentication, and
everyone who got the email will be indistinguishable.
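[Added example, not part of any post in this thread: a sketch of the per-user emailed URL described above, with the encoded username protected by an HMAC so it cannot be altered. SECRET, BASE_URL and all function names are assumptions made for illustration. It also shows the limit the post points out: the link proves possession of the email, not who is at the keyboard.]

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"         # assumption: key known only to the server
BASE_URL = "https://exam.example/start"  # hypothetical test site
USED = set()                             # tokens already redeemed (in-memory for the demo)

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_link(username, expires_at):
    """Build the URL that is emailed to one user: payload plus HMAC tag."""
    payload = f"{username}|{expires_at}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{BASE_URL}?t={b64e(payload)}.{b64e(tag)}"

def redeem(url, now):
    """Return the username if the link is authentic, unexpired and unused."""
    try:
        token = url.split("?t=", 1)[1]
        p64, t64 = token.split(".", 1)
        payload, tag = b64d(p64), b64d(t64)
    except (IndexError, ValueError):
        return None                      # malformed link
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # username or expiry was altered
    username, _, expiry = payload.decode().rpartition("|")
    if now > int(expiry) or token in USED:
        return None                      # expired, or already redeemed once
    USED.add(token)
    return username

if __name__ == "__main__":
    link = make_link("bob", expires_at=1000)   # constructed sample values
    # Whoever presents the link first is accepted as "bob"; a forwarded
    # copy is indistinguishable from the original recipient.
    print(redeem(link, now=500))   # first bearer
    print(redeem(link, now=500))   # any later bearer is refused
```

[Single use and expiry only limit how many people can use a forwarded link, not which person uses it.]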
On Mon, 15 Aug 2005 20:04:39 -0400, Barry Margolin wrote:
> In article <4nvjgbgv8n1b$.vvilhqg3q25z$.dlg@40tude.net>,
> Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
>
>> Is there a way to automatically authenticate a user, not the user's
>> computer, when he logs in to a website? The reason for this is to validate
>> that a multiple choice test that is taken was performed by Bob X and not by
>> Charles Y in a distance learning application.
>>
>> No additional hardware can be used (such as fingerprint reader); there
>> would have to be no reconfiguration of Bob's computer since Bob is
>> incapable of performing any such task.
>>
>> If this is possible, then can Bob also be identified if using *any*
>> computer not just his own.
>
> Isn't this normally done with a username and password prompt? It can be
> improved with token-based authentication like SecurID or Defender.
Thanks, Barry, for the reply. A user name and prompt can be passed from Bob
X to Charles Y and Charles Y can then take the test for Bob X.
Token based authentication, this I am inexperienced or confused as to your
interpretation.
--
Drop the alphabet for email
In comp.security.misc Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
> Is there a way to automatically authenticate a user, not the user's
> computer, when he logs in to a website?
Can you control the access to the physical terminal?
If so, yes, this access control is good for identifying the users, if the
terminals are secure.
If not, no, you cannot make this secure.
F'up2here.
Yours,
VB.
--
"Almighty Father, who wilt hear the prayer of those that love Thee, we pray
Thee to be with those who brave heights of Thy heaven and who carry the
battle to our enemies. Guard and protect them, we pray Thee, as they fly
the appointed rounds." - Chaplain William Downey, prayer for the Enola Gay.
In comp.security.misc Barry Margolin <barmar@alum.mit.edu> wrote:
> > Is there a way to automatically authenticate a user, not the user's
> > computer, when he logs in to a website? The reason for this is to validate
> > that a multiple choice test that is taken was performed by Bob X and not by
> > Charles Y in a distance learning application.
> Isn't this normally done with a username and password prompt? It can be
> improved with token-based authentication like SecurID or Defender.
No, it isn't.
Every user, who has the security token, can log in.
Passwords (and any other security token) are only working, if the user
who owns the password has no interest to share it.
In such a test, i.e. the contestant could let anybody "help" him by using
a VNC server on her/his machine.
F'up2here.
Yours,
VB.
In article <43016b0d@news.uni-ulm.de>, Volker Birk <bumens@dingens.org>
wrote:
> In comp.security.misc Barry Margolin <barmar@alum.mit.edu> wrote:
> > > Is there a way to automatically authenticate a user, not the user's
> > > computer, when he logs in to a website? The reason for this is to
> > > validate
> > > that a multiple choice test that is taken was performed by Bob X and not
> > > by
> > > Charles Y in a distance learning application.
> > Isn't this normally done with a username and password prompt? It can be
> > improved with token-based authentication like SecurID or Defender.
>
> No, it isn't.
>
> Every user, who has the security token, can log in.
>
> Passwords (and any other security token) are only working, if the user
> who owns the password has no interest to share it.
OK, if you don't trust the users, then I don't think there's any way to
accomplish your goal with the stated restrictions. Complete
identification and authentication requires three factors:
1) Who you are
2) What you have
3) What you know
A token implements #2, a password implements #3, but both of these can
be shared. To implement #1, you need to use biometrics, which requires
special hardware. But you specifically said that you can't require
hardware like a fingerprint reader.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Volker Birk wrote:
> In comp.security.misc Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
> > Is there a way to automatically authenticate a user, not the user's
> > computer, when he logs in to a website?
>
> Can you control the access to the physical terminal?
>
> If so, yes, this access control is good for identifying the users, if the
> terminals are secure.
>
> If not, no, you cannot make this secure.
>
> F'up2here.
>
> Yours,
> VB.
Ari Silversteinn wrote:
> On Mon, 15 Aug 2005 20:04:39 -0400, Barry Margolin wrote:
[snip]
>>Isn't this normally done with a username and password prompt? It can be
>>improved with token-based authentication like SecurID or Defender.
>
> Thanks, Barry, for the reply. A user name and prompt can be passed from Bob
> X to Charles Y and Charles Y can then take the test for Bob X.
there are very few things you can use for authentication that are
non-transferable...
even if you were to use one, how would you prevent the situation where
bob enrolls using charles' authentication data?
or maybe charles will just be sitting in the background giving bob the
answers... even if you do manage to authenticate the person, i don't see
a viable means of verifying that they don't have any unauthorized aids
at their disposal...
> Token based authentication, this I am inexperienced or confused as to your
> interpretation.
3 basic authentication schemes - what you know (password), what you have
(token), or what you are (biometric)...
token based authentication involves presenting a security token (one
assigned to you) to a token reader to authenticate yourself with -
however it's transferable just like passwords are...
--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
> Ari Silversteinn <abcarisilverstein@yahoo.comxyz> writes:
>> Is there a way to automatically authenticate a user, not the user's
>> computer, when he logs in to a website? The reason for this is to
>> validate that a multiple choice test that is taken was performed by
>> Bob X and not by Charles Y in a distance learning application.
>
> This is a notion known as "individual identification" and "individual
> authentication."
Traditionally, authentication is one of one and ID is one of many.
> If by automatic you mean the user doesn't have to enter anything, the
> answer is "no, with your requirements, there's no practical way to do
> this."
> In comp.security.misc Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
>> Is there a way to automatically authenticate a user, not the user's
>> computer, when he logs in to a website?
>
> Can you control the access to the physical terminal?
>
> If so, yes, this access control is good for identifying the users, if the
> terminals are secure.
>
> If not, no, you cannot make this secure.
>
> F'up2here.
>
> Yours,
> VB.
Barry Margolin <barmar@alum.mit.edu> wrote:
> 1) Who you are
> 2) What you have
> 3) What you know
> A token implements #2, a password implements #3, but both of these can
> be shared. To implement #1, you need to use biometrics, which requires
> special hardware.
Even biometrics will not solve the problem, because the user can
authenticate with biometrics, and i.e. by VNC a second user can "help"
with the test anyway.
The problem is not solvable without secure terminals and access control.
Yours,
VB.
It will not do it. You only will have a grinning of the user into your
camera, and a second user, who answers the questions, i.e. via VNC.
Yours,
VB.
On Tue, 16 Aug 2005 02:55:43 -0400, Barry Margolin wrote:
> OK, if you don't trust the users, then I don't think there's any way to
> accomplish your goal with the stated restrictions. Complete
> identification and authentication requires three factors:
>
> 1) Who you are
> 2) What you have
> 3) What you know
>
> A token implements #2, a password implements #3, but both of these can
> be shared. To implement #1, you need to use biometrics, which requires
> special hardware. But you specifically said that you can't require
> hardware like a fingerprint reader.
Is there nothing unique that would ID the user's computer then?
--
Drop the alphabet for email
[alt.cotse deleted. My News server doesn't allow cross-posts to groups
it doesn't carry.]
Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
> On Tue, 16 Aug 2005 02:55:43 -0400, Barry Margolin wrote:
>
> > OK, if you don't trust the users, then I don't think there's any way to
> > accomplish your goal with the stated restrictions. Complete
> > identification and authentication requires three factors:
> >
> > 1) Who you are
> > 2) What you have
> > 3) What you know
> >
> > A token implements #2, a password implements #3, but both of these can
> > be shared. To implement #1, you need to use biometrics, which requires
> > special hardware. But you specifically said that you can't require
> > hardware like a fingerprint reader.
>
> Is there nothing unique that would ID the user's computer then?
(I think) You said you didn't want that:
OP> Is there a way to automatically authenticate a user, not the user's
                                                         ^^^^^^^^^^^^^^
OP> computer, when he logs in to a website?
    ^^^^^^^^
Same issue with your other response
(<news:qz4fq0xe0sci.jkf9aijps7fv$.dlg@40tude.net>) :
> MAC addresses?
So which one is it? Authenticate/identify the user or his computer or
both?
On Mon, 15 Aug 2005 19:56:22 -0400, Ari Silversteinn
<abcarisilverstein@yahoo.comxyz> wrote:
>Is there a way to automatically authenticate a user, not the user's
>computer, when he logs in to a website? The reason for this is to validate
>that a multiple choice test that is taken was performed by Bob X and not by
>Charles Y in a distance learning application.
>
>No additional hardware can be used (such as fingerprint reader); there
>would have to be no reconfiguration of Bob's computer since Bob is
>incapable of performing any such task.
>
>If this is possible, then can Bob also be identified if using *any*
>computer not just his own.
Yes, this can be accomplished through the use of bar code e-mail.
In comp.security.misc Ari Silversteinn <abcarisilverstein@yahoo.comxyz> wrote:
> MAC addresses?
Sorry, will not do it.
When i.e. remote control like VNC is used, then nothing technical will
do it, because the authentication is from the right user, and the right
terminal is used also.
I think, this is not a topic for sci.crypt BTW.
Yours,
VB.