Does anyone know about TeddyID ???????

dwkdwk
edited February 2016 in Lounge

I know that teddyid has nothing to do with 1Password but I have nowhere to ask this kind of question.
(1Password's forum lounge was the only place I could think of asking such a question....)

I was reading about Google's password-free login article from TechCrunch and in the comments someone mentioned teddyid.

So I visited the mentioned site and it all sounded too good to be true.

Does anyone have any knowledge regarding this service ?

http://techcrunch.com/2015/12/22/google-begins-testing-password-free-logins/

https://www.teddyid.com/



Comments

  • brenty

    Team Member

    @dwk: While it's certainly interesting and new-ish, to me this seems sort of like second-factor authentication...without the first factor.

    Using "something I have" as a way to authenticate isn't new, but it could be compromised (or subpoena'd, or taken by force), whereas "something I know" (like my password) can't as easily be taken from me.

    I'd be interested to hear what others think though.

  • Not sure it's the right place to discuss this product, but since I'm TeddyID team member and stumbled on this thread today, I felt obliged to add my comment.
    Actually, the first factor is your computer (laptop or desktop), and it is a "something I have". Being independent from the second "something I have" (the mobile phone) is what makes the whole scheme secure. An optional "something I know" also exists, it is PIN code that protects the app.

  • brenty

    Team Member

    @tony991: I'll admit I'm not crazy about the "something I have" part for the reasons I mentioned above, but hopefully the "something I know" PIN can be something stronger than 4 digits too. Thanks for the info! :)

  • @brenty: A 4-digit PIN is quite strong because the number of failed attempts is limited (exactly why the FBI is struggling to unlock the San Bernardino iPhone).

  • brenty

    Team Member

    @tony991: Interesting. Thanks for your reply! Now, that doesn't mean that a 4-digit PIN is strong, but rather that your guesses at it are limited. ;)

    But in all seriousness, how does the limiting work? Is it a hard limit on attempts, and then the data is deleted? That's secure, but I'd be worried about that for a web service, since that could be a big "kick me" sign for troublemakers. I'd be interested to know the details!

    And as an aside, in the case of the FBI, I don't understand why they don't just go for it. Erase Data isn't the default setting, so there's a good chance that they can have as many guesses as they like...since I doubt Apple is going to be their fairy godmother in this case. :lol:

  • @brenty: That's a good question. We designed PIN verification in a way that makes it extremely hard to break or cause trouble. The user-entered PIN is combined and hashed with a strong secret that is unique to each device and stored solely on the device. The hash is sent to the server and the server checks it against the correct hash. If it doesn't match, the counter is incremented, and after 3 failed attempts the server will start giving negative replies even to the correct hash. So to try to brute force, or just to cause trouble by triggering the limit, the attacker has to first read the device memory, which is already challenging as the San Bernardino case demonstrates. Even then, the attacker will be cut off by the server after 3 failed attempts. This means that the attacker's options are pretty limited:
    1. Hope that the victim's phone is already rooted or jailbroken and try to trick him into installing malware.
    2. Physically hold the phone and face the same challenges as the FBI.

    Re why the FBI don't just try all possible passcodes until they find the right one, as far as I know, there is an (exponentially?) increasing delay between attempts; I don't think they have that many years to investigate this case.
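A small model of the verification scheme described in the post above, added here as an illustration; it is not TeddyID's code, and HMAC-SHA256 as the "combine and hash" step, the 32-byte device secret and the sample PIN are all assumptions. It walks through the legitimate case, a remote guesser without the device secret, the lockout, and an attacker who has already read the secret from device memory. Note that the model counts every submission for a device as an attempt, so whether the lockout can be triggered remotely depends on how the server ties a submission to a device, which the post does not specify.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3  # the limit the post describes


def derive_pin_hash(device_secret: bytes, pin: str) -> bytes:
    # Client side: combine the PIN with the per-device secret and hash the result.
    # HMAC-SHA256 is an assumption; the post only says "combined and hashed".
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()


class PinVerifier:
    # Server side: stores the correct hash and a failure counter for one device.
    def __init__(self, expected_hash: bytes):
        self.expected_hash = expected_hash
        self.failed_attempts = 0

    def verify(self, submitted_hash: bytes) -> bool:
        # Past the limit, every reply is negative, even for the correct hash.
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False
        if hmac.compare_digest(submitted_hash, self.expected_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


def run_scenarios(pin: str = "4711") -> dict:
    # Constructed scenario: random device secret, fixed sample PIN (an assumption).
    device_secret = secrets.token_bytes(32)  # lives only on the device
    server = PinVerifier(derive_pin_hash(device_secret, pin))
    out = {}
    # 1. Legitimate device, correct PIN: accepted.
    out["legit_ok"] = server.verify(derive_pin_hash(device_secret, pin))
    # 2. Remote guesser without the device secret hashes all 10,000 PINs under a
    #    key of their own: no hit, and the counter stops at the limit.
    wrong_key = secrets.token_bytes(32)
    out["remote_hits"] = sum(
        server.verify(derive_pin_hash(wrong_key, f"{p:04d}")) for p in range(10000))
    out["counter_after_remote"] = server.failed_attempts
    # 3. The lockout now rejects the legitimate device as well (the "kick me" concern).
    out["legit_after_lockout"] = server.verify(derive_pin_hash(device_secret, pin))
    # 4. Attacker who has read the device secret from memory: the brute force still
    #    ends after MAX_FAILED_ATTEMPTS wrong guesses, so a hit needs luck in 3 tries.
    fresh = PinVerifier(derive_pin_hash(device_secret, pin))
    out["memory_attacker_hits"] = sum(
        fresh.verify(derive_pin_hash(device_secret, f"{p:04d}")) for p in range(10000))
    return out
```

With the default PIN the memory-holding attacker gets no hit in the 3 attempts allowed; with a PIN among the first three guesses (e.g. "0001") the same run returns one hit, which is the 3-in-10,000 odds the counter leaves open.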

  • brenty

    Team Member
    edited March 2016

    We designed PIN verification in a way that makes it extremely hard to break or cause trouble. The user-entered PIN is combined and hashed with a strong secret that is unique to each device and stored solely on the device. The hash is sent to the server and the server checks it against the correct hash. If it doesn't match, the counter is incremented, and after 3 failed attempts the server will start giving negative replies even to the correct hash.

    @tony991: Very cool! Thanks for satisfying my curiosity. I appreciate the explanation! :chuffed::+1:

    Re why the FBI don't just try all possible passcodes until they find the right one, as far as I know, there is an (exponentially?) increasing delay between attempts; I don't think they have that many years to investigate this case.

    Honestly I think they're really holding out hope that they'll get their way. The delay does increase, but if it's a 4-digit PIN there are only 10000 possible combinations...and I bet it's something silly like 1111 anyway. :lol:

  • brenty

    Team Member

    @wkleem: I'm slightly out of date on jailbreaking too (for instance, I'm not sure what the newest release of iOS is that's been successfully jailbroken), but the gist of it is that in order to jailbreak you have to be able to execute an exploit, which requires being able to access the device. It isn't something that can be done while it's locked, and of course if the FBI had access to the phone, they'd probably have what they wanted without the need to jailbreak. I'm sure they're kicking themselves about resetting the iCloud password.

  • Thanks guys for the info!

  • brenty

    Team Member

    Hey, thanks for starting this discussion! :):+1:
