Mailing List Archive

Proposed Authentication Schema for Wikimedia projects
I originally posted this idea on G+ and Arthur Richards suggested I cross-post it here. My friend, Isaac Potoczny-Jones is a computer security professional. He developed a new authentication schema that layers on top of existing technologies and leverages a user's smartphone and QRCodes to improve authentication usability, eliminate human-generated passwords, and further improve security by separating the authentication channel from the login session. He's calling this capability "Animate Login" and as part of the proof of concept, he developed a MediaWiki implementation. I believe the Wikimedia foundation should pursue adding this technique as part of the primary login options for its projects. I would personally love to be able to just point my phone at the login screen and have the system log me in to Wikipedia without having to type anything or remember complex passwords. Wikimedia has worked hard to consolidate logins across the many projects over the last couple years and this would be a great way of providing seamless login. It should be very low overhead and relatively easy to implement. Isaac is very interested in seeing his tool put to use on Wikipedia. Wikimedia could lead the way to improved authentication that also vastly improves the user experience!

Isaac explains the project in some detail on this Google Plus post:
https://plus.google.com/u/0/112702172838704084335/posts/B9UR2zzDY3f?hl=en

His landing page for the project is here:
http://animate-innovations.com/content/animate-login

The website has videos, links to a MediaWiki instance where it's in use and more.

From the conversations I've had with him, I know that he has thought long and hard about this application and has sought to address/understand all of the potential attack vectors. Compared to human-generated passwords, this would be vastly more secure and dramatically improve the user experience of logging in. It might even entice new or old editors to log in and give it a try and thus re-engage them in editing. I'm also certain it could generate a fair bit of buzz as people learn they can use their smartphone to log in to Wikipedia.

I hope you'll consider working with Isaac. I'll point him to this thread so he knows it is here. I know he'd love to see this implemented in Wikipedia.

Don

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: Proposed Authentication Schema for Wikimedia projects
Looks like an interesting idea. The MediaWiki extension needs some work
though so I'll fork that and work on it today.

On Mon, Oct 17, 2011 at 10:51 PM, <packs-24686@mypacks.net> wrote:

> I originally posted this idea on G+ and Arthur Richards suggested I
> cross-post it here. My friend, Isaac Potoczny-Jones is a computer security
> professional. He developed a new authentication schema that layers on top
> of existing technologies and leverages a user's smartphone and QRCodes to
> improve authentication usability, eliminate human-generated passwords, and
> further improve security by separating the authentication channel from the
> login session. He's calling this capability "Animate Login" and as part of
> the proof of concept, he developed a MediaWiki implementation. I believe
> the Wikimedia foundation should pursue adding this technique as part of the
> primary login options for its projects. I would personally love to be able
> to just point my phone at the login screen and have the system log me in to
> Wikipedia without having to type anything or remember complex passwords.
> Wikimedia has worked hard to consolidate logins across the many projects
> over the last couple years and this would be a great way of providing
> seamless login. It should be very low overhead and relatively easy to
> implement. Isaac is very interested in seeing his tool put to use on
> Wikipedia. Wikimedia could lead the way to improved authentication that
> also vastly improves the user experience!
>
> Isaac explains the project in some detail on this Google Plus post:
> https://plus.google.com/u/0/112702172838704084335/posts/B9UR2zzDY3f?hl=en
>
> His landing page for the project is here:
> http://animate-innovations.com/content/animate-login
>
> The website has videos, links to a MediaWiki instance where it's in use and
> more.
>
> From the conversations I've had with him, I know that he has thought long
> and hard about this application and has sought to address/understand all of
> the potential attack vectors. Compared to human-generated passwords, this
> would be vastly more secure and dramatically improve the user experience of
> logging in. It might even entice new or old editors to log in and give it a
> try and thus re-engage them in editing. I'm also certain it could generate
> a fair bit of buzz as people learn they can use their smartphone to log in to
> Wikipedia.
>
> I hope you'll consider working with Isaac. I'll point him to this thread
> so he knows it is here. I know he'd love to see this implemented in
> Wikipedia.
>
> Don



--
John
Re: Proposed Authentication Schema for Wikimedia projects
Nice idea, but most users hate inputting a password/drawing on the
screen to unlock it. So if you lose your phone or it gets stolen, all
your credentials are lost and in the hands of an unknown attacker.
Also, phones tend to break during day-to-day usage (beverage spills,
falls from desks).

While these problems were mentioned on the design page, I have another
scenario: colleague comes over to your desk, swaps your phone with his
so you don't notice immediately, pranks you on Facebook or Wikipedia
and then swaps the phone back.

Marco

On Tue, Oct 18, 2011 at 4:51 AM, <packs-24686@mypacks.net> wrote:
> I originally posted this idea on G+ and Arthur Richards suggested I cross-post it here. My friend, Isaac Potoczny-Jones is a computer security professional. He developed a new authentication schema that layers on top of existing technologies and leverages a user's smartphone and QRCodes to improve authentication usability, eliminate human-generated passwords, and further improve security by separating the authentication channel from the login session. He's calling this capability "Animate Login" and as part of the proof of concept, he developed a MediaWiki implementation. I believe the Wikimedia foundation should pursue adding this technique as part of the primary login options for its projects. I would personally love to be able to just point my phone at the login screen and have the system log me in to Wikipedia without having to type anything or remember complex passwords. Wikimedia has worked hard to consolidate logins across the many projects over the last couple years and this would be a great way of providing seamless login. It should be very low overhead and relatively easy to implement. Isaac is very interested in seeing his tool put to use on Wikipedia. Wikimedia could lead the way to improved authentication that also vastly improves the user experience!
>
> Isaac explains the project in some detail on this Google Plus post:
> https://plus.google.com/u/0/112702172838704084335/posts/B9UR2zzDY3f?hl=en
>
> His landing page for the project is here:
> http://animate-innovations.com/content/animate-login
>
> The website has videos, links to a MediaWiki instance where it's in use and more.
>
> From the conversations I've had with him, I know that he has thought long and hard about this application and has sought to address/understand all of the potential attack vectors. Compared to human-generated passwords, this would be vastly more secure and dramatically improve the user experience of logging in. It might even entice new or old editors to log in and give it a try and thus re-engage them in editing. I'm also certain it could generate a fair bit of buzz as people learn they can use their smartphone to log in to Wikipedia.
>
> I hope you'll consider working with Isaac.  I'll point him to this thread so he knows it is here.   I know he'd love to see this implemented in Wikipedia.
>
> Don