Hi Andy,
From what I remember, the reasoning behind requiring the user to enter a code on the receiver was to prevent hijacking of the registration by someone reading the displayed registration key from the receiver screen, and using it to register the receiver to their own account.
I.e., it was effectively confirming that the person performing the registration on the web site still has physical access to the receiver (by entering a code into it), before allowing the registration to complete.
However, I think I agree that this is probably a fairly low risk – both in terms of the probability of it occurring, and of the consequences.
If the receiver polls, waiting for registration to be complete, and then displays the user name with which the receiver token is now registered, then it should be obvious to the real user that it’s been registered against a different account. Also, they should find that their own attempt to register will fail – again alerting them to a problem.
One case would be that the registration is started on the receiver, the registration key read, but registration then cancelled on the radio – so that it no longer polls for completion. In this case, someone could later use the copied registration key to register against a different account – and it would not be immediately obvious to the receiver’s user.
It still doesn’t seem like a very likely scenario, and as long as it’s always possible on a receiver to find out whether it has been registered, and with which account – then it sounds like it’s probably OK, and the simpler user experience would be good.
Best regards,
Robin
--
You received this message because you are subscribed to the Google Groups "RadioTAG developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
radiotag-develo...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
One case would be that the registration is started on the receiver, the registration key read, but registration then cancelled on the radio – so that it no longer polls for completion. In this case, someone could later use the copied registration key to register against a different account – and it would not be immediately obvious to the receiver’s user.
To unsubscribe from this group and stop receiving emails from it, send an email to radiotag-developers+unsub...@googlegroups.com.
If you'd like to change the protocol to something similar, you should be prepared to put in quite a lot of work until you're happy with the security aspects of it. Remember Google have a huge pool of talent, and considerable data to draw on when it comes to their authentication systems - by copying the surface form of what they do, we may be missing the subtleties.
At the time of designing the PIN system, we discussed using a more basic "username and password" authentication system on devices that can support more sophisticated text entry.
I'd encourage more user-testing of this if you have concerns about the user experience - we did some originally, which was positive
Hi,
On the point of a shorter device registration process, I'd just like to issue a note of caution. The design of the existing protocol was quite a lengthy process involving several weeks of Sean's and my time on just this aspect. It revealed quite a lot of subtle opportunities for different types of attacks and failure modes. I know that Andy and Robin also spent a lot of time going through what we'd come up with to verify it. None of us are security experts, but I think what we have is pretty robust. A mistake here, and the subsequent loss of user data, could be very damaging to the fledgling service - remember we (RadioTAG) don't necessarily have the traction of a Google or Apple.
If you'd like to change the protocol to something similar, you should be prepared to put in quite a lot of work until you're happy with the security aspects of it. Remember Google have a huge pool of talent, and considerable data to draw on when it comes to their authentication systems - by copying the surface form of what they do, we may be missing the subtleties.
At the time of designing the PIN system, we discussed using a more basic "username and password" authentication system on devices that can support more sophisticated text entry. The listener would enter their BBC, say, username and password into the radio and it would exchange those credentials for a password. I think this is quite a common mode of authentication, and I'd be interested to see it explored and added to the RadioTAG spec. It has the advantage of being common, and fairly secure.
I think the simplicity of the authentication is a bit of a red-herring. If you're the kind of listener to buy an internet-enabled radio and want to view your tags on a website, I think you're likely to be quite tech-savvy. Secondly this procedure is a one-off which for the average listener takes very little time in the scheme of things - although I know when you're testing it multiple times a day, like I did, it doesn't feel like it!
I'd encourage more user-testing of this if you have concerns about the user experience - we did some originally, which was positive, and I remember James C saying that he thought the process on Robin's prototype radio compared very favourably to other devices' attempts at authentication on the market.
Cheers,
Chris
From: radiotag-...@googlegroups.com [radiotag-...@googlegroups.com] on behalf of Ben Husmann [bhus...@emmis.com]
Sent: 02 July 2013 22:02
To: radiotag-...@googlegroups.com
Subject: Re: [CALL] Shorter device registration process
I think keeping the user experience as simple as possible is a good goal. The "hijacking" scenario seems like an edge case to me and shouldn't require us to make user authentication twice as time consuming/confusing.
--
You received this message because you are subscribed to the Google Groups "RadioTAG developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to radiotag-developers+unsub...@googlegroups.com.