Tag: authentication techniques

Cloudflare to work on simplified CAPTCHA

Article

Cloudflare is intending to replace CAPTCHA authentication on Web forms with …

CAPTCHAs May Soon Go Extinct (gizmodo.com)

From the horse’s mouth

Cloudflare

Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness (cloudflare.com)

My Comments

The CAPTCHA is being used as a means to prevent spam emails or comments on Websites or to assure that people who register in an online context are real people.

But these measures, typically ranging from transcribing letters to identifying objects, can be very frustrating for many people. This is caused by hard-to-read or small letters, or by object-identification instructions that are difficult to understand in a particular language or cultural context. As well, some of these CAPTCHAs don’t work well on mobile setups like smartphones, which are increasingly the common way to use the Internet. That leads to abandoned registrations or online-shopping carts, or to people not joining online services, for example.

HP Elitebook 2560p business notebook fingerprint reader

You scanning your fingerprint on your laptop’s fingerprint reader, or entering your device’s PIN code, proves that a person is entering the data

CloudFlare are working on a different approach to authenticating the personhood of a device user without resorting to letters to transcribe or objects to identify. Initially they are using USB security keys for this purpose but are moving towards full WebAuthN implementation for this purpose.

This approach will work with WebAuthN-capable browser and operating-system setups and work in a similar vein to password-free authentication for online services using that technology. This will require you to enter your device PIN, use face recognition or use the fingerprint reader, operate a USB security key or an authenticator app on your smartphone to prove your personhood, as if you are enrolling in to an online service that implements WebAuthN technology.

The success or failure of the WebAuthN test will simply allow you to submit that form or not on the Website. The logic won’t cause any extra identifying factors to be stored on the online service’s server under default setups. But it may store a device-local cookie to record success so as to treat the session as authenticated, catering towards data revision approaches in wizard-based forms or long data-entry sessions.
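To make the “record success without storing identifying factors” point concrete, here is an added illustration (not Cloudflare’s implementation) of a device-local pass cookie: after the WebAuthn assertion verifies, the server mints a signed, short-lived token whose only claims are timestamps and a random nonce, and later form submissions in the same session present it instead of repeating the challenge. The key, lifetime and claim names are assumptions.

```python
"""Added illustration (not Cloudflare's implementation) of the device-local
"challenge passed" cookie the post describes. Once the WebAuthn assertion has
verified, the server mints a signed, short-lived token that holds no user or
credential identifier, so nothing about the person is kept server-side; the
browser presents it on later submissions in the same session instead of
repeating the challenge. Key, lifetime and claim names are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed per process; never sent to the browser
PASS_TTL_S = 30 * 60                    # how long one successful check is trusted


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_pass_cookie(key=SERVER_KEY, now=None, ttl=PASS_TTL_S):
    """Called only after a WebAuthn assertion verified. The payload carries
    timestamps and a random nonce, deliberately nothing that identifies the
    person or the authenticator that was used."""
    now = int(time.time() if now is None else now)
    claims = {"iat": now, "exp": now + ttl, "nonce": _b64(secrets.token_bytes(8))}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def pass_cookie_claims(cookie):
    """Decode the claims without trusting them (for inspection only)."""
    return json.loads(_unb64(cookie.split(".")[0]))


def verify_pass_cookie(cookie, key=SERVER_KEY, now=None):
    """True only if the tag is valid under our key and the token is live.
    Any malformed input is simply rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return False
        claims = json.loads(_unb64(body))
        return claims["iat"] <= now < claims["exp"]
    except (ValueError, KeyError, TypeError, binascii.Error, UnicodeError):
        return False


def gate_form_submission(webauthn_passed, cookie, key=SERVER_KEY, now=None):
    """Decision for one form POST: accept if a fresh assertion passed or a
    valid pass cookie accompanies the request. Returns (allowed, cookie_to_set)."""
    if webauthn_passed:
        return True, mint_pass_cookie(key, now)
    if cookie and verify_pass_cookie(cookie, key, now):
        return True, None
    return False, None


if __name__ == "__main__":
    ok, cookie = gate_form_submission(True, None)
    print("first submit allowed:", ok, "claims:", pass_cookie_claims(cookie))
    print("later submit with cookie:", gate_form_submission(False, cookie))
```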

A question I would have with this CloudFlare approach is how it can work with computing setups that don’t support WebAuthN. This will also include shared computing setups and public-access computers where the use of this kind of authentication may not be practicable for a single session.

But Cloudflare’s effort is taking WebAuthN further as a way to prove that a real person rather than a robot is actually operating an online account in a manner that is universal to abilities, languages and cultures.

Chrome OS to gain some credible features

Articles

Dell Chromebook 13 press image courtesy of Dell Inc.

These Chromebooks stand to benefit from WebAuthn Website authentication and improved lockscreens

Your Chromebook now doubles as a smart display – Android Authority

Chrome OS 88 offers a faster way to sign in to websites – by using your fingerprint or PIN code (chromeunboxed.com)

My Comments

The operating system that runs your Chromebook or Chromebox computer has now gained some more key capabilities. This is being seen as important as the Chromebook has gained importance for COVID-19 home-education computing needs.

One feature that is highlighted is the provision of a rich pre-login lock-screen for that platform. Windows 10 users have some sort of richness with their pre-login lock-screen where there is the opportunity for applications to show useable information on that screen.

Now Google has added this functionality by taking cues from their Assistant-powered Smart Displays by showing information like local weather or attractive visual works. You can use the Personalisation option to determine which images will appear on the lock screen, be they images from Google Photos or an art collection that is offered through that platform.

There is some interactivity beyond descending to the login screen in the form of music-player transport controls, something that would be convenient if you are using the Spotify world-wide cyber-jukebox on your Chromebook.

But once you log in to your Chromebook, you can have it provide simplified login with Websites that implement WebAuthn simple-yet-secure login. Here, you need to go to “People” then select “Security & Sign-In” to enable device-based PIN entry that is available on all Chromebooks or use of the fingerprint reader in your suitably-equipped Chromebook. Here, most of the other desktop and mobile operating systems and browsers have support for WebAuthn in some form for their current versions.

The question with Chrome OS is what kind of work will be taken to make this operating system less of an “Android tablet in a laptop housing” or an early-1950s British or European “people’s car” but something that satisfies current expectations for work, home, study and play.

Blockchain, NFC and QR codes work together as a tamper-evident seal for food

Article

Blockchain ensures that your online baby food order is legit | CNet

My Comments

On this Website, I have previously covered how certain technologies that work with our smartphones are being used to verify the authenticity and provenance of various foodstuffs and premium drinks.

It has been in the form of NFC-enabled bottle tops used on some premium liquor along with smartphone apps to determine if the drink was substituted along with the supplier being able to provide more information to the customer. In France, the QR code has been used as a way to allow consumers to identify the provenance of processed meat sold at the supermarket in response to the 2013 horsemeat scandal that affected the supply of processed beef and beef-based “heat-and-eat” foods in Europe.

The problem of food and beverage adulteration and contamination is rife in China and other parts of Asia but has happened around other parts of the world such as the abovementioned horsemeat crisis and there is a perpetual question for the US market regarding whether extra-virgin olive oil is really extra-virgin. It can extend to things like whether the produce is organic or, in the case of eggs or meat, whether these were free-range or not. This has led various technologists to explore the use of IT technologies to track the authenticity and provenance of what ends up in our fridges, pantries or liquor cabinets.

The latest effort is to use blockchain which is the “distributed ledger” technology that makes bitcoin, Ethereum and other cryptocurrencies tick. This time, it is used in conjunction with NFC, QR codes and mobile-platform native apps to create an electronic “passport” for each packaged unit of food or drink. This was put together by a Chinese-based startup who created this technology in response to a cat belonging to one of the founders needing to go to the vet after eating contaminated food that the founder had bought from an eBay-like online market based in China.

The initial setup has a tamper-evident seal wrapped around the tin or other packaging, with the seal carrying an NFC element and a printed QR code. A smartphone app scans the QR code and reads the NFC element, which stops working once the seal is broken, to verify that the seal is still intact. Once this data is read on the mobile device, the food item’s electronic “passport” appears, showing what was handled where in the production chain.

At the moment, the seal is like a hospital bracelet which is sturdy enough to be handled through the typical logistics processes but is fragile enough to break if the food container is opened. This could work with most packaged foodstuffs but food suppliers could then design this technology to work tightly with their particular kind of packaging.

The blockchain-driven “passport” could be used to identify which farm was used as the source of the produce concerned, with a human-readable reference regarding the agricultural techniques used i.e. organic or free-range techniques being used. In the case of processed meat and meat-based foods, the technology can be used to verify the kind and source of the meat used. This is important for religious or national cultures where certain meats are considered taboo like the Muslim and Jewish faiths with pig-based meats, British and Irish people with horsemeat or Australians with kangaroo meat.

Once the various packaging-technology firms improve and implement these technologies, it could facilitate how we can be sure that we aren’t being sold a “pig in a poke” when we buy food for ourselves or our pets.

You could be using your phone to sign in to Facebook on the big screen

Article

Apple TV 4th Generation press picture courtesy of Apple

You could be able to log in to Facebook on this device using your smartphone’s Facebook client

Facebook Login Updated for tvOS, FireTV, Android | AdWeek SocialTimes

From the horse’s mouth

Facebook

Developer News Press Release

Improving Facebook Login For TV and Android

My Comments

A holy grail that is being achieved for online services is to allow users to authenticate with these services when using a device that has a limited user interface.

TV remote control

A typical smart-TV remote control that can only offer “pick-and-choose” or 12-key data entry

An example of this is a Smart TV or set-top device, where the remote control for these devices has a D-pad and a numeric keypad. Similarly, you have a printer where the only interface is a D-pad or touchscreen, with a numeric keypad only for those machines that have fax capabilities.

Here, it would take a long time to enter one’s credentials for these services due to the nature of the interface. This is down to a very small software keyboard on a touchscreen, using “SMS-style” text entry on the keypad or “pick-and-choose” text entry using the D-pad.

Facebook initially looked at this problem by displaying an authentication code on the device’s user interface or printing this code out when you want to use it from that device. Then you go to a Web-enabled computer or mobile device and log in to facebook.com/device and transcribe that code in to the page to authenticate the device with Facebook.

Here, they are realising that these devices have some role with the Social Web, whether to permit single sign-on, allow you to view photos on your account or use it as part of a comment trail. But they also know that most of us are working our Facebook accounts from our smartphones or tablets very frequently and are doing so with their native mobile client app.

But they are taking a leaf out of DIAL (DIscovery And Launch), which is being used as a way to permit us to throw YouTube or Netflix sessions that we start on our mobile devices to the big screen via our home networks. It avoids the long rigmarole of finding a “pairing screen” on both the large-screen and mobile apps, then transcribing a PIN or association code from the large screen to the mobile client, before the session can appear on the TV screen.

This is where you will end up authenticating that big-screen app's Facebook login request

This is where you will end up authenticating that big-screen app’s Facebook login request

What Facebook are now doing for the 4th generation Apple TV (tvOS) and Android-based TV/video peripheral platforms (Android TV / Amazon FireTV) is to use the mobile client app to authenticate.

Here, you use a newer version of the Facebook mobile client, the Facebook Lite client or the Google Chrome Custom Tabs to authenticate with the big screen across the home network. The TV or set-top device, along with the mobile device running the Facebook mobile client both have to be on the same logical network which would represent most small networks. It is irrespective of how each device is physically connected to the network such as a mobile device using Wi-Fi wireless and the Apple TV connected via HomePlug AV500 powerline to the router for reliability.

What will happen is that the TV app that wants to use Facebook will show an authentication code on the screen. Then you go to the “hamburger” icon in your Facebook mobile client and select “Device Requests” under Apps. There will be a description of the app and the device that wants you to log in, along with the authentication code you saw on the TV screen. Once you are sure, you tap “Confirm” to effectively log in from the big screen.
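The exchange just described (and the earlier facebook.com/device variant) follows one server-side pattern: the limited-UI device obtains a request, shows a short code and polls, while the already signed-in phone lists the request and confirms the code. The following is an added model of that pattern, not Facebook’s code or API; the class and method names, code format, expiry and attempt limit are assumptions.

```python
"""Model of the device-login exchange described above (an added example,
not Facebook's code or API): a limited-UI device asks the service for a
login request, shows a short code on screen and polls; the user's already
signed-in mobile client lists the pending request and confirms the code.
Class and method names, the code format and the limits are assumptions."""
import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 8
CODE_LIFETIME_S = 600        # a pending request expires after 10 minutes
MAX_FAILED_CONFIRMS = 5      # per user, to stop code guessing


class DeviceLoginService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the flow can be tested
        self._requests = {}      # device_token -> request record
        self._failures = {}      # user -> count of wrong codes entered

    # ---- called by the TV / set-top app over its own connection ----
    def start_device_login(self, app_name, device_name):
        """Device obtains a login request. It shows user_code on screen and
        keeps device_token private; the token, not the code, is the secret."""
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        device_token = secrets.token_urlsafe(32)
        self._requests[device_token] = {
            "user_code": user_code, "app": app_name, "device": device_name,
            "expires": self._now() + CODE_LIFETIME_S,
            "status": "pending", "user": None,
        }
        return {"user_code": user_code, "device_token": device_token}

    def poll(self, device_token):
        """Device polls with its private token until the user has confirmed;
        only then does it learn which account the session is bound to."""
        req = self._requests.get(device_token)
        if req is None:
            return {"status": "unknown"}
        if req["status"] == "pending" and self._now() > req["expires"]:
            req["status"] = "expired"
        if req["status"] == "authorized":
            return {"status": "authorized", "user": req["user"]}
        return {"status": req["status"]}

    # ---- called by the signed-in mobile client ----
    def pending_requests(self):
        """What a 'Device Requests' screen would list: the requesting app and
        device plus the code the user should see on the TV."""
        now = self._now()
        return [
            {"app": r["app"], "device": r["device"], "user_code": r["user_code"]}
            for r in self._requests.values()
            if r["status"] == "pending" and r["expires"] >= now
        ]

    def confirm(self, logged_in_user, code_seen_on_tv):
        """User checks the on-screen code matches the listed request and taps
        Confirm (or transcribes it on a web page); the account they are
        signed in to becomes the device session's identity."""
        if self._failures.get(logged_in_user, 0) >= MAX_FAILED_CONFIRMS:
            return False
        entered = code_seen_on_tv.strip().upper()
        now = self._now()
        for req in self._requests.values():
            if req["status"] != "pending" or now > req["expires"]:
                continue
            # constant-time comparison of the short, user-visible code
            if hmac.compare_digest(req["user_code"], entered):
                req["status"] = "authorized"
                req["user"] = logged_in_user
                self._failures.pop(logged_in_user, None)
                return True
        self._failures[logged_in_user] = self._failures.get(logged_in_user, 0) + 1
        return False


if __name__ == "__main__":
    svc = DeviceLoginService()
    tv = svc.start_device_login("Photo Viewer", "Living-room Apple TV")
    print("TV shows:", tv["user_code"], "->", svc.poll(tv["device_token"]))
    print("Phone lists:", svc.pending_requests())
    print("Confirmed:", svc.confirm("alice", tv["user_code"]))
    print("TV polls:", svc.poll(tv["device_token"]))
```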

At the moment, this functionality is being rolled out to tvOS and Android-based devices with them being the first two to support the addition and improvement of application programming interfaces. But I would see this being rolled out for more of the Smart TV, set-top box and similar device platforms as Facebook works through them all.

Spotify login screen

This kind of single-sign-on could apply to your Smart TV

One issue that may crop up is catering for group scenarios, which is a reality with consumer electronics that end up being used by the whole household. Here, software developers may want to allow multiple people to log in on the same device, which may be considered important for games with a multiplayer element, or to allow multiple users to be logged in but with one user having priority over the device at a particular time, like during an on-screen poll or with a photo app.

Another question that could be raised is where Facebook is used as the “hub” of a user’s single-sign-on experience. Here, an increasing number of online services including games are implementing Facebook as one of the “social sign-on” options and the improved sign-on experience for devices could be implemented as a way to permit this form of social sign-on across the apps and services offered on a Smart TV for example. It could subsequently be feasible to persist current login / logout / active-user status across one device with all the apps following that status.

Other social-media, messaging or similar platforms can use this technology as a way to simplify the login process for client-side devices that use very limited user interfaces. This is especially where the smartphone becomes the core device where the user base interacts with these platforms frequently.

USB.org to introduce authentication in to the USB Type-C platform

Article

The USB Type-C connection will now be able to be authenticated irrespective of vendor

The USB Type-C connection will now be able to be authenticated irrespective of vendor

New USB Type-C Authentication spec can stop faulty cables before they do damage | Windows Central

From the horse’s mouth

USB.org

Press Release (via BusinessWire)

My Comments

Increasingly the USB connection standard has shown up a need to verify or authenticate device connections on a hardware level. Initially Apple had engaged in this practice with their iOS devices that use the Lightning connector to make sure that properly licensed Lightning cables are used with these devices. But there have been other reasons that this kind of authentication is needed.

One of the reasons was the existence of fake charging devices that are typically installed in public locations. These espionage tools look like plug-in AC chargers or “charging bars” but are really computing devices designed to harvest personal and corporate data from visitors’ smartphones and tablets. The mobile operating systems have been reworked to address this problem, whether by asking users what role the mobile device plays when it is connected to a host computing device or whether they trust the host device they are connecting their mobile device to.

But there has also been concern raised about ultra-cheap USB Type-C cables, typically Type-A adaptor cables, that aren’t wired to standard and could place your laptop, smartphone or tablet at risk of damage. In this case, users want to be sure they are using good-quality properly-designed cables and power-supply equipment so that their devices aren’t at risk of damage.

The USB Implementers Forum has established a connection-level authentication protocol for USB Type-C connections. This implements some of the authentication methods used by Apple for their Lightning connection to verify cables, along with the ability to verify the devices that are on the other end of a USB Type-C connection.

For example, a traveller could rectify the “fake charger” situation by setting their mobile gadgets to charge only from certified USB Type-C chargers. Similarly, a business can use low-level authentication to verify and approve the USB storage devices and modems that are connected to the computers under their control, in order to prevent espionage and sabotage. Vehicle builders that supply software updates for their vehicles to rectify cyberattacks on vehicle control units can use this technique as part of their arsenal for authenticating any of these updates delivered to customers via USB sticks.

What needs to be established is that the USB interface chipsets installed on motherboards and other circuit boards need to be able to support this kind of authentication. Similarly, operating systems and device firmware would need to support the low-level authentication in order to reflect the user’s choice or company’s policy and communicate the status concerning USB Type-C devices properly to the end-user.

At least it is an industry-wide effort rather than a vendor-specific effort to verify and authenticate USB devices at the electrical-connection level rather than at higher levels.

More classes of premium drink are protected by NFC bottle caps

Articles

Remy Martin thinks an NFC bottle cap is the key to authentic cognac | Engadget

Video

Smart liquor bottles can keep tabs on your bourbon collection | Engadget

Previous coverage

NFC technology to determine if that good wine or whiskey is the real McCoy

My Comments

I had previously covered the use of NFC as a tool to check if that bottle of premium wine or whiskey is the real McCoy and is filled with the real drink. This is based on a technology where an NFC chip integrated into the drink’s bottle cap signals to a companion mobile app on an NFC-capable mobile device to indicate the veracity of the drink and what it’s about. As well, these tags become defunct or change their status if the bottle is opened.

Selinko developed the NFC bottle cap as a solution to a problem that has been happening in Asian markets where customers were being sold a “pig in a poke” when it comes to buying premium liquor. This is where a bottle of premium liquor had its contents diluted or swapped for poor-quality drink and is similar to where customers in the Asian countries are buying knock-offs of clothes, luggage and similar products made or designed by respected brands.

Remy Martin, a well-known cognac distiller, is partnering with Selinko to verify the authenticity of cognac bottles and check that the drink hasn’t been substituted with cheaper poorer quality liquor. As well, they are using this technology to allow their customers to find out more about the drink and participate in a promotion. As well, Diageo is using a similar technology designed by Thinfilm to check the veracity of Blue Label bourbon whiskey.

This could lead to you having to install an app on your mobile device for each drink brand you have in your liquor cabinet but each of the companies could also provide a generic interface and API for stock-management systems. Here, consumers, the licensed trade, hoteliers and others can check if a bottle is opened and what is meant to be in that bottle.

As I have said before, I would like to see this technology have applications beyond liquor such as to check the veracity and provenance of other branded items like soft drinks, pantry items and toiletries also at risk of substitution. That is, is the bottle of Coke full of the actual Coca-Cola, that jar of Vegemite full of the real Aussie thing or that bottle of premium aftershave or perfume containing the stuff with the real distinct scent that you love.

Windows 10 to benefit from the FIDO authentication standards

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key, and this can impair the user experience you have during the login. This is because you have to make sure that the client-side software is running properly and use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly, thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to be raised with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication in situations like word processors being used to upload blog posts or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor, such as a smart lock that has just been used with your electronic key; or allow a card like the SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail?

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.

Symantec Symposium 2012–My observations from this event

Introduction

Yesterday, I attended the Symantec Symposium 2012 conference which was a chance to demonstrate the computing technologies Symantec was involved in developing and selling that were becoming important to big business computing.

Relevance to this site’s readership

Most solutions exhibited at this conference are pitched at big business with a fleet of 200 or more computers. But there were resellers and IT contractors at this event who buy these large-quantity solutions to sell on to small-business sites who will typically have ten to 100 computers.

I even raised an issue in one of the breakout sessions about how manageability would be assured in a franchised business model such as most fast-food or service-industry chains. Here, this goal could be achieved through the use of thin-client computers or pre-configured equipment bought or leased through the franchisor.

As well, the issues and solution types of the kind shown at this Symposium tend to cross over between small sites and the “big end of town” just like a lot of office technology including the telephone and the fax machine have done so.

Key issues that were focused on were achieving a secure computing environment, supporting the BYOD device-management model and the trend towards cloud computing for systems-support tasks.

Secure computing

As part of the Keynote speech, we had a guest speaker from the Australian Federal Police touch on the realities of cybercrime and how it affects the whole of the computing ecosystem. Like what was raised in the previous interview with Alastair MacGibbon and Brahman Thiyagalingham about secure computing in the cloud-computing environment, the kind of people committing cybercrime is now moving towards organised crime like East-European mafia alongside nation states engaging in espionage or sabotage. He also raised that it’s not just regular computers that are at risk, but mobile devices (smartphones and tablets), point-of-sale equipment like EFTPOS terminals and other dedicated-purpose computing devices that are also at risk. He emphasised issues like keeping regular and other computer systems up to date with the latest patches for the operating environment and the application software.

This encompassed the availability of a cloud-driven email and Website verification system that implements a proxy-server setup. This is designed to cater for the real world of business computing, where computer equipment is likely to be taken out of the office and used with the home network or public networks like hotel or café hotspots. It stays away from the classic site-based corporate firewall and VPN arrangement to provide controlled Internet access for roaming computers. It also accommodated real Internet-usage needs like operating a company’s Social-Web presence, personal Internet services like Internet banking or home monitoring so as to cater for the ever-lengthening workday, and the like. Yet this can still allow an organisation to have control over the resources to prevent cyberslacking or viewing of inappropriate material.

Another technique that I observed is the ability to facilitate two-factor authentication for business resources or customer-facing Websites. This is where the username and password are further protected by something else in the similar way that your bank account is protected at the ATM using your card and your PIN. It was initially achieved through the use of hardware tokens – those key fobs or card-like devices that showed a random number on their display and you had to enter them in your VPN login; or a smart card or SIM that required the use of a hardware reader. Instead Symantec developed a software token that works with most desktop or mobile operating systems and generates this random code. It even exploits integrated hardware security setups in order to make this more robust such as what is part of the Intel Ivy Bridge chipset in second-generation Ultrabooks.

Advanced machine-learning has also played a stronger part in two more secure-computing solutions. For example, there is a risk-assessment setup being made available where the environment in which a connection or transaction is to be fulfilled can be assessed against what is normal for a user’s operating environment and practices. It is similar to the fraud-detection mechanisms that most payment-card companies are implementing, where they can detect and alert customers to abnormal transactions that are about to occur, like ANZ Falcon. This can trigger verification requirements for the connection or transaction, like the requirement to enter a one-time password from a software token or an out-of-band voice or SMS confirmation sequence.

The other area where advanced machine-learning plays a role in secure computing is data loss prevention. As we hear of information being leaked out to the press or, at worst, laptops, mobile computing devices and removable storage full of confidential information disappearing and falling into the wrong hands, this field of information security is becoming more important across the board. Here, they used the ability to “fingerprint” confidential data like payment-card information and apply handling rules to this information. This includes implementation of on-the-fly encryption for the data, establishment of secure-access Web portals, and sandboxing of the data. The rules can be applied at different levels and affect the different ways the data is transferred between computers, such as shared folders, public-hosted storage services (Dropbox, Evernote, GMail, etc), email (both client-based and Webmail) and removable media (USB memory keys, optical disks). The demonstration focused more on payment-card numbers, but I raised questions regarding information like customer/patient/guest lists or similar reports, and this system supports the ability to create the necessary fingerprint of the information to the requirements desired.

Cloud-focused computing support

The abovementioned secure-computing application makes use of the cloud-computing technology which relies on many of the data centres scattered around the world.

But the Norton 360 online backup solution that is typically packaged with some newer laptops is the basis for cloud-driven data backup. This could support endpoint backup as well as backup for servers, virtual machines and the like.

Mobile computing and BYOD

Symantec have approached the mobile computing and BYOD issues in two different paths. They have catered for the fully-managed devices which may appeal to businesses running fleets of devices that they own or using tablets as interactive customer displays. But they allowed for “object-specific” management where particular objects (apps, files, etc) can be managed or run to particular policies.

It includes the ability to provide a corporate app store with the ability to provide in-house apps, Web links or commercial apps so users know what to “pick up” on their devices. These apps are then set up to run to the policies that affect how that user runs them, including control of data transfer. This setup may also please the big businesses who provide those services that small businesses often provide as an agent or reseller, such as Interflora. Here, they could run the business-specific app store with the line-of-business apps like a flower-delivery-list app that runs on a smartphone. There is the ability to remotely vary and revoke permissions concerning the apps, which could come in handy when the device’s owner walks out of the organisation.

Conclusion

What this conference shows at least is the direction that business computing is taking and was also a chance to see core trends that were affecting this class of computing whether you are at the “big end of town” or not.

Authenticating users to services on limited-user-interface devices

Sony BDP-S390 Blu-Ray Disc Player

A Blu-ray player that has advanced set-top-box functionality and access to online services

There is an increasing trend to interlink services like photo-sharing and social-networking services with network-enabled devices other than PCs or “lightweight computers” like smartphones or tablet computers. This includes set-top boxes, network printers and digital picture frames, and example applications include showing photo albums from Picasa or Facebook on the large TV, printing pictures from Picasa or Facebook without the need for a computer, or showing one’s Facebook Feed on an advanced Internet terminal like the Pure Sensia. One factor driving this concept is the use of device platforms like HP ePrint, Panasonic VieraCast and Google TV, where an operating-system developer or a device manufacturer uses the platform to build up an “app” library for the device or operating system.

HP Photosmart 7510 multifunction inkjet printer

Printers even now can print material from online services

It will also become more common as VoIP telephony encourages the development of “personal landline telephone” services, and as “personalised home environments” are brought about by home automation and security functions becoming part of the connected home.

The current situation

The main problem with these services is that they require the user to log in to the service using an alphanumeric user name and an alphanumeric password, which is best done using the regular QWERTY keyboard of a computer.

But most of these devices would require one of these methods to enter the credentials:

TV remote control

A typical smart-TV remote control that can only offer “pick-and-choose” or 12-key data entry

  • “Pick-n-choose”, where the user uses a D-pad on the device’s control surface to pick letters from a letter grid shown on the device’s display. This is a method used primarily with set-top-box applications like “Pixel Eyes” (a Picasa / Flickr front-end) for TiVo, or used on most Internet radios to enter the network password for a Wi-Fi network.
  • Small on-screen QWERTY keyboard for a touchscreen device. This is a practice used on smartphones and tablet computers that have this interface but is becoming common with network printers and other devices that use a touchscreen. This interface can be awkward and prone to errors if the device uses a small screen as common with most printers.
  • “SMS-style” with a 12-key keyboard. This is where the device is equipped with a 12-key numeric keyboard not dissimilar to a telephone and the user enters the credentials as if they are tapping out a text message on a mobile phone. This practice may be used on communications devices (dialling phone numbers), security devices (entering access codes) or consumer electronics (direct-entry channel / track selection).
  • 26-key alphabetic keyboard. This is where each letter of the alphabet is allocated a key usually in a 5×5 matrix in alphabetical order. You still may have to press a button to change case or switch to numeric or punctuation mode. This has been used with some of Sony’s MiniDisc decks for track labelling and is still used with some Brother labellers for entering label text, but is not commonly being used as a text-entry method for consumer electronics devices due to size, design or cost limitations.

As well, most of the implementations don’t allow for proper “hot-seat” operation by remembering just the user name, and therefore require the user to provide both the user name and password each time they want to use the service. This is made more awkward by the interfaces listed above.

Facebook’s login method

HP Envy 100 all-in-one printer (D410a)

HP Envy 100 all-in-one printer, implementing a simplified device enrollment for Facebook’s HP ePrint setup

Facebook have improved on this with their HP ePrint app, which is part of the HP Envy 100 printer that I have on loan for review. Here, the printer displayed an “authentication code” which I had to enter into the Facebook Devices page (http://www.facebook.com/device). Here, you would have to log in with your Facebook credentials if you haven’t done so already. Then the printer is associated with your Facebook account.

The only limitation with this method is that the device is bound to only one Facebook account, so multiple users can’t switch between their Facebook accounts. It can also make a Facebook user more vulnerable to undesirable modification of their account’s settings, because anyone operating the device acts on the bound account if the app allows it.

The reality with most devices

Most devices like network printers or set-top boxes are typically operated by multiple users. What needs to happen is a simplified multi-user login and authentication experience that suits this class of device.

This is even more so as the authentication credentials used by Google (Picasa, YouTube), Facebook and others are becoming central to the “single sign-on” environments offered by these service providers, and these “single sign-on” providers could appeal as credential bases for home-network applications like NAS management or even building security.

What could be done

An approach combining the “Facebook limited-device login” method with the login experience one encounters at an automatic teller machine or EFTPOS terminal would be appropriate here. This is where a device keeps multiple “device account codes” for multiple accounts and secures each of these accounts with a numeric PIN.

Main points

A credentials service like Facebook, Windows Live or Google could add a simplified “numeric PIN” field for limited-user-interface devices alongside the text-based password. This simplified “numeric PIN”, four or six digits long, would only work on qualified devices, and the user would still need to key in their text-based password to log in from a computer or smartphone.

Devices that support “limited interface” operation create a “device account passcode” for each account that is to use the device. This lets the device create a reference between the account on the service and the account on the device. When a user is added to the device, the passcode is shown on the device’s user interface and the user enters it into a “Devices Login” page at the credentials service’s Website.

Add user

  1. A user selects the option to “add user” to the device using the device’s control surface.
  2. The device creates a “device account passcode” and shows it on the device’s user interface (LCD display, TV screen, etc). In the case of a network printer, it could also print out this “account passcode”.
  3. The user transcribes this “device account passcode” to the credentials service’s Website (Google, Facebook, Windows Live, etc) using a regular computer or other Web-browser-equipped device.
  4. If the user hasn’t previously defined a numeric PIN for “limited-interface access”, the service invites the user to enter and confirm a numeric PIN of their own choosing if they agree to “protected device access”. This could be done either through the Web browser or continued at the device’s control surface. If they have previously defined the numeric PIN, the device challenges them to enter the numeric PIN using its control surface.
  5. The user’s account is bound to the device and the user is logged in.

Switching between users on a device

  1. A user goes to the “Users” menu on the device and selects their user name, represented as how they are known on the credentials service (Facebook name, etc), from the user list.
  2. The user then keys in the numeric PIN using the device’s control surface.
  3. If successful, the device is “given” to the user and the user then interacts with the service from the device’s control surface.
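The “add user” and “switching between users” procedures above, acted out as an added Python simulation of both the credentials service and the limited-interface device; this is example code written for this page, not any vendor’s implementation, and the passcode alphabet, the PIN hashing, the lockout threshold and all names are assumptions.

```python
import hashlib, hmac, secrets
ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789"  # easy to read off a TV screen and transcribe
MAX_FAILS = 5  # a 4-6 digit PIN is weak, so lock the account after a few misses

def _kdf(pin, salt):  # slow hash so a leaked PIN table is not trivially cracked
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class CredentialsService:  # the Facebook / Google / Windows Live role (assumed API)
    def __init__(self):
        self.users = {}    # account name -> {"salt", "pin", "fails"}
        self.pending = {}  # device passcode -> device token once approved, else None
        self.tokens = {}   # device token -> account name, one per binding
    def set_pin(self, name, pin):  # step 4, done once from a full browser
        if not (pin.isdigit() and 4 <= len(pin) <= 6):
            raise ValueError("PIN must be 4 to 6 digits")
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pin": _kdf(pin, salt), "fails": 0}
    def issue_passcode(self):  # step 2: the code the device displays or prints
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.pending[code] = None
        return code
    def approve(self, code, name):  # step 3: user types the code on the Devices page
        if code not in self.pending or name not in self.users:
            return False
        self.pending[code] = token = secrets.token_hex(16)
        self.tokens[token] = name
        return True
    def poll(self, code):  # the device asks whether the user has approved yet
        token = self.pending.get(code)
        if not token:
            return None
        del self.pending[code]  # the passcode is single-use
        return self.tokens[token], token
    def verify_pin(self, token, pin):  # the PIN is only honoured from a bound device
        name = self.tokens.get(token)
        if name is None or self.users[name]["fails"] >= MAX_FAILS:
            return False
        rec = self.users[name]
        ok = hmac.compare_digest(_kdf(pin, rec["salt"]), rec["pin"])
        rec["fails"] = 0 if ok else rec["fails"] + 1
        return ok

class Device:  # stores one token per bound account, never the PIN itself
    def __init__(self, service):
        self.svc, self.accounts = service, {}
    def finish_add(self, code):  # step 5: bind the approved account locally
        result = self.svc.poll(code)
        if result:
            self.accounts[result[0]] = result[1]
        return result is not None
    def switch_user(self, name, pin):  # pick a name from the user list, key the PIN
        return name in self.accounts and self.svc.verify_pin(self.accounts[name], pin)
```

Because the device only holds per-account tokens, a device that walks out of the house reveals no PIN, and a token can be revoked at the service without touching the other accounts bound to the same device.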

Other points of note

All users have the opportunity to “remove themselves” from the device by going to the “user settings” UI and selecting the “Remove User” option. Some devices may allow privileged users to remove other users from the device, and there could be an option for users to change their numeric PIN from the device’s control surface.

It could be feasible for a device to provide varying levels of access to a user’s account. For example, a device shared by a household could allow “view-only” access to certain data while a user who is directly logged in can add or modify the data.

There could be the option to integrate local user-authentication information on devices that support it by relating the “device passcode” to the local user-authentication data record. This could allow a device like a security system to give the user access to functionalities associated with the credentials service while the user still uses their regular passcode associated with the device.

Conclusion

Once companies like social-networking or photo-sharing sites work on ways to support multi-user one-device scenarios with limited user-interface devices, this could open up paths of innovation for the devices and the services.