A security suggestion to the O/S developers
tdenson
Posts: 5,773
Forum Member
In our modern world I completely get why computer security had to become increasingly more robust. However, with it comes inconvenience. There is always a trade-off between convenience and security. What I don't get though is why I can be sitting at my computer in my own home and still have to jump through security hoops. Surely it is not rocket science for the O/S to determine my geographical location (GPS) and IP address and take a good guess that I don't need any security at all to log in or access websites - it could be an option to switch it back on for the truly paranoid amongst us.
It could also look at the MAC address of my router and various other features of my home network. I would be quite happy to gamble on the fact that a burglar who breaks in and steals my PC will not have the know-how to spoof my router's MAC address, my GPS location and my IP address.
It just seems so obvious to me that it should work like this, I spend 90% of my time at a trusted location.
Comments
Not all devices have GPS, and it doesn't work well indoors anyway. Location via IP address is also very suspect; often you just get the address of your ISP.
The MAC address of your router isn't helpful usually either. On a fibre network like Virgin, your router MAC address is checked by the ISP, but it isn't on ADSL. Also, your router's MAC address is only relevant until the next 'hop' which is your ISP's router, so it couldn't be used to authenticate you anywhere else on the Internet.
There are some good authentication methods emerging. Sending you an SMS to confirm works well for me. Biometrics are finally coming of age; TouchID is good on iPhone, and Microsoft Hello looks promising.
What do you mean by "behind that computer"?
I disagree.
Bear in mind I'm talking of a combination of criteria. My phone has GPS and talks to my computer which could take the last known position as a pretty good indicator. Also, I didn't mean that one's IP address determines your location, simply that a casual burglar is unlikely to know my IP address to be able to spoof it.
A MAC address is a unique identifier and yes I know they can be cloned, however I repeat, a casual burglar is unlikely to stop to log on to my router and check its MAC address.
I think we may be on cross wires, you talk about "anywhere else on the internet" - I am talking about sitting at MY desk in MY study in MY house in MY street.
SMS doesn't work well for me. I travel a lot, and it drives me potty to have to swap my UK SIM back into my phone to do something as simple as log in to my iCloud account.
I agree TouchID is promising but it's taking Apple ages to do anything with it. I suspect it's the "all or nothing" thing again. Why can't I use TouchID to do anything I like as long as I'm sitting at MY desk?
It doesn't have to be you. Someone could have broken in. Or just a family member that should not be able to access it. Such bypasses and shortcuts are always a problem that would compromise the security. As I wrote you are better off using biometric login, fingerprint or face recognition. As an OS provider you have to ensure unauthorised access won't happen. It's a lot of work to achieve that, you can't build in something that may compromise all that and cancel all that work.
I'm sorry but if I can't trust family members not to do bad things to my computer then I have worse problems than computer security. The point though is that if one indeed did have such fears then you wouldn't enable the relaxed security.
what if it's a work computer in an office? how is the internet or whatever you are thinking of going to know if it's a home pc or work one?
don't you think the professionals haven't thought about what you have said already and the state of play is the best way to do it now?
you can amend various settings on your pc and use password utilities if it really bothers you btw
I recently asked about that and was pointed at this page of advice which worked OK for me on Win 8.1.
At least that might go some way to reducing your irritation.
You can relax the security yourself on your responsibility. Don't ask OS maker to compromise their solution for your convenience.
If you read the thread you will see that I said, and I quote " I am talking about sitting at MY desk in MY study in MY house in MY street".
Well, I am a professional, and indeed spent 30 years in the industry either developing O/S software or managing people doing it, so I am thinking about it.
Fully aware of that but the whole point is to make it context dependent so you don't have to change anything.
I'm not suggesting compromising anything. This should be an option for those who want it, that means it's optional.
You miss the point. I don't want to compromise my security when I'm out and about. It is more trouble to change my settings each time I log on in my house than it is to put in the password, so that would be absurd.
i did. which is what led me to my reply. what makes you think i didn't read it and just made a reply without reading?
i see that, thus the reply to which you avoid giving a straight answer to a straight question
how is the software, website, or whatever going to know whotf you are, or wheretf you are, or wtf you are doing? how are they able to tell if you are a home user, a business, or someone else accessing your computer or account without your permission?
clearly over those 30 years you didn't put much thought into it
and how to expect that to happen with current technology that most people have in their homes?
I thought it was obvious but let me say it again. The software knows because you switch on an option that tells it that if a certain set of criteria are true then you are happy for it to believe you are in a trusted location. Let's be clear, this isn't forced on the user - it is an option.
I find that a bit offensive. At one time I developed security and backup software for a living, albeit a long time ago.
Given that we are talking about internet security, then by definition everyone has a MAC address of a fixed box in their home (i.e. the router) and they have an IP address. That's a good start. If you don't think it's good enough for you then how many times do I have to say - IT'S OPTIONAL, IT'S OPTIONAL, IT'S OPTIONAL. However, there are many potential refinements to this e.g. the fact that my Apple Watch knows it is still connected to my wrist since it was last security identified then it could provide locational authentication, likewise with phones.
Despite what you may think, I take security seriously, I use two factor authentication where possible, despite it being a complete pain at times. But when I am at home I want the other extreme. The easier it is to have it relaxed at home then the more prepared I am to make it stricter when away from home.
you clearly haven't thought this through. i'm not going to even waste time explaining
so why post such a daft question on this site of all sites? are you completely out of touch with the modern world?
just think about this. how are all the things you want to connect to going to know who you are and what your choices are? what about people using your pc or wifi without your permission? what about the preferences of the people running the things you wish to connect to? if i ran a website i'd take security seriously and specifically want people to authenticate and not avoid log in security. however similar to your opinions, different site owners will have different opinions, so some sites let you stay logged in permanently or semi permanently and others don't
the security of a physical item like an apple watch is a different kettle of fish. it's unlikely someone is going to take it off my wrist or take it from my desk at home. it doesn't hold personal data that anyone can access from another device. and that's partly why some sites are more lenient about security than others
You clearly are not listening so I'm not going to waste any more time discussing it. Suffice it to say that as and when one of the major O/Ss implements such a feature I will come back here and remind you of your ridicule.
You can designate a "trusted place" using GPS. When you're at that place Android won't require a PIN/password to unlock.
You can also use a trusted Bluetooth device (headset, computer dongle, watch or other wearable) to do the same thing when your phone is in proximity to them.
i'm not listening no. i've been READING. there's a difference. thankfully you won't waste any more of my time. no need to come back to ridicule as apart from being against the rules here, i won't really care
if you sat down and thought through the process steps of what you would like and what it would take you should be able to figure things out and see why they are as they are right now
It's normal and common for a phone to not even have a PIN at all. I have a PIN on mine because of my work email account that enforced it. It's not the same category of protection. So yes, it makes more sense for phones to put convenience over security in some cases.
I'm not arguing for such a system, merely stating that the features the OP wants already exist.
ChromeOS also supports Smart Lock.
I know, I just wanted to point out why it is more suited for a mobile than a Windows installation. We may eventually see something like that in a home edition, but I think MS is rather going in a direction of biometric login. It simplifies things for the users, but keeps the security measures tight.