If you hang out in fruit-friendly parts of the web – at CultOfMac, for example – you’ll have heard a fair buzz about a hands-free social networking password manager, based around the iPhone, from Ford.
Yes, you heard that right: Ford Motor Corporation.
Actually, that’s not as weird as it might sound at first. The automotive industry is at the forefront of contactless digital entry.
You can probably open and start your car, assuming you have one, more easily than you can get through the front door of your house. Yet modern cars are more secure and harder to twoc* than ever.
Sadly, Ford’s keyfree social networking product is only videoware at the moment.
The marketing video shows what looks like a keyless password manager in action and invites you to download it, but the URL it urges you towards is still just a Page Under Construction.
And at least some of the video looks like a mock-up: look for the configuration dialog which happily accepts the user’s keystrokes whilst unselected.
The idea is simple: you load your passwords onto your iPhone and – for as long as your iPhone is near your browser, and your browser is Chrome with the right plugin installed – you don’t need to type in your passwords at all.
Your phone talks wirelessly to your Mac (it’s a Mac in the video, at any rate) to supply the needed passwords automatically at the right time. As the narrator of the video enthusiastically explains:
Your smartphone is now your access key to every one of your accounts. Place your smartphone near your computer to unlock your accounts. Moving out of the room will automatically log off.
I particularly like the last part – the auto-logoff. I’m assuming the browser plug-in keeps polling your phone to make sure it’s still around, and clears your session cookies if it isn’t. That’s a fantastic feature.
But perhaps fantastic is the right word for the entire concept. That’s fantastic in the Oxford American Dictionary of English sense of “more appropriate to a fairy tale than to reality or practical use.”
I think that this approach, at least as it is presented in the video, is simply too easy.
If this were a contactless entry system for your car, it would be one which unlocked, started and automatically drove off in your vehicle every time you went near it. Worse, in fact: every time your keys were near it.
We’ve written numerous times on Naked Security about frictionlessness.
That’s the trendy social networking way of saying “in such a way that there are no pesky security warnings to click on first.”
Ironically, my advice is to take exactly the opposite approach to Ford’s password manager application:
1. Don’t get into the habit of automatically logging in to social media sites whenever you are at your computer. Log in only when you actually want to use the relevant service, such as Liking an article or Tweeting a news item.
2. Don’t log out from social media sites only when you leave the room or finish using your computer. Log out as soon as you have finished your current transaction.
3. Don’t treat the additional friction caused by (1) and (2) as your enemy. Remind yourself how much safer modern cars are because of improvements in braking. And that’s all about increasing friction, not removing it!
Nevertheless, I would use an app like this if I could skip the autologon part and have just the automatic forced-logout feature. That would take me one step further than just locking my screen after N minutes of inactivity.
A screen lock stops other people doing stuff on my computer, which is important, but doesn’t stop already-running programs from doing things on my behalf behind the scenes.
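A sketch of the logout-only behaviour described above, as an added example rather than anything from Ford's app (which could not be examined). The class name, the cookie-store stand-in, the domains and the three-poll grace period are all assumptions made for illustration.

```javascript
// Added example: logout-only proximity watchdog. All names are hypothetical.
class PresenceWatchdog {
  constructor({ cookieJar, protectedDomains, maxMissedPolls = 3 }) {
    this.cookieJar = cookieJar;            // Map "domain|name" -> value, standing in for the browser cookie store
    this.protectedDomains = new Set(protectedDomains);
    this.maxMissedPolls = maxMissedPolls;  // tolerate brief wireless dropouts
    this.missed = 0;
    this.events = [];                      // record of forced logouts
  }

  // Call once per poll interval with the result of the phone presence check.
  poll(phoneSeen, now) {
    if (phoneSeen) { this.missed = 0; return 'present'; } // note: never logs back in
    this.missed += 1;
    if (this.missed < this.maxMissedPolls) return 'grace';
    const cleared = this.forceLogout();
    if (cleared > 0) this.events.push({ at: now, cleared });
    return 'logged-out';
  }

  // Delete every cookie belonging to a protected domain; leave the rest alone.
  forceLogout() {
    let cleared = 0;
    for (const key of [...this.cookieJar.keys()]) {
      if (this.protectedDomains.has(key.split('|')[0])) {
        this.cookieJar.delete(key);
        cleared += 1;
      }
    }
    return cleared;
  }
}

// Constructed sample data: two social sessions, one unrelated preference cookie.
function demo() {
  const jar = new Map([
    ['facebook.example|session', 'abc'],
    ['twitter.example|auth', 'def'],
    ['news.example|prefs', 'dark'],
  ]);
  const dog = new PresenceWatchdog({
    cookieJar: jar,
    protectedDomains: ['facebook.example', 'twitter.example'],
  });
  // One poll every 5 seconds: a single dropout, then the phone really leaves, then returns.
  const polls = [true, false, true, false, false, false, true];
  const states = polls.map((seen, i) => dog.poll(seen, i * 5));
  return { states, remaining: [...jar.keys()], events: dog.events };
}
```

When the phone comes back, the watchdog reports it as present but restores nothing, so logging in again remains a deliberate act. Deleting cookies in the browser does not by itself end the session on the server, so a real implementation would also call each site's logout endpoint.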
–
*TWOC = Take Without Owner’s Consent. It’s the crime you commit when you nick a car to go joyriding. Technically, that isn’t stealing or theft, since you don’t intend permanently to deprive the owner of his wheels. It’s twoccing.
Image of foot about to slip on banana skin courtesy of Shutterstock.
Is this 2 articles merged together? It makes no sense. And GM has an OnStar app that does a whole lot of things, including starting the vehicle. Try to keep up!
It's one article. (You can tell by counting the number of headlines 🙂)
Ford's app is trying to transfer the concept of vehicular-style keyless entry and control from your car to your social networking accounts. So the automotive connection here is largely metaphorical, as is my mention of friction and braking.
(GM's OnStar app, on the other hand, really _is_ a car-control app. It doesn't manage your social networking presence. So it is neither behind nor ahead of this app from Ford. It's merely different.)
Interesting idea, seen something similar in the past regarding keyfobs and USB keys which unlocked and locked based on proximity.
My question would be while this looks good in the home scenario how would this interact with a corporate machine?
If the software is keeping you logged in since your phone is near but your domain policy forces a lock after 20 mins, which one wins???
Could this compromise some of the controls in place within organisations?
If I use this for personal as well as work passwords, could I end up trying to log into a restricted site whilst at work?
One real risk I see – especially at work – is that frictionless social networking logins make it difficult to be circumspect on social networking sites. You'd always be a click away from posting stuff by mistake, even when your intention was merely to look and not to comment or endorse…
The classic example of why autologin is bad on sites like Facebook and Twitter is clickjacking. If you get clickjacked on Facebook but you aren't logged in, the hidden "Like" button behind the clickjack image simply doesn't work. (A logged-out clickjack brings up the "You need to login" dialog, which not only prevents the clickjack but also alerts you to its presence.)
With autologin…
…bad luck! You (or your company) just endorsed some shonky dietary supplement, or invited your followers to win a free iPhone 7 🙂
When approaching the computer does the mobile device require that you have unlocked (via password) the mobile device before transmitting the credentials to the computer? Thinking along the lines of if the mobile device was stolen.
You'd hope so, wouldn't you?
And you'd hope that there is some kind of cryptographic handshake formally pairing your iPhone and your Mac (or whatever other devices) so that an unlocked iPhone won't simply replay the passwords to any other computer you might be able to set up yourself.
Sadly, the app wasn't there when I looked – I got a Page en construction/ Page under construction notice when I visited this morning. (Hang on…yep, still like that now.)
So I can't yet advise just what sort of protections and limitations have been built in. Or even if the app really exists 🙂
I guess the assumption is that you would never lose your phone and laptop at the same time.
Hmmm… I wonder.
Wow. This is a one-of-a-kind app. Is it like a sensor or something? How is it even possible that it'll automatically lock and unlock your things? I do hope app development melbourne could use this as an inspiration on their next project.
It's good, a little bit confusing too. I want to have this one further detailed. I will be thankful if I will have this favor.