
SnowShoe - Secure, intuitive, cost effective authentication for every device - fat16
http://beta.snowshoestamp.com/
======
VLM
I'm waiting for a startup to use the magnetometer in the smartphone to auth.
So assuming you know how to box the compass you need to face "Northeast by
north" in order to authenticate. This would probably sell pretty well to .mil
navy, maybe no one else, classic security by obscurity.

I'm also thinking there's space out there for celestial navigation startup
authentication system... so your 4sq / google latitude / whatever claims
you're in Alabama... prove it, point the phone at Antares click OK and Deneb
and click OK and the azimuth / elevation celestial navigation related calcs
had better match up for Alabama. I suppose "daytime people" could point the
phone at the sun or something. Many ignorant people think the sun and moon are
magically at perfect eternal opposition and it would be humorous to see how
much funding you could raise based on that inaccurate assumption.

A really interesting startup idea for a smartphone would be to use the
victim... errr... the user's social media location checkin to convince them to
point the phone at a nearby landmark to obtain a az/el which theoretically an
attacker would have a hard time figuring out ("Point the phone at the tallest
skyscraper in sight and hold it there for 3 seconds")

~~~
StavrosK
Why do something like this when TOTP is more secure and easier to use?

~~~
VLM
That brings us right back to the original startup article, why use what boils
down to a biometric hand geometry scanner with a piece of custom plastic
instead of the hand, when a hand is more secure, easier to use, etc.

If you're going to go for wild stuff for the sake of wildness, go gonzo, go
all the way.

~~~
StavrosK
> why use what boils down to a biometric hand geometry scanner with a piece of
> custom plastic instead of the hand, when a hand is more secure, easier to
> use, etc

I completely agree.

------
M4v3R
Wow, there is quite a competition in authentication right now. A week ago I
only knew about Google Authenticator, and now I already found out about:

* Authy

* Duo Security

* GetProve

* MePIN

* LaunchKey

* And now SnowShoe Stamp (it's a physical object you need for authentication)

All these have quite different goals, but strive to solve one problem - secure
authentication. It will be interesting to watch how this develops.

PS. From all these I personally like Authy the most, but for my use case (many
auths throughout the day from many users) it's too expensive. 20,000 API calls
(for $99/mo plan) may seem a lot, but having only 500 users doing 4 auths per
day will use it up already.

EDIT: Actually, the ideal solution would be to have an open source
implementation of Authy, that you could deploy on your own web server,
complete with corresponding iOS/Android Apps. One can dream...

~~~
bowmessage
I'm being pedantic, but 500 * 4 != 20000

~~~
M4v3R
5*400 = 2,000, a day. Multiply this by 30 days and you already have 60,000
auths per month, while only 20,000 are in the $99 plan.

------
StavrosK
I'm not sure how secure this is. It looks like any site you authenticate with
once can then spoof you to any other site you use this with.

~~~
ncw96
The same could be said about passwords. This device is probably best used as
part of a multi-factor authentication scheme.

~~~
StavrosK
That's why everyone says "don't reuse passwords". Making something like this
and calling it "secure" is misleading, at best.

This is useless as multi-factor authentication, because it turns it into
single-factor authentication. Anyone sniffing a single session or seeing it
once knows what it looks like, and can reuse it on any site. It's much, much
weaker than TOTP/HOTP, for example.

~~~
ncw96
I did some more reading on the site, and it appears that the product is not
aiming at user authentication. For example, they suggest that you might use it
as part of a loyalty program. The end user brings in their smartphone with an
app and the business stamps their phone as proof that they were physically
there.

~~~
StavrosK
Ah, it makes much more sense instead of a username. Odd, the title is a bit
misleading, then.

------
Spearchucker
Difficult to tell from a quick glance around the site how exactly this works.
The press release suggests iOS and Android are supported. The landing page
suggests all major manufacturers are supported. Does this then include
Blackberry and Nokia? Is there an HTML-only option? There are some SDKs that
target specific stacks, but no information on what device profiles they
target.

~~~
StavrosK
Looks like it just registers touch events at some points, and then you check
to see if they're the points the user should have. It should work everywhere
where multi-touch is supported.
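
Added example, not part of the thread and not SnowShoe's code: the replay point StavrosK raises above (a static pattern seen once verifies anywhere, unlike TOTP/HOTP), using a hypothetical matcher built on his guess that the stamp is just a set of checked touch points. The coordinates, `stamp_matches` and `TotpVerifier` are constructed for illustration; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import itertools
import math
import struct

def signature(points):
    """Sorted pairwise distances: unchanged by where/how the stamp is placed."""
    return sorted(math.dist(a, b) for a, b in itertools.combinations(points, 2))

def stamp_matches(touches, enrolled, tol=2.0):
    """Hypothetical static check: a pattern that passes once passes forever."""
    got, want = signature(touches), signature(enrolled)
    return len(got) == len(want) and all(abs(g - w) <= tol for g, w in zip(got, want))

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """RFC 6238 check that also refuses a time step it has already accepted."""
    def __init__(self, key, step=30):
        self.key, self.step, self.last_step = key, step, -1

    def verify(self, code, now):
        current = int(now) // self.step
        if current <= self.last_step:
            return False  # same code inside its own window: replay
        if hmac.compare_digest(hotp(self.key, current), code):
            self.last_step = current
            return True
        return False

# Constructed sample data (not real stamp geometry): five enrolled contact points.
ENROLLED = [(0, 0), (40, 0), (40, 30), (0, 30), (18, 11)]
# One observed stamping: same shape, shifted on the screen, with sensor jitter.
CAPTURED = [(100.4, 200.1), (140.2, 199.8), (139.9, 230.3), (100.1, 229.7), (118.0, 211.2)]
KEY = b"12345678901234567890"  # RFC 6238 test secret

def replay_outcomes():
    """(stamp replay accepted, TOTP first use at t=59, same code replayed at t=119)."""
    verifier = TotpVerifier(KEY)
    code = hotp(KEY, 59 // 30)  # the code an observer saw at t=59
    return (stamp_matches(CAPTURED, ENROLLED), verifier.verify(code, 59), verifier.verify(code, 119))
```

`replay_outcomes()` returns `(True, True, False)`: the recorded touch pattern still verifies, while the recorded one-time code does not.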

------
alexvay
What's wrong with NFC? I thought the goal was to walk away from external
tokens like SecurID - far more secure but bulky. At least I can wear an NFC
authenticator as a ring.

