CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamai because it provides web acceleration and DOS protection through the use of a Content Distributed Network (CDN), it is also different. As explained by its founder, Matthew Price, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different price model starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.
In a nutshell, CloudFlare appears to be a service that can help optimise and protect any websites for no or little money.
What actually prompted me to look into that company, is a recent hacking incident they were the victim of. One that saw its founder’s gmail account compromised through a Google password recovery bypass, using a flawed AT&T voicemail redirection. This was used to leverage a Gmail Enterprise Account flaw in its dual Factor Authentication which resulted in the compromise of one of CloudFlare customer account. Although the hacker had a bit of luck as it needed a phone call to reset Google Mail account password to go to Matthew’s voicemail, it was a fairly sophisticated attack.
But what impressed me the most, and the reason why I see CloudFlare in a very positive light even after this successful hack, is how this company responded and how it disclosed the details of the attack. I really think the timeline as shown below (taken from the CloudFlare website) is a very effective way of representing an attack, its reasons of success and the countermeasures taken. You can read more details about this attack on the company’s blog.
After looking at the new features listed for Windows 8, one in particular caught my attention: The Picture Password Login.
It is a very refreshing approach to authentication!
You are presented with a photo at log in and instead of entering a password, you have to touch the image according to the “allowed” touch sequence you registered your user with. In some respect it is similar to the existing gesture based authentication mechanisms you can find on some smartphones (anyone remember that feature on the Palm V?!), but I think it is taken to the next step.
Microsoft is maybe trying to do to passwords what Apple did to the Walkman.
By providing you with a photo of your choice (i.e.: your own family picture), and a restricted number of gestures (point, draw a line and circle) it is easier to remember a sequence, more natural and more personal. For exemple, you would circle the head of your best friend, touch the feet of your child and stroke your dog…
It is simple, yet secure because there is a very large number of possible combinations. Or is there?
I can see the appeal but I wonder about the following:
a) Could someone who know about you guess what you are likely to touch on that photo first, second and third, etc
b) It would be visually very easy to remember, for you… and also for anyone looking over your shoulder!
I am therefore not 100% convinced, but it would make hardware keylogers more difficult to design (softwares one should just work as well as now by providing a screenshot with logged gestures). And it could actually improve security over a complex password on a post-it or a very simple “hello” password. However, how would this work in an open office environment where everyone can see your screen?
In any cases, well done Microsoft! as stated at the beginning of this article it is a very refreshing approach to authentication and a bold one!
More information can be found in that article and below is a demonstration video of this feature.