Dual layer login to resist keyloggers

I mentioned this on another thread - but it is probably worthy of it’s own discussion.

Could we build a SAFE account just to guard our credentials for our real SAFE account?

So - I log into SAFE with username password, PIN, and that could bring up an app that has a visual quiz that is keylogger resistant… Select on the 3 pictures that you uploaded out of the 20 displayed for example. Passing the quiz would log you into your real SAFE account. The first one is just an account to hold your account.

You couldn’t do the quiz with the first login, because the network doesn’t know if you exist or not… But once you are in someplace you could be served content that is user-specific.


As I mentioned before as well, if you are compromised -you are compromised.
Russian banking malware not only logs keyboard strokes, but monitor mouse movements and taking snapshots when you click with your mouse.

The only way to thwart keyloggers is with out-of-band authentication.


Think of computing more fundamentally. Gui is just a layer for visualization. The problem doesnt vanish with additional layer or gui. There is also console command line text mode input output any many other things. Logging in doesnt necessarily mean typing keys or buttons on a keyboard or moving a pointer.

I would think you would want to maximize the number of sensory channels necessary to both surveil and synchronize to have the best security possible…

Once inside, you could also trigger an SMS / email authentication or something along those lines.

You are complicating matters, just use a OTP token and the problem is no longer a problem.


I have a similar idea months ago…

Why don’t use an account and an application in the SAFEnet to avoid keyloggers and other threats?

Might work as follows:
1 / We entered an account with the SAFE App Launcher that only have inside a single App. (We could call this App SAFEBridge)
2 / This application, for example, could have a system of One time
password as two-factor authentication, token proprietary as RSASecurID
or paper hardcopy with Transaction authentication number.
3 / This application, once we authentify, open our true account that will be secured. Now we can close the first account.

In this way an attacker with a keylogger could access the first account but not the second one.

Of course, if we are in a secure environment, we can enter to the second account on a regular basis.

Yes its keylogger resistant, like some things are water resistant. Not proof against the malware.

Your idea would only protect against actual keyloggers but what happens next, the person attempting to steal your credentials has to now only guess your visual “password” which of necessity has to be less complex than a traditional password. They could automate the cracking and get in real quick.

BUT this does not stop the later keyloggers which includes screen shots and mouse movements. These (now old) keyloggers will collect your visual “password” just as easily.

In effect all you have done is eliminate the threat from one type of malware and given a sense of security to the user.

You need to incorporate a challenge-response that cannot be copied. Ideally this would be from a device that is separate from your device that is logging onto the SAFE network. even a OTP like Poloniex’s 2FA would be far better than the visual “password”. But something along the lines of RFC Possibility SQRL adapted for this purpose would be superior.

Maybe for those in Australia &/or NSW where NSW Police or ASIO can now legally enter your house in secret and plant malware on your computer install spy cameras around your house etc. We can have say a USB connected device that receives the challenge and responds from/to the group.

The challenge/response removes the requirement for a password and because it is encrypted and each challenge is used once only the attacker could record everything and never be able to reuse it. Your account is safe as long as you never reveal the challenge/response device’s key.


I love my yubikey’s!

The app would probably have to be commercial, which may be a problem.

It would be even more secure to have two layers of such apps, so that the first app opens a second app of the same kind. :wink:

No reason it needs to be commercial.

A quiz where I have uploaded 100 pictures, and they are intermixed with thousands of pictures other people took – I identify my own. if it showed me 2 intermixed with 25 others, even if somebody spied on me for quite some time, they would have a difficult time passing the test…

A simple key exchange signing may also work. It gives me a random set of characters - I enter that or QR scan into a secondary device and digitally sign it – easy enough - totally secure - and no commercial software needs to be involved.

One time password tokens are fine - but they aren’t always cheap or readily available…

There could be lots of options for the second layer… some for people with OTP tokens, one for folks with smartphones, one for folks with nothing. Or even nothing if you are someone who doesn’t care…

But having the second layer helps a lot because the network can know enough about you to give you a second factor to authenticate at that point.

The following might seem a bit silly but one idea is to prerecord a series of words using your voice. Upon initial account creation, the client gives the user the option to use the second authentication layer were all talking about here. Once chosen by the user, the client begins recording the users voice. A list of words non dictionary terms like “sward, krepec, bloma, creeze, bloice, tranip, graxza, lakelamo, hamur, etc”. The user reads and registers each. When the user logs in, they are then required to say one of the words. Once verified, authentication is then complete. Every word that is used is then black listed until 90 percent of recorded terms are used. The user is then warned that only a few recorded words are left. This prompts the user to record new randoms terms again. This can be done on any machine. This way an attacker monitoring your machine cannot just copy your voice signature for a given word and reuse it to log into your account. As long as the fist time setup of the account is not already compromised, a attacker will never be able to create a perfect rendition of a users voice for a given word. I know its an unusual idea but it might work with some tweaks.

1 Like

I’ve always been skeptical of yubikey. I mean, can’t an attacker just intercept the password programmed into the yubikey? If an attacker is monitoring your system, wouldn’t they know the one time password? I’ve yet to find a technical explanation as to how the yubikey prevents interception of its contents (i.e passwords). This really seems quite odd. I have to be missing something. Wouldn’t a compromised machine mean game over? NFC seems even worse unless an encrypted tunnel is created before password exchange. Please help me figure this out. If yubikey is the holy grail of password security I should not be overlooking it. To think something like this could solve all of our PW woes for 20 - 50 bucks. Seems to good to be true.

Is the private key stored in the picture?

If so, I like the idea. However, it should be more than 3 images. 1/3 margin error is pretty low. Should be like 1/60 or something to increase the difficulty.

Any insight on the yubikey questions?

If there’s 1 million photos, it would take you forever to find your photos.
If there’s 100 photos 2 of which are yours, they need to spin 100 clients and keep trying for (I guess) 2 minutes to get the right combo (10000 tries means 100 tries per each of 100 clients, or 100 or so seconds).

I tend to think it’d have to be out of band and with a way to regain access in case you accidentally forget or lose information that helps you get through that layer.

1 Like

Like I said, there could be lots of different options for the second layer. The advantage of the photo system is that it requires nothing else – (no smart phone, No one time password token etc)

Ideally all options ought to be possible and if you have a cellphone or token you could use that instead.

Finding 2 familiar items against 23 unfamiliar items wouldn’t take more than a few seconds in most cases, if you planned ahead on what photos you would submit…

Yeah, but a bot would just pick any 2 and see if it checks. They don’t need to look.
A chance of success is 1/25 * 1/24 or 0.1666% so only about 6,000 attempts would be required, or 60 per bot if 100 bots with 1 try per bot per second is the speed of trying.

You’d have to select 4 of 10,000 to make it a bit safer, but that would take you 1 hour, and wouldn’t make it much safer against bots.

We already discussed the cellphone idea: who is it that you want to give your phone number to, and why would they contact you (and provide service) for free?

Tokens are a realistic option, but then this was discussed too and the most paranoid members of this forums wondered which token providers “aren’t compromised”. Also I would argue tokens are commercial solutions.

You could probably throttle how frequently it lets you try after errors though… or make them pick 2 out of 50 after 1 miss and 2 out of 100 after 2 misses.

I am not at all stuck on that idea. There are lots of options - In order for somebody to get to this point, they would have had to already keylogger attack you… The object of the game is to make it hard enough that somebody has to intentionally target you to hack – Rather than just install a key-logger and get free pass to anybody who signs onto SAFE from that particular machine…

Have you considered a situation where someone plants a key logger to your system and you protect your access by having a second layer (whatever it is)?

It seems to me you’d still have a key logger that logs everything you type on your device.

1 Like

Seems to me that a keylogger is more likely in a library or public machine. Keyloggers ought not be tolerated - but you can buy them on ebay for a few bucks, so they ought not be ignored as a serious threat too…