Apple Invents an Ingenious Security System for the iWallet Era
Make no mistake about it. As we move closer to a point in time when the iPhone could double as an iWallet, security will be the killer feature that consumers will demand. Two weeks ago Apple introduced us to one of their future security systems that will handle auto login using advanced facial recognition technology. That'll be great for iDevices not handling important documents and/or financial instruments such as debit and/or credit. For that, Apple has invented a heavy duty second tier of security that is quite ingenious. The key rests in splitting a user's password recovery secret amongst two devices that are never carried together at one time. And you know it's a serious security project at Apple when Bud Tribble, Apple's VP of Software Technology, is the man behind this endeavor.
The Problems Associated with Today's Security Login Measures
Computing devices, such as desktop computers, laptop computers, smartphones, PDAs, and so forth, include security measures requiring a user to enter credentials, such as a username and password, to obtain access to the computing device. However, it is inevitable that at least one user will forget their username and/or password. One approach to recovering this information is to log in as an administrator to reset the password, but this approach often fails because the user typically forgets the administrator credentials or forgets that the administrator account even exists.
Another approach is to prompt the user to enter a password recovery phrase, such as "what is your mother's maiden name?" However, users typically enter this information once during account creation and often forget what they entered as the password recovery phrase. Yet another approach relies on biometrics, but this approach is not useful when the user is not nearby the computer or when the user dies, for example.
Many users view the above approaches as too inconvenient, especially if they involve a system administrator. The result is that the user chooses not to use a password or uses a trivial password, such as a short password or an easily guessable password.
Especially in the case of portable computing devices, this presents a security risk if an opportunistic thief steals the device. Although it could be difficult to provide both convenient password recovery and security in all use scenarios, one increasingly important scenario involves protecting a portable computing device when a user carries the device separately from a commonly associated peripheral device. If this particular use scenario could be protected and password recovery could be provided in a convenient way, then the user is more likely to use a password, and protection will be increased.
Accordingly, what is needed in the art is an improved way to recover lost or forgotten electronic credentials, while still protecting the computing device in the common case when it is not with its associated peripheral device.
Apple's Secret Solution
Apple's invention describes an approach which stores a credential recovery secret associated with a computing device on a peripheral or companion device.
Threat Models
One of the threat models which this approach addresses is that in which an opportunistic thief steals a portable device while the user is "out and about", that is, the device is being carried by the user and is physically separate from its associated peripheral or companion device. One example is a student who takes her laptop computer to a university class but leaves the docking station in her dorm room, or an executive who takes his smartphone to a client meeting but leaves the charging cable in his office. Another example is an employee who takes his portable media player to work but leaves the power cord in a locker.
Although there are other threat models that are not directly addressed by this method, this is an important one for portable consumer devices. If the password is not easily and conveniently recoverable, the consumer is likely to choose either not to use a password at all or to use a trivial password. Both of these choices can increase the threat of data loss.
Peripheral or Companion Devices
In one aspect, the peripheral or companion device should be something that users are already familiar with and use on a regular basis, such as a power adapter, printer, portable hard drive, wired or wireless network router, backup device, flash drive, a smartphone, a mobile device, a remote control, and an external monitor.
The peripheral or companion device could be a power adapter that stores a password or credential recovery secret and could include a first interface configured to connect to an electrical source, a second interface configured to connect to an electronic device, an intermediate module to adapt electricity from the electrical source for the electronic device, a memory, and a third interface connected to the memory through which a password recovery secret associated with the electronic device is received for storage in the memory.
The Key: Splitting the Recovery Secret
In one implementation, the recovery secret is data which is meaningless without the use of some companion data on the associated computer to understand and/or complement the recovery secret. The credential recovery secret could consist, for example, of the password encrypted with a large randomly generated universal unique identifier (UUID) associated with and stored on the computing device. Part of the credential recovery secret could be stored on the peripheral or companion device and part could be stored on a network accessible server. In one aspect, the credentials could be recovered via a combination of parts from the peripheral and the network accessible server. In the case of storing the credential recovery secret on a power adapter, the power adapter could provide power and a data connection to store and retrieve the credential recovery secret via a same physical connector.
In one variation, the system generates the recovery secret by encrypting the password using the UUID as the key. The system then stores the encrypted password, which is the credential recovery secret, on the peripheral device, and stores the UUID on the computing device. In this way, when the peripheral device is attached, the system could retrieve the encrypted password, and decrypt the password on the computing device using the UUID as the key. Because the computing device only has the UUID, the computing device cannot recover the password by itself, and because the peripheral device only has the encrypted password, the peripheral device can't recover the password by itself.
Further, the UUID could be a sufficiently large number of bits, such as 128 or 1024 bits, so that a brute force attack is not able to easily discover the UUID. However, when the peripheral device is connected to the computing device, the computing device has access to both the UUID and the encrypted password, and could recover the password by decrypting with the UUID as key.
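As an added illustration, not code from the patent or from Apple, here is the UUID-keyed scheme from the passages above in Python: the computing device keeps a random UUID (128 bits by default), the peripheral holds only the encrypted and authenticated password, and a 2-of-2 XOR split lets one share live on a network server as the text also describes. The standard library has no block cipher, so an HMAC-SHA256 counter-mode keystream plus HMAC tag stands in for a vetted AEAD such as AES-GCM; that substitution, the 16-byte nonce and the share layout are my assumptions.

```python
import hashlib
import hmac
import secrets

def new_device_uuid(bits: int = 128) -> bytes:
    """Large random identifier generated and kept only on the computing device."""
    return secrets.token_bytes(bits // 8)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for a real block cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_recovery_secret(password: str, device_uuid: bytes) -> bytes:
    """Computing device side: encrypt and authenticate the password under the UUID.
    The returned blob (nonce || ciphertext || tag) is what the peripheral stores."""
    nonce = secrets.token_bytes(16)
    pw = password.encode()
    ct = _xor(pw, _keystream(device_uuid, nonce, len(pw)))
    tag = hmac.new(device_uuid, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def recover_password(blob: bytes, device_uuid: bytes):
    """Return the password, or None when the UUID does not match the blob
    (a stolen laptop plugged into someone else's adapter, or a tampered blob)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(device_uuid, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(device_uuid, nonce, len(ct))).decode()

def split_secret(blob: bytes) -> tuple:
    """2-of-2 XOR split of the recovery secret: one share for the peripheral,
    one for a network server. Either share alone is indistinguishable from random."""
    share_peripheral = secrets.token_bytes(len(blob))
    return share_peripheral, _xor(blob, share_peripheral)

def join_secret(share_a: bytes, share_b: bytes) -> bytes:
    # Recombine the peripheral share and the server share into the original blob.
    return _xor(share_a, share_b)
```

Neither the device (UUID only) nor the peripheral (blob only) nor the server (one share only) can produce the password on its own; only the correct UUID plus the reassembled blob does.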
The password recovery approaches described in Apple's invention could be used in conjunction with other password recovery approaches, so that a user has a choice or option of more than one way to recover a lost password.
Apple's Best Scenario
At the heart of Apple's invention they provide us with a full scenario which helps us understand the invention plainly. Apple describes a student bringing her laptop to study in the public library for an hour between classes. Because the expected study time is only an hour, she doesn't bring the laptop power adapter with her. The student opens her laptop and sets up her study materials in what she assumes is a safe corner of the library. She leaves the laptop unattended for a few moments to ask the librarian a question. When she returns the laptop is gone. A thief has stolen her laptop - but without the associated power adapter. The thief charges the stolen laptop with a different power adapter, but when the thief tries to retrieve the password from the laptop while connected to the different power adapter, the password recovery process disclosed herein is futile and does not yield the password.
In Patent FIG. 2, a laptop computer is one example computing device 202, but it could be any computing device that allows access to one or more resources based on credentials, such as a desktop computer, an all-in-one computing device, a smartphone, a tablet computer, a portable media player, a netbook, a thin client, and so forth.
Virtually every such computing device requires a link to a power source 206, and some include internal and/or external batteries which, when charged, provide for mobile use of the computer. One such link is a power adapter 204. Apple states that one reason for storing a password recovery secret in a power adapter is that users are already accustomed to using power adapters. Including this extended functionality has effectively zero resistance to consumer adoption because it does not change established consumer behavior.
In Apple's patent FIG. 3 shown below we see a first example user interface dialog 300 for when a user forgets a computer system password which has been stored on a peripheral. If the power adapter is not attached, the system displays a dialog 400 as shown in FIG. 4. After the user clicks the "OK" button 402 or if the system detects that the power adapter is already connected, the system displays the dialog 500 as shown in FIG. 5.
Each Peripheral in a Group Could Carry a Different Password
The peripheral could store more than one password, for more than one user, and for more than one computer. The peripheral could store system passwords, website logins, other individual keys (such as PGP keys), and/or all or part of a keychain.
In one aspect, each peripheral in a group of peripherals stores a different aspect of the system. For example, a power adapter could store the system login credentials, a docking station could store file system encryption data, a home network router could store a keychain, and so forth. When the user attempts to recover the password, the system could prompt the user to connect the appropriate peripheral if it is not already connected.
A thief who steals the system while the user is "out and about" would not have at their disposal these peripherals to assist in recovering the stored passwords and credentials, and would thus be unable to use this approach to recover data from the system.
The Ability to Add Extra Layers of Security
In addition to splitting your recovery secret amongst peripherals, Apple is adding the ability to add yet more layers of security to your various computers. Apple states that in one aspect, the password recovery secrets stored in a peripheral could be tied to a biometric or other authentication. For example, when the user desires to restore the password using the password recovery secret, the power supply could require a fingerprint scan on the power supply itself or on the computer. And, in theory, Apple could also allow users to implement a facial recognition system component to the mix here.
In another example, when the user desires to restore the password, the computer retrieves a first part of the password recovery secret from the power supply and a second part of the password recovery secret from a secure server over a network, as noted earlier (perhaps using a work server and/or a future iCloud connection component; see below).
A Basic Overview of a Next Generation Power Adapter that's Smart
Apple's patent FIG. 6 shown below illustrates an example power adapter 204, power transformer 204c and exemplary internal components.
Apple states that the computer could read and write credential recovery secret data to the memory (see patent point # 612) via the data connection. The memory could store recovery secrets in plain text format, in an obfuscated format, or an encrypted format. In one aspect, the recovery secret is data which is meaningless without the use of some companion data on the associated computer to understand or complement the recovery secret.
The intermediate module 204c could optionally include a processor 614 to facilitate access to the memory, but could function without a processor. For example, the power adapter could simply serve as secure mass storage which does not provide its own processing power and must be accessed using processing power of the attached computer.
The input/output interfaces noted as patent points 616 and 618 could be any suitable wired or wireless connector, such as serial, parallel, universal serial bus (USB), IEEE 1394 (Firewire), external serial ATA (eSATA), Ethernet, and "other yet-to-be developed or proprietary connectors," which of course could be an upcoming version of Thunderbolt connector compatible with iOS devices.
At the End of the Day
It's clear that Apple's latest patent application goes a long way in demonstrating Apple's focus on taking device security to the next level. Losing data is a major headache to be sure – but imagine the day when your iPhone will double as your iWallet. Imagine the grief and panic you'll experience when that scenario kicks in. For damn sure you'll want the very best security from Apple working for you until you're able to notify your bank of the situation before real damage is done to your finances.
Consumers will either end up shying away from using their iDevices as an iWallet out of sheer fear of losing it or having it stolen, or will have to be convinced that Apple has an ironclad security solution in place. In this latest patent, Apple believes that they've made the solution easy enough for consumers to want to use it and difficult enough to thwart disaster.
By providing consumers with the ability to add extra layers of security, such as biometrics of one kind or another and/or tying their devices to a work or Apple cloud solution, it would appear that Apple will be able to appeal to all levels of security minded consumers from novice to expert. And for die-hard Macites, knowing that Bud Tribble is behind this invention will be enough of a seal of approval for them.
Guy L. "Bud" Tribble, MD, PhD is Vice President of Software Technology at Apple Inc. Tribble served as the manager of the original Macintosh software development team where he helped to design the Mac OS and user interface. He was also among the founders of NeXT, Inc., serving as NeXT's vice president of software development. Avie Tevanian, Apple's former senior vice president of Software Engineering, stated that Tribble was "one of the industry's top experts in software design and object-oriented programming."
Apple's patent application was originally filed in Q3 2010 by inventor Guy Tribble.
Notice: Patently Apple presents a detailed summary of patent applications with associated graphics for journalistic news purposes as each such patent application is revealed by the U.S. Patent & Trade Office. Readers are cautioned that the full text of any patent application should be read in its entirety for full and accurate details. Revelations found in patent applications shouldn't be interpreted as rumor or fast-tracked according to rumor timetables. Apple's patent applications have provided the Mac community with a clear heads-up on some of Apple's greatest product trends including the iPod, iPhone, iPad, iOS cameras, LED displays, iCloud services for iTunes and more. About Comments: Patently Apple reserves the right to post, dismiss or edit comments.
@Macguber I am sure you read the report that stated clearly that from a users perspective, the hardware would not change.
The end-user dialog looks pretty simple...
If your MacBook was stolen, and the dopey thief doesn't take the power supply... the MacBook is useless...
Posted by: Rob | January 10, 2012 at 04:31 PM
@ Macguber. The concept couldn't be easier. There's nothing "complicating the plumbing" here at all. I'm sure it's optional to begin with and secondly, the iPhone and iPad come with a charger that could integrate this security option. I for one think it's a great security option. To each his own.
Posted by: MonkeyMo | January 10, 2012 at 09:04 AM
What a dumb idea. The more you complicate the plumbing, the easier it is to stop up the drain.
Posted by: macgruber | January 10, 2012 at 06:06 AM