Prediction: "voice passwords" (for countering deepfakes) will become the SMS MFA of interpersonal authentication:
Easy to add ... but too easy to intercept.
Perhaps "Please read back the OTP code sent to you via email, one digit at a time" would provide simultaneous voice authentication and intercept/reuse resistance.
@tychotithonus I don't understand your statement here. Maybe it's the overlapping ideas I associate with each individual word in the sentence, or the ambiguous phrase "voice password"
@buherator https://en.wikipedia.org/wiki/Countersign_(military)
A well-known sign/countersign used by the Allied forces on D-Day during World War II: the challenge/sign was "flash", the password "thunder"... Some countersigns include words that are difficult for an enemy to pronounce.
@BradRubenstein I hope you're being humorous, as we've been trying to train people out of doing that, almost since the birth of OTP ...
@screaminggoat It's what some people are calling the "private phrase you share in advance with your friends / family / co-workers, so that you can detect deep fakes, because the AI won't know your magical shared phrase". But maybe there's a better label?
@buherator
I see the analogy, but technically shibboleths (XKCD aside) work not just because they're known, but because they're difficult for imposters to replicate even when they know them.
It seemed like such a good idea at the time...
@tychotithonus As long as we can make the original text-based password obsolete and make the two factors something like this plus a yubikey then that's a win. #KillThePassword
This is a slightly different use case, but we don't have a clear / ambiguous name for it yet (post updated a bit to clarify, suggestions welcome)
@tychotithonus FBI just says "secret word or phrase" https://www.ic3.gov/PSA/2024/PSA241203
Create a secret word or phrase with your family to verify their identity.
I'd most likely resort to an inside joke which allows for more flexibility.
@tychotithonus Hollywood thinks the CIA uses "ID Challenge": https://www.youtube.com/watch?v=fx77j1vl4d8
@screaminggoat Ah, indeed. Post updated. I suspect we're going to need to come up with a more precise label for this ...
@screaminggoat Interesting! I hadn't seen that yet, that seems suitably precise.
@tychotithonus I linked the other one in @buherator's response but I'll emphasize it again: Countersign
@tychotithonus Regardless, I will stand by my original reply...
This IS an interesting idea though - I'm already trying to implement something along these lines at work for sensitive situations such as a person with higher privileges or higher access to sensitive data. It reminds me of the perfect cryptography of the One Time Pad but key management is obviously a complete pita - this has its own unique challenges. You get any farther along or have a breakthrough on the overall concept, pass it on!
@simplenomad Ah, indeed. Seems like we need a way for humans to perform a Diffie-Hellman check (that works, even if intercepted, and detects mismatches). Maybe assisted by an app, sort of like how Signal lets you verify, but with two different codes involved. This seems to automatically eliminate verbal, because it's not dense enough. But scanning each other's QR codes on the screen might work. Hmm ...
@simplenomad @tychotithonus
I have been looking into this same capability for my high-value employees. While I'm depending on them to remember two words (confirm vs. duress), I also want to build a confirmation service to let others in the company only confirm without seeing the chosen words.
This expanded access will mean that this same service will need to include an easy way for individuals to choose a new word once they've shared the current one to maintain effectiveness.
Have either of you identified systems that would support the above use case?
I'm not aware of an existing framework -- neither COTS nor even conceptual. Seems like a gap that needs filling.
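A sketch of the verify-without-reveal confirmation service described in the post above (an added example, not code from any poster or product): the service keeps only salted PBKDF2 hashes of each person's confirm and duress phrases, a verifier gets back a status rather than the words, and a phrase is replaced by proving the current one, since a phrase is burned once it has been spoken. The class and method names are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed example: a "confirm vs. duress" phrase check that never exposes
# the enrolled phrases to the person doing the checking. Names are assumptions.
ITERATIONS = 100_000  # PBKDF2 rounds; slows offline guessing of short phrases


def _normalize(phrase: str) -> str:
    """Phrases are spoken and typed back by a human: ignore case and spacing."""
    return re.sub(r"\s+", " ", phrase.strip().lower())


def _digest(phrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(phrase).encode(), salt, ITERATIONS)


class PhraseService:
    def __init__(self):
        self._records = {}  # person -> {"salt", "confirm", "duress"} (hashes only)

    def enroll(self, person: str, confirm: str, duress: str) -> None:
        if _normalize(confirm) == _normalize(duress):
            raise ValueError("confirm and duress phrases must differ")
        salt = os.urandom(16)
        self._records[person] = {
            "salt": salt,
            "confirm": _digest(confirm, salt),
            "duress": _digest(duress, salt),
        }

    def check(self, person: str, spoken: str) -> str:
        """Return 'confirmed', 'duress' or 'unknown'; the phrases stay hidden."""
        rec = self._records.get(person)
        if rec is None:
            return "unknown"
        d = _digest(spoken, rec["salt"])
        # Constant-time comparison against both hashes; the caller's side of the
        # conversation looks identical whether the confirm or duress word was used.
        is_confirm = hmac.compare_digest(d, rec["confirm"])
        is_duress = hmac.compare_digest(d, rec["duress"])
        if is_duress:
            return "duress"
        return "confirmed" if is_confirm else "unknown"

    def rotate(self, person: str, current: str, new_confirm: str, new_duress: str) -> bool:
        """Owner proves the current confirm phrase, then both phrases are replaced."""
        if self.check(person, current) != "confirmed":
            return False
        self.enroll(person, new_confirm, new_duress)
        return True
```

The verifier only ever learns the status, so the service can be opened to anyone in the company without widening who knows the words.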