People should drop passwords altogether

--- Quote from: Someone on June 13, 2022, 12:05:16 am ---they [platforms] want you to have a single client (for their misguided reasons) which we already see with RFC 6238 authentication implementations.
As I understand it, if you have multiple key pairs set up on a site, you have multiple identities there.
But that is purely a platform choice. Some places happily let you (once confirming your identity with client A) register/enrol device/client B to the same identity on the platform. But there is this push from other platforms that you may only have one secret key to use and you may never transfer/back it up (because SecURIty HoLEs !!$$@). It's that bit which is so infuriating, given that losing access to a key is something that will happen.

I lost a captive/hidden RFC 6238 key and had to abandon the identity associated with it, starting from scratch to build up a new trust and new identity (basic government services access), so it's a real problem that just gets shrugged off as part of necessary "security".

Well it will be interesting to see what they end up doing. But somehow I am not optimistic that they will pass up the opportunity to build silos.
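As an added illustration of the RFC 6238 point above (this is not code from the thread): a minimal TOTP implementation checked against the RFC's own SHA-1 test vectors, used to show that a second client enrolled with the same exported secret is indistinguishable from the first to the server, while any other secret is simply a different identity. The secret, client labels and demo timestamp are constructed for the example.

```python
# Added example: RFC 6238 TOTP (HMAC-SHA1, 30 s step) and a multi-client enrolment demo.
import hashlib
import hmac
import struct

RFC6238_SHA1_SECRET = b"12345678901234567890"  # the RFC 6238 Appendix B test key (ASCII)
STEP = 30                                      # time step in seconds, RFC default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)


def verify(server_secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew, constant-time compare."""
    return any(
        hmac.compare_digest(totp(server_secret, unix_time + STEP * d), code)
        for d in range(-window, window + 1)
    )


def multi_client_demo(unix_time: int = 1111111109) -> dict:
    """Two clients holding the same secret are one identity; a different secret is not."""
    server_secret = RFC6238_SHA1_SECRET            # what the platform stored at enrolment
    client_a = server_secret                       # the original authenticator
    client_b = bytes(client_a)                     # second device enrolled from an export/backup
    client_c = hashlib.sha1(b"constructed").digest()  # a device with some other secret
    return {
        "a_accepted": verify(server_secret, totp(client_a, unix_time), unix_time),
        "b_accepted": verify(server_secret, totp(client_b, unix_time), unix_time),
        "c_accepted": verify(server_secret, totp(client_c, unix_time), unix_time),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1 row for T = 59 (8-digit code)
    assert totp(RFC6238_SHA1_SECRET, 59, digits=8) == "94287082"
    print(multi_client_demo())
```

Once the secret is gone from every client, nothing in the protocol lets the server re-derive it; the only way back is a fresh enrolment, which is exactly the "start from scratch" outcome described above.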

For what it’s worth, it appears Apple’s upcoming implementation will sync the saved keys using iCloud Keychain, just as they do now for saved passwords. (FYI, the key syncing happens peer-to-peer between a user’s devices. More recently, they added a keychain recovery function, which obviously necessitates it being stored on a server. I haven’t had a chance to look into exactly how it works.) Since Apple already offers iCloud for Windows, and it supports the password manager functionality via a browser plug-in, I don’t think there’s any evidence that Apple would actively try and silo users now.

The FIDO Alliance announced in May their plans, supported by Apple, Google and MS, to allow users to use credentials on multiple devices without having to re-enrol. Not entirely certain this fixes the issue if your "primary" device (phone, key etc.) is lost/stolen.

* Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
* Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.