Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want it but enforce/make them more stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 38

Author Topic: People should drop passwords altogether  (Read 6367 times)

0 Members and 1 Guest are viewing this topic.

Offline Marco

  • Super Contributor
  • ***
  • Posts: 5919
  • Country: nl
Re: People should drop passwords altogether
« Reply #125 on: June 18, 2022, 06:23:28 am »
There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.

I wonder if it would be possible to fake a FIDO2 device, but generate the keys with SQRL. Obviously wouldn't work when attestation is required, but I don't think most websites require that.
« Last Edit: June 18, 2022, 06:25:16 am by Marco »
 
The following users thanked this post: Someone

Online Someone

  • Super Contributor
  • ***
  • Posts: 3608
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #126 on: June 18, 2022, 07:24:35 am »
There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.
I wonder if it would be possible to fake a FIDO2 device, but generate the keys with SQRL. Obviously wouldn't work when attestation is required, but I don't think most websites require that.
That's part of the problem, FIDO has information from the device/client/authenticator to verify that it has a valid (model specific) certificate, a certificate that can be revoked if the FIDO organisation doesn't feel that it is meeting their requirements. If they say you can't have the user transferring certain types of keys, then anything letting the user transfer those keys could be revoked.

This discussion ends up rather convoluted and difficult as there are different type/functional "keys" within the proposed systems. So while there are cute projects to help users take control of keys:
https://dicekeys.com/
other keys are not for users to see/backup/transfer.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 1457
  • Country: us
Re: People should drop passwords altogether
« Reply #127 on: June 18, 2022, 03:22:00 pm »
My understanding is that FIDO2 generates a random private key for each site.  But if it's the client that generates the keys, then in theory you could just as easily use the key generated by SQRL.  The server would have no way of knowing the difference.  In fact, I believe FIDO2 uses, or optionally can use, the same elliptic curve that SQRL uses.  But as Someone says, FIDO2 may have ways to prevent that.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf