Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want it but enforce/make them stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12357 times)


Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3915
  • Country: gb
Re: People should drop passwords altogether
« Reply #25 on: May 07, 2022, 07:21:36 am »
rfid glass capsules with crypto channel implanted under your skin
Basically this kind of capsule provides a password of 196 bytes.

is it good? let's check it out

It can uniquely identify a human around the world.
It's time stable, doesn't react with the immune system, and doesn't cause cancer.
It is chemically inert for humans, plants and animals
Doesn't need any battery, it's a true rfid low power system.
It is not based on the physical characteristics of a human being.
It can be easily applied with a pressure gun without anesthesia.
Cannot be spoofed and cannot be cloned (not easily).
You cannot forget it at home, it's always with you.
It is more secure than fingerprint, facial recognition.
It cannot be exploited to track your position.
It's a contact-less device but antennas need to be at mm of distance rather than meters.


But, where to implant?  :o :o :o
And ...
... can it be damaged by XRAY or by computed axial tomography?
mumble  :o :o :o

Implanting sounds easy, but for sure replacing such a device requires mini-surgery.
Nothing more serious than what a dentist does, anyway.

(
Ummmm, no, implanting such an rfid-capsule inside a dental capsule is probably not a good idea, even for how you would later authenticate, unless you like swallowing your smartphone and pushing it to the last molar tooth  :-//
)
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1639
  • Country: nl
Re: People should drop passwords altogether
« Reply #26 on: May 07, 2022, 07:47:19 am »
... and I can steal your digital identity/passwords on the next handshake we give.

Also, I think we should investigate how reliable we want our locks to be. Some people put a photograph online of their physical keychain with housekeys etc., not realizing that those teeth are measurable, and someone skilled can replicate that key. What would you do if you think someone then has access to one of your keys, but you can't reasonably ask them to hand them over? Obviously, you change out all the locks.

Good luck changing out bio-metric scans or RFID tags under skin. Or sometimes even phone numbers for 2FA verification (if you first need that number to login).
Even though you physically need to "scan" your finger.. in the end that scan is all a bunch of 1s and 0s. You must then presume the platform is properly secured for some hacker not to just make a raw dump of your scan data, which he could use as a dummy to repeatedly keep using your biometrics. Good luck changing it.

I honestly think virtually all the downsides to authentication nowadays are down to the users. Imagine if we lived in a world where everyone had a keypad doorlock with a 5 digit code to get in. What if half of the users had chosen "12345" or "00000" as their entry code? Or perhaps even "15951". Tough luck you got hacked, but also don't choose a simple to guess code. I think no insurance company would pay out to any of those codes.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #27 on: May 07, 2022, 09:02:34 am »
Passwords must go. But the main reason is not their inherent weakness. It’s because of the users.
The users must go.

Everybody who thinks otherwise is setting oneself up for a neverending game of whack-a-mole.
Some of them are paid money for playing it, hence articles like the one found in the OP.
« Last Edit: May 07, 2022, 09:05:51 am by magic »
 

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3915
  • Country: gb
Re: People should drop passwords altogether
« Reply #28 on: May 07, 2022, 10:34:22 am »
... and I can steal your digital identity/passwords on the next handshake we give.

the human wrist is not the best place to implant an rfid capsule, not only because you could try to steal the digital identity on the next handshake, but also because the wrist itself is anatomically the worst place, especially in the metacarpus area.

I think the best place where to implant is the skull, under the ear, there is a dimple of adequate size, and the gesture you would make is of adequate size, and the gesture you make to identify yourself is the same as you do to answer the phone.

Science fiction for now, but it makes sense for me.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline Gyro

  • Super Contributor
  • ***
  • Posts: 9504
  • Country: gb
Re: People should drop passwords altogether
« Reply #29 on: May 07, 2022, 11:00:58 am »
I have regular MRIs. I can't see them being happy about an RFID capsule being implanted in my head - I can't think of an area of the body that somebody isn't going to need an MRI on at some point.
Best Regards, Chris
 
The following users thanked this post: hans

Offline Brumby

  • Supporter
  • ****
  • Posts: 12298
  • Country: au
Re: People should drop passwords altogether
« Reply #30 on: May 07, 2022, 11:51:46 am »
  • what happens when you cut your fingertip and it is covered with a plaster, or permanently scarred?
Some years ago I procured a HP laptop for someone - and it had a fingerprint reader.  If I remember correctly, the user could record 3 different fingerprints.  So I said they should do two fingers on one hand and one on the other, to cover this exact scenario.

The concern I have is not so much the fingerprinting - but how reliably sensors can differentiate between the genuine input and fakes.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #31 on: May 07, 2022, 01:08:53 pm »
I wish people would actually investigate what’s being done before descending into outrage and hyperbole like so many posts in this thread.


That password authentication (as a system) offers poor security is a fact. Why is both complex and irrelevant. But if it were possible to make passwords into a reliably secure authentication method, you’d think we’d have figured that out over the last few decades. It’s reasonable to conclude that it can’t be done.


So the alternative is to look to other ways of authenticating. But this doesn’t mean it has to be biometrics. (Not that biometrics have proven to be particularly vulnerable. They seem to be proving themselves as superior to passwords. Not perfect, merely superior.) Those are but one option. Mobile phone codes, authenticator apps, and hardware devices are all widespread now. Don’t want to rely on a phone? Get a hardware key.


Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
 
The following users thanked this post: gmb42

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #32 on: May 07, 2022, 01:25:32 pm »
You can't get the password out of a dead man.
As to fingerprints or other parts of the dead body .... :-X

Agreed on that..

You can use fingers eyes and even DNAs of someone else..

Not with good old passwords..

These changes are just excuses to implement a PATENTED BASED API and security gizmos and chips.

They will come of course..    and very very VERY overpriced we will be forced to have them

Paul
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #33 on: May 07, 2022, 01:27:32 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #34 on: May 07, 2022, 01:32:24 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
They are more secure, and as I said, they are not all biometric. Perfect example of the uninformed hysteria I’m talking about.
 
The following users thanked this post: gmb42

Offline ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #35 on: May 07, 2022, 01:32:46 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when the sweet hack goes off, they get the keys to the kingdom.

« Last Edit: May 07, 2022, 01:35:57 pm by ConKbot »
 
The following users thanked this post: Karel

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #36 on: May 07, 2022, 01:34:39 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when the sweet hack goes off, they get the keys to the kingdom.
And even more uninformed hysteria.

Proving my point more: reacting without looking at what it is and isn’t. FIDO isn’t one company, and it’s not one standard.
 
The following users thanked this post: gmb42

Offline ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #37 on: May 07, 2022, 01:40:53 pm »
Yes, huge companies that sell advertisements also offering a SSO service, definitely won't track users, I'm totally being totally hysterical and unreasonable here. And it definitely doesn't provide a much nicer target for hacking.
 
The following users thanked this post: Karel, PKTKS

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #38 on: May 07, 2022, 01:46:34 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Privatized API of  services..  and the so called browser..
is now just 80%  a JS engine to track users and sell ADVERTS...

expecting to have 95% of browsing  just to advert buz..

Users forced to render their privacy to these APIs.

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #39 on: May 07, 2022, 02:51:45 pm »
 :palm:
Omg, the stupid, it hurts…
 
The following users thanked this post: hans, Bassman59, gmb42, golden_labels

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #40 on: May 07, 2022, 03:14:41 pm »
Passwords have their place. It's hard to change biometrics when compromised. Relying on hardware tokens or apps (worse security than hardware tokens) isn't a good idea either, because they can be lost, be taken by someone (with force?), have a dead battery or simply break. So you need backup tokens/apps and a way to quickly disable lost/stolen tokens/apps (similar to debit/credit cards). MFA is good for critical stuff like home banking, still a bit cumbersome.
 
The following users thanked this post: Karel

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: People should drop passwords altogether
« Reply #41 on: May 07, 2022, 03:49:20 pm »
What they're going after is for you to give up what in the 2FA ... particularly at "what you know/memorize (inside your brain)" as the 2nd part of 2FA on what you have physically (e.g. phone for OTP ... including your body parts like finger/retina (eye balls) etc) are "easily retrieval-able".  >:D

This idea only makes sense or valid, once "they" have discovered how to retrieve your password from your brain that probably they managed to yank out of your head.  :-DD

Offline ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #42 on: May 07, 2022, 04:46:19 pm »
:palm:
Omg, the stupid, it hurts…
I'm not the one suggesting a free service from an advertising company (which makes you the product) makes for a better login method than a good password or other 2FA method.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14472
  • Country: fr
Re: People should drop passwords altogether
« Reply #43 on: May 07, 2022, 04:54:37 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Indeed. =)
 

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #44 on: May 07, 2022, 05:22:44 pm »
Of course, this was all foretold by St John the Theologian, as revealed to him on the island of Patmos.
Revelation, chapter 13: verses 16 and 17.
[16] And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
[17] And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #45 on: May 07, 2022, 05:31:20 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.
 
The following users thanked this post: Karel, james_s

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14472
  • Country: fr
Re: People should drop passwords altogether
« Reply #46 on: May 07, 2022, 05:54:03 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.

Is it really for security reasons anyway? Or, at least, individual security?

Makes me think of the expression: "se jeter à l'eau de peur d'être mouillé". (Roughly meaning: "to jump right into the water for fear of getting wet.")

 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: People should drop passwords altogether
« Reply #47 on: May 07, 2022, 05:55:49 pm »
I like passwords, they're just fine if you put some effort into coming up with one that is easy to remember but difficult to guess. Unfortunately many sites have stupid (and often conflicting between sites) requirements that are not conducive to this, and a lot of people are idiots and use the same password for everything.
 

Online tszaboo

  • Super Contributor
  • ***
  • Posts: 7380
  • Country: nl
  • Current job: ATEX product design
Re: People should drop passwords altogether
« Reply #48 on: May 07, 2022, 06:18:20 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: People should drop passwords altogether
« Reply #49 on: May 07, 2022, 07:37:43 pm »
This problem can be used to verify your identity.

PKI works fine for that. There are some tangential problems where zero knowledge proofs are useful, Cloudflare uses it for attestation that a token is certified for instance, but that's a separate matter (attestation is not essential, webauthn allows self attestation for instance).
« Last Edit: May 07, 2022, 07:39:52 pm by Marco »
 

