Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want them but enforce/make them stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12356 times)


Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #75 on: May 09, 2022, 06:10:24 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is going to memorize their private key and do the math by hand.


I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and encrypted key, you unencrypt it and send it back re-encrypted and I verify, or something like that. The principle is that the math is reversible and at no time is the actual key transmitted.
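The exchange described above (a fresh value sent to the user, signed or re-encrypted with a key that is never transmitted, and checked on the other side) is a challenge-response login. The following Go program is an added example, not code from this forum thread or from any product mentioned in it. It assumes an Ed25519 keypair held on the client, which is the "something you have", and a server that stores only the public key; the user name and server struct are made up for the illustration. It shows both messages of the exchange and the two checks a defender wants: every challenge is random and accepted once, so a recorded response cannot be replayed, and a response signed with some other key is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// signedMessage binds the response to the user name and to this protocol,
// so a signature obtained for some other purpose cannot be presented as a login.
func signedMessage(user string, nonce []byte) []byte {
	return append([]byte("login-challenge:"+user+":"), nonce...)
}

// Server holds one public key per user and the challenges that have been
// issued but not yet answered. No secret is stored on this side at all.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string]string // hex(nonce) -> user it was issued to
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

// Register is the enrollment step: the client hands over only its public key.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge is message 1 (server -> client): a fresh random nonce.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Verify consumes message 2 (client -> server): the signature over the nonce.
// Each nonce is accepted at most once, so a captured response is useless later.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	issuedTo, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, key) // single use, whether or not the signature checks out
	if issuedTo != user {
		return errors.New("challenge was issued to a different user")
	}
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signedMessage(user, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Client keeps the private key; it is never sent anywhere.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{user: user, priv: priv}, pub, nil
}

// Answer signs the server's nonce; the response reveals nothing about priv.
func (c *Client) Answer(nonce []byte) []byte {
	return ed25519.Sign(c.priv, signedMessage(c.user, nonce))
}

// RunExchange performs enrollment, one login, and a replay of the same
// response. It returns (loginAccepted, replayRejected, err).
func RunExchange() (bool, bool, error) {
	srv := NewServer()
	alice, pub, err := NewClient("alice") // constructed demo user
	if err != nil {
		return false, false, err
	}
	srv.Register("alice", pub)

	nonce, err := srv.Challenge("alice")
	if err != nil {
		return false, false, err
	}
	sig := alice.Answer(nonce)
	loginAccepted := srv.Verify("alice", nonce, sig) == nil
	replayRejected := srv.Verify("alice", nonce, sig) != nil
	return loginAccepted, replayRejected, nil
}

func main() {
	ok, replay, err := RunExchange()
	fmt.Println("login accepted:", ok, "replay rejected:", replay, "err:", err)
}
```

Deployed protocols of this shape, WebAuthn/FIDO among them, also put the relying party's origin into the signed data so that a response obtained by a look-alike site cannot be relayed to the real one; the example binds only the user name and a protocol label, which is the minimum that keeps a signature from being reused across purposes.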
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #77 on: May 09, 2022, 06:51:14 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is going to memorize their private key and do the math by hand.

I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and encrypted key, you unencrypt it and send it back re-encrypted and I verify, or something like that. The principle is that the math is reversible and at no time is the actual key transmitted.

There is nothing inherently wrong with it for authentication, but relying on using a phone for it which has its own security vulnerabilities can compromise it.  At least it would be better than using a phone as a side channel which is so easily compromised.  I would have no complaints about a USB security key fob but for instance Google's recent requirements exclude them.  I wonder why Google would exclude something more secure, but I know the answer; Google is not interested in security for others.

A security key fob has all of the disadvantages of a physical key.  It can be lost, stolen, or broken.  At least it should be much more difficult to copy.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #78 on: May 09, 2022, 08:51:58 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual experts will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14472
  • Country: fr
Re: People should drop passwords altogether
« Reply #79 on: May 09, 2022, 09:22:31 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual experts will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.

Yes.
And "experts" is a vague term. If said "experts" are paid by those companies only interested in themselves, their biased expertise has little value.
Independent experts are few and far between.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #80 on: May 10, 2022, 08:38:31 am »
I think the point most people here are missing is this: nobody is claiming these alternatives provide flawless security. The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable. That’s the bar we’re seeking to exceed.
 
The following users thanked this post: gmb42

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #81 on: May 10, 2022, 12:04:28 pm »
Yes, things like 2FA are just to solve poor password and human error problems. Often it is forced on users unnecessarily. My university forced 2FA, I mean really, what does a hacker want to do? Upload my assignments for me?
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #82 on: May 10, 2022, 12:32:24 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #83 on: May 10, 2022, 01:56:21 pm »
2FA can be easily messed up with stupid things like sending codes via SMS to a cell phone. SIM swapping has become a mass sport in the US.
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #84 on: May 10, 2022, 02:19:53 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.

2x Me too.

To say the least ... I could not authorize email clients like Claws and Mutt..

The interface (CLOUD) is obviously meant as enforcement to sign in every user and force the use of own API and applets..

Never saw such a waste of time and effort to just set an email polling..

"THE" worst piece of shit I've seen last 30y to access POP/IMAP services...

They have brain damaged people on this..

Paul
« Last Edit: May 10, 2022, 02:21:50 pm by PKTKS »
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #85 on: May 10, 2022, 07:15:20 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.
 
The following users thanked this post: gmb42

Online gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #86 on: May 11, 2022, 05:12:47 am »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:
 
The following users thanked this post: tooki

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19499
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #87 on: May 11, 2022, 08:48:15 am »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

... thus creating a single point of failure for all malefactors to attack :)

It is all shades of grey; choose your poison :(
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #88 on: May 11, 2022, 10:48:09 am »
Trust experts to choose your poison - that's the 21st century version :D
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19499
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #89 on: May 11, 2022, 10:56:46 am »
Trust experts to choose your poison - that's the 21st century version :D

Not quite :(

Trust self-proclaimed experts to choose your poison - that's the 21st century version.

Alternatively, trust Dunning-Kruger sufferers to choose your poison, while they decry experts.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #90 on: May 11, 2022, 12:49:05 pm »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:

Good standards are great! But who wants to establish a specific standard? And for which purpose (the 2FA could be just the shiny wrapping paper)?
 

Offline xrunner

  • Super Contributor
  • ***
  • Posts: 7517
  • Country: us
  • hp>Agilent>Keysight>???
Re: People should drop passwords altogether
« Reply #91 on: May 11, 2022, 12:54:33 pm »
From The Register

Quote

Yahoo Japan strives for universal passwordless authentication


Wed 11 May 2022 // 08:19 UTC

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages.

A case study penned by staff from Yahoo Japan and Google's developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.

The web giant also sees phishing as a significant threat, and has found that a third of customer inquiries relate to lost credentials.

“From a security perspective, eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords prevents situations where a user is unable to login because they forgot their password,” the case study states.

Yahoo Japan's replacement is either authentication by one-time codes sent by SMS, or the Fast Identity Online (FIDO) standard.

When using SMS, the company is fond of using techniques that allow Apple’s iOS and Google’s Chrome browser to read and enter incoming one-time passwords so that users have nothing to do to arrange authentication.

Users are encouraged to use authenticator apps that work with FIDO and WebAuthn, with one-time codes generated on the device used to access Yahoo Japan.

“The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators,” the case study states. User experience is therefore paramount.

Yahoo Japan has therefore used tricky moments to promote adoption – when users sign up for services like e-commerce that have high fraud potential, or reset forgotten passwords, they receive suggestions to adopt authentication methods that are more secure and easier to use.

Users are encouraged to use the same authentication method on all their devices, but Yahoo! Japan recognizes that’s not easy or possible for all, and so will tolerate mixed methods. The company also envisages operating multiple methods for the foreseeable future.

The company’s efforts have worked, in two dimensions.

“The percentage of inquiries involving forgotten login IDs or passwords has decreased by 25 percent compared to the period when the number of such inquiries was at its highest,” the case study explains. Yahoo Japan has also seen a decline in unauthorized access as its number of passwordless accounts rises.

https://www.theregister.com/2022/05/11/yahoo_japan_goes_passwordless/
I told my friends I could teach them to be funny, but they all just laughed at me.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #92 on: May 11, 2022, 01:25:24 pm »
When you go for hardware tokens or apps (or have to) make sure that you have spares and that they are registered with all the websites. If you have just one and something goes wrong, you'll have a nasty surprise. It's like losing the only key for your front door.
 
The following users thanked this post: Someone, MrMobodies

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: People should drop passwords altogether
« Reply #93 on: June 10, 2022, 05:37:51 am »
Password managers, anyone?

Let the password manager create and store the different random passwords used for each website and be done with it.

Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.
 
The following users thanked this post: tooki

Offline BradC

  • Super Contributor
  • ***
  • Posts: 2106
  • Country: au
Re: People should drop passwords altogether
« Reply #94 on: June 10, 2022, 08:31:00 am »
Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.

Yes, they do. The notes field in the password manager is a great place to store the questions and respective random keyboard mashing that you put in for an answer to each question.
It's also a great place to note down your "date of birth" and other fictional information you use to complete the mandatory sign-up questions.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #95 on: June 10, 2022, 10:10:06 am »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #96 on: June 10, 2022, 01:59:16 pm »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
Most people’s solution is a combination of reusing the same 2 or 3 passwords all over the place, often combined with a sheet of paper, notebook, or Word document listing them all. They adamantly refuse to use password managers even if told to do so. Which of course is precisely why the industry is trying to get away from passwords: humanity has proven that truly strong security using passwords is impossible at population scale. Secure, non-reused passwords are impossible to remember, and most people simply won’t use a password manager, which is the only good way to store secure passwords.
 
The following users thanked this post: gmb42

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #97 on: June 10, 2022, 03:11:56 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19499
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #98 on: June 10, 2022, 04:19:28 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.

And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!

It is worth noting that the retailers and card settlement industries don't attempt to authorise based on identity and entitlement, because it is so damn difficult to get right. They do authorise individual transactions.
« Last Edit: June 10, 2022, 04:22:21 pm by tggzzz »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1209
  • Country: pl
Re: People should drop passwords altogether
« Reply #99 on: June 10, 2022, 10:28:31 pm »
It should also be noted that card payment authorization is a bit different than authentication, as it serves a somewhat opposite purpose. Authentication protects a person against other parties. Payment authorization protects other parties (merchants, acquirers, issuers) against the person authorizing the transaction. Of course the security mechanisms employed may stay similar, but finer details differ.
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: tooki

