Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want them but enforce/make them stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12355 times)


MrMobodies (Topic starter)
People should drop passwords altogether
« on: May 06, 2022, 07:34:17 pm »
I found this news article which I found disturbing.

https://www.gazettelive.co.uk/news/uk-world-news/people-should-drop-passwords-altogether-23867710
Quote
By Martyn Landi, PA Technology Correspondent, and Will Maule
02:20, 5 MAY 2022

The public and businesses need to “drop passwords altogether” and move to other technology to protect personal information from hackers, a cybersecurity expert has said.

Marking World Password Day on Thursday, Grahame Williams, identity and access management director at defence firm Thales, said passwords were “becoming increasingly insecure” and “easily hacked”. He called on the industry to move to other forms of log-in, such as multi-factor authentication (MFA) – where users must provide an additional layer of identification to log in – or biometrics, such as face or fingerprint scans, to improve the general safety of personal data.

Mr Williams said a key issue was the widespread use of simple and easy-to-guess passwords. Data shows that common and obvious phrases such as “password” and “qwerty” – in reference to the common computer keyboard layout – are often among the most used passwords globally.

Now I can understand if they say there is a need to increase security and some services may require a thumb or eye scan and a memorable password, but not ONE solution alone.

Experts advise people who are creating a password to use a collection of three unique, random words and not to reuse them across multiple accounts. But Mr Williams said where possible, platforms should introduce other ways for people to log in and users should strive to use them.

“Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take,” he said. “We would recommend that everyone – whether consumer or private – to start utilising these technologies.

“Our standpoint on this is there’s no reason why you should have to still use passwords and we should all be looking to really push forward.”


It sounds like an excuse: just because some may not be using reliable passwords, they all need to drop it completely. I thought there were strict requirements with many sites when creating accounts and this 123456 or qwerty nonsense was stopped years ago. Isn't that the website's fault, though, for not enforcing restrictions to prevent easy-to-guess passwords?

I am not happy using parts of my body as the only form of password and verification, something that I can't change and that everybody can see, trace and get hold of in plain sight.

I think there should be passwords as well as biometric stuff for some security stuff, because a criminal is going to have to take longer to persuade a victim to give up a memorable phrase than just presenting bits of their skin to a scanner.

Quote
Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take  :bullshit:,”


I can see the need for security but I don't know, it sounds to me like they're up to something and some bullsh*t might be going on in saying all passwords are insecure. Maybe offloading the responsibility onto the identity of the user, effectively using them as a password.


What do you think?
 

nctnico
Re: People should drop passwords altogether
« Reply #1 on: May 06, 2022, 07:45:52 pm »
I think websites should drop passwords indeed and just send you a link to a website over email or other messaging service. Much more convenient.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

TimFox
Re: People should drop passwords altogether
« Reply #2 on: May 06, 2022, 07:49:24 pm »
Of course, to access my e-mail account I need a password.
Am I the only one here who doesn't keep my phone next to my computer?
 

jpanhalt
Re: People should drop passwords altogether
« Reply #3 on: May 06, 2022, 07:56:46 pm »
Agreed.  There was a research article between 2006 and 2011 that concluded simply that passwords are designed to be hard to remember but easy for computers to break.  I've complained many times about the ridiculous requirement for "special characters", the presence of which is a flag that "this may be a password."  In the real world, most data breaches that I have read about were due to human stupidity, such as inserting a thumb drive to see what was on it.   A simple PIN should suffice.

In my own field, Prof. Ray Bartlett (U Conn) long ago studied sources of errors in clinical laboratory testing.  Such labs are required to run controls and test sample lots of new reagents.  The most common cause of a control failure by far was the test, not the lot of reagent.  Overall,  bad reagents were something like 1/100,000 or less as frequent as human errors.  I suspect the ratio of cracking "passwords" to obtaining such information by stupidity is similar.
« Last Edit: May 06, 2022, 07:58:28 pm by jpanhalt »
 

Gyro
Re: People should drop passwords altogether
« Reply #4 on: May 06, 2022, 08:00:11 pm »
I definitely feel more comfortable when an important site sends an sms verification code to my phone. One of the reasons that I don't have a banking app on my phone - I prefer it when there are two devices involved.

Am I the only one here who doesn't keep my phone next to my computer?

Possibly. My phone stays with me.
Best Regards, Chris
 

Benta
Re: People should drop passwords altogether
« Reply #5 on: May 06, 2022, 08:31:14 pm »
Mr. Grahame Williams has a major flaw in his argument. That he's a spokesman for Thales frightens me.

User name, fingerprint, face scan are all useful to identify you.

Fine.

But a password is in your brain, and hopefully only there. It's at a much higher and personal security level. That some people use idiotic passwords is their problem.

Mr. Williams' suggestion is equivalent to removing the lock from your apartment door. I hope he's only in marketing.
 
The following users thanked this post: hans, BillyD, Karel, MrMobodies

langwadt
Re: People should drop passwords altogether
« Reply #6 on: May 06, 2022, 08:37:13 pm »
Mr. Grahame Williams has a major flaw in his argument. That he's a spokesman for Thales frightens me.

User name, fingerprint, face scan are all useful to identify you.

Fine.

But a password is in your brain, and hopefully only there. It's at a much higher and personal security level. That some people use idiotic passwords is their problem.

Yeah, no wrench needed: https://xkcd.com/538/


And if some biometric "password" is somehow compromised, you can't just get a new one and revoke the old one.
 

SiliconWizard
Re: People should drop passwords altogether
« Reply #7 on: May 06, 2022, 08:42:44 pm »
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
 
The following users thanked this post: Karel, PKTKS

DiTBho
Re: People should drop passwords altogether
« Reply #8 on: May 06, 2022, 08:55:00 pm »
We should never eat snails ...

... and as soon as we are born we should have an RFID implanted under the skin, which encodes the personal DNA, the blood type, the encoded proteins, etc. Because it is also useful for media robots, useful for accessing the Internet.

Old Cyberpunk novels. Philip Dick would also suggest to encode a sequence on the cornea of the eyes, like in BladeRunner 2049.

Real world: passwords like "P@is%n1vy" are good to remember, hard to crack, good and nice.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Bud
Re: People should drop passwords altogether
« Reply #9 on: May 06, 2022, 09:08:20 pm »
You can't get the password out of a dead man.
As to fingerprints or other parts of the dead body .... :-X
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: amyk, PKTKS

TimFox
Re: People should drop passwords altogether
« Reply #10 on: May 06, 2022, 09:22:57 pm »
Dead people's fingers, or severed fingers, have been used in thriller novels. I don't know of any real-world use, but it is always possible.
The Nazis tortured rich victims to learn their secret Swiss bank account numbers long before computer passwords.
 

tggzzz
Re: People should drop passwords altogether
« Reply #11 on: May 06, 2022, 09:28:48 pm »
Infosec truism: ATM card PINs protect the bank, not the individual. "We received the correct PIN which only you know, therefore you authorised it. Case closed"

Biometrics: just say no, due to the certificate revocation problem. When, not if, an ATM card is compromised, the bank revokes the card. Simple. What happens when, not if, my iris becomes compromised?
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: Karel, MrMobodies

MrMobodies (Topic starter)
Re: People should drop passwords altogether
« Reply #12 on: May 06, 2022, 09:31:57 pm »
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.

I don't depend on it, I'll close the account to move somewhere else.
My concern wasn't about the multi factor authentication.

I refuse on the grounds of privacy; I should not need to submit private medical stuff relating to my biology and identity just to use services.
Sounds ridiculous to me.

When I was paying for YouTube Premium, at some point a lot of videos needed authentication that I was over a certain age.
I think they wanted my driving licence or passport. I thought, forget it, I don't want to hand Google any more of my personal information.


I found this 11-year-old article just now:
Quote
Can I refuse to have my child fingerprinted at school?
This article is more than 11 years old. By Emma Norton
Thinkingcrumpet wants to know if refusing to allow their son to be fingerprinted by a new school will endanger his place
Fri 16 Jul 2010 11.38 BST

My child will be starting a school in September where the preferred registration method is fingerprint recognition. Is it lawfully possible to refuse to comply and keep his place at the school?
More and more parents are asking us for advice about this issue. No one knows how many schools are now using biometric technology like this because it seems that the government is not keeping a record. Some estimates suggest that as many as 30% of all schools in the UK have fingerprinting technology. This means that millions of children are having their fingerprints taken and retained. This massive expansion of the collection of highly personal data has been allowed to take place without parliamentary scrutiny or public debate.

The short answer to thinkingcrumpet's question is: we cannot see how it would be fair or lawful for a school to use a parent's refusal to consent to fingerprinting her child as a reason for rescinding an offer of a place at a school. The reaction would be wholly disproportionate (engaging the child's right to privacy and education).

The new coalition government has already stated that it intends to ban the taking of prints from children without parental consent so it would be very poor practice if schools did not take this proposed legislation into account (although they are, of course, not legally bound by it). Furthermore, the Information Commissioner's Office (the office that oversees compliance with the Data Protection Act 1998 (DPA), has published guidance on this issue and advises that even though there is no lawful requirement on a school to obtain parental consent for fingerprinting children, the school "must" involve the parents to ensure that information is obtained fairly, unless the school can be certain that the child understands the implications of giving up his/her prints.

The ICO states that "it would be a heavy-handed approach for schools not to respect the wishes of those pupils and parents who object". It specifically states that other systems can work just as well and that those who wish to opt out should be offered another means of accessing the same services.

The main reasons given by schools for introducing biometric technologies are to assist in registration, library and canteen systems. Upon entry, the pupil is required to place his or her finger on a scanner whereupon the software will identify them as someone entitled to access the service. It is argued that access to the service is made faster and more efficient, but also that the system can keep tabs on the pupil (so that it is easier, for example, to spot if a student is skipping school). Using a cashless system like this is also credited with reducing bullying and stigmatisation, especially for those on free school meals. It has been suggested that parents can keep better track of what their kids are eating, with some sort of block being put on the canteen system if the child tries to buy unsuitable food.

Although fingerprinting technology is still the main biometric system employed by schools, other trials to date have included retinal scanning and palm-vein scanning.

So what is wrong with this? Certainly when I asked my 14-year-old and some of his friends about it, they didn't immediately see anything wrong with fingerprints and scanners in schools – in fact, they quite liked the futuristic style of the technology as opposed to their battered old library cards, or boring registration procedures. Liberty does not share their enthusiasm. Indeed one of our principal concerns is that it plays on these ideas and gets children accustomed to giving up their highly personal biometric data as a matter of routine.

If children at primary school age are taught that it is normal to hand fingerprints or other personal data to their school or local authority, how alarmed are they going to be if and when, as adults, a future government tries to reintroduce the idea of ID cards, for example, or to argue that there should be universal DNA retention?

It also touches on the important issue of consent. The law (see below) requires that the person must give their consent to the fingerprints being taken. How schools are ensuring that children are giving informed consent is very hard to determine and practice seems to vary widely. The ability of a seven-year-old to give consent is going to be very different from that of a 17-year-old. Surprisingly, the law does not require that consent be obtained from the parents of a child, although good practice and guidance has recommended that it be obtained in advance. We are aware of many cases where this has not happened, though, and parents are only informed after the event.

The massive expansion in the use of this technology has been pushed almost entirely by the private sector companies that make a lot of money out of it. Some have made claims about the benefits of the technology that are entirely untested. We have heard about one school that spent thousands of pounds installing retinal scanning software, only to have to remove it because the process of scanning each pupil took far longer than expected and all the pupils could not be fed inside the lunch hour. Concerns about preventing bullying and stigmatisation could also be met through the wider introduction of swipe cards and PIN numbers.

The law
The Data Protection Act 1998 contains a number of principles governing what a "data controller" (in this case, a school) can do with the personal information it holds. A detailed discussion of the data-protection principles is beyond the scope of this article, but in summary: the information must be processed fairly and lawfully; can only be taken for a lawful purpose; must be adequate and not excessive in relation to the purpose for which it was taken; must be kept for no longer than is necessary; and must be safely and securely maintained.

Liberty believes the problems touched on above with regards to consent raises immediate questions about whether information taken in such circumstances can be said to have been processed "fairly and lawfully". We are also very concerned about the possibility of other agencies outside the school being able to access the information. The ICO has confirmed, for example, that the police could ask the school to hand over biometric information about children. It has stated that biometric data should be destroyed once a pupil leaves the school but there is no system for checking and ensuring this is done. Compliance with the DPA is likely to be poor because it is effectively unchecked.

Article 8 of the Human Rights Act protects the right to respect for a person's privacy. The taking of DNA and fingerprints has already been held by the court of human rights to engage this right. The need for protection is even higher for children.

The right to privacy is not an absolute right and under the second part of the article the state may justify an interference with the right that is "in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".

You can see the sort of arguments that would be raised to try to show that the interference was justified. Assuming the DPA had been complied with, the school could argue that retention was necessary in a democratic society to ensure attendance of pupils at school or prevent bullying and stigmatisation (protection of the rights and freedoms of others). We think this is questionable. It is hard to see how installing a new system for taking books out of a library justifies the interference with privacy involved. And there are less invasive alternatives available to deal with concerns about attendance and bullying, which do not have such implications for personal privacy.

The expansion of biometric systems like this has been allowed without a proper public debate. If we get too hung up on issues about efficiency and modernisation, we will overlook these vital questions. This highly personal information belongs to the individual and it should not be for him or her to tell the state why they should not have it; it is for the state to justify why it should. So far, it has failed to do so.

 

SiliconWizard
Re: People should drop passwords altogether
« Reply #13 on: May 06, 2022, 09:37:17 pm »
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
I don't depend on it, I'll close the account to move somewhere else.

Sure. Until they all do the same. Do you think they won't?

https://www.firstpost.com/tech/news-analysis/explained-why-apple-microsoft-google-want-to-get-rid-of-passwords-10640151.html
 

MrMobodies (Topic starter)
Re: People should drop passwords altogether
« Reply #14 on: May 06, 2022, 09:51:10 pm »
I don't want my "password" to be in the form of a fingerprint left for anybody to look at or touch whether it be in a shop or the bar.
Sure. Until they all do the same. Do you think they won't?

https://www.firstpost.com/tech/news-analysis/explained-why-apple-microsoft-google-want-to-get-rid-of-passwords-10640151.html

Which is why I am actually quite worried and said I found it quite disturbing.

They all seem in unity about it, Microsoft, Apple, Google so I think they are up to something else.

Quote
The big three tech companies want to introduce a system where users will have to log in to online services using a passkey on their phones.

Well, I already do that when paying for things over a certain value, but it makes me wonder about SIM swaps. Oh yes, they might fix the problems with that by requiring a biometric reading.

I don't know what I am going to do but I don't want to give anybody apart from doctor or healthcare my personal medical information thank you very much.

So they are effectively going to shut people out if they don't give them their biometrical details.
« Last Edit: May 06, 2022, 09:55:28 pm by MrMobodies »
 

SiliconWizard
Re: People should drop passwords altogether
« Reply #15 on: May 06, 2022, 09:54:39 pm »
Yep. I think we know what this inevitably leads to. Whether this is intentional or not doesn't matter (much).
 
The following users thanked this post: MrMobodies

golden_labels
Re: People should drop passwords altogether
« Reply #16 on: May 06, 2022, 10:02:17 pm »
Not participating in the survey, as it misses the option I would choose and is designed wrong.

As an entertaining intro, today's story. My mother received documents from an insurance company, via my mailbox, in an encrypted PDF. The password, as explained in the email itself, is the last four digits of her PESEL number.(1) I hope I don't need to explain how strong a 4-digit password is and how long it withstands a brute-force attack, in particular if the penultimate digit is determined by gender and the last one is a checksum value. If that wasn't enough, the number is semi-public. The company itself somehow doesn't understand that their own worker obtained something used as a password simply by asking for it. While using even such a weak solution is certainly better than plaintext,(2) it shows something very important: a failure to understand security at even the most basic level by laypersons.

Passwords must go. But the main reason is not their inherent weakness. It's because of the users. For years now it has been well known that:
  • Users are horrible at inventing passwords. Not understanding fundamental things about security, people substitute their guesses for knowledge: based on poorly founded heuristics, often on a perception of threats derived from the entertainment industry, using schemes that do not address the actual attack methods, falling into the "it's ok because I can't break it" theme and so on. Common examples: using simple words they think no one will know, or substituting look-alike characters for letters.
  • Policies designed by ignorant people, or by people not updating their knowledge, push users to invent even worse passwords. Password rotation, in particular over short periods, has been beaten to death already. Yet you will encounter that type of requirement being introduced even now, as I write this post. Worse, there are people who will try to defend it, both ignoring that, whatever their predictions, reality has shown it leads to worse security, and not realizing that the primary reason for the policy in the first place was blindly importing it from eras predating computers, where threat models were very different. Requiring particular characters in the password only introduces very predictable changes to whatever the user already had: almost universally "1!" or one of a very few similar suffixes.
  • Limited access to tools leads to users engaging in insecure practices, even if otherwise they would not. Using a properly designed password manager raises the bar for the adversary so high that password-based attacks are doomed to fail in nearly all circumstances.(3) Yet most people will not use them. They do not even know they should. The tools are cumbersome to use, or are proprietary service-based solutions that effectively make you give away your passwords. Users fail to address database-loss situations and opt for having no protection at all. Hardware HID keys are so rare that I can't even recall any specific name. An average member of society has no option to securely generate a strong password. There is no infrastructure to share passwords: the reason the insurance company used the PESEL number is that there is no sane way to give them any password in the first place. All this worsens the situation even more.

Secondary to the above, passwords have problems too. Even the strongest, most perfectly chosen password has them. They are inherently vulnerable to replay attacks. While not a limitation of the technology, the practical use of passwords often involves remembering them, which limits their quality. A password may easily be 256 bits strong (attacks not feasible), but in practice people employing diceware-class generators will obtain 48 to 64 bits, while the general population gets somewhere between 8 and 32 bits. Passwords are quite easy to acquire, because at least partially they must be transferred over insecure channels.

But there is another issue. For at least two decades we have had technologies that are sufficient to deliver much better solutions. Better in many aspects: security, convenience, privacy and freedom. They are widely deployed, so it's not sci-fi. The problem is both the level of adoption and that they are often partial. Where something more convenient is offered, it's a privacy nightmare and often involves passing a bit of control to some third party. Where solutions respect your privacy and freedom, using them in practice is a horror story.


(1) An identifier in PESEL, a national database of all Polish residents. It's a structured value, directly linked to the birth date and gender, with the last digit being an almost universally valid checksum dependent on the other ten.
(2) The adversary is required to put some minimum effort in the attack.
(3) “Nearly all” because phishing attacks are still possible.
« Last Edit: May 06, 2022, 10:06:22 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: tooki
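The PESEL story above is worth working through with numbers, because it shows how far a "4-digit password" is from 10,000 guesses once the structure leaks. The following is an added example, not code from golden_labels or from the insurer. It assumes the attacker knows the birth date as it is encoded in the PESEL and the person's gender (both appear on the same kind of documents), and uses the public PESEL layout: six date digits, three serial digits, one gender digit (even for women, odd for men) and a check digit computed with the weights 1,3,7,9,1,3,7,9,1,3. Function and variable names are mine; the sample number is a constructed one.

```python
"""Candidate space for a 'last four digits of your PESEL' password.

Added example (not from the thread). Assumptions: the attacker knows the
YYMMDD field and the gender; the layout is YYMMDD SSS G C with the
standard check-digit weights. Nothing here talks to a real PDF; it only
enumerates what an offline cracker would feed to one.
"""
from itertools import product

WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
DIGITS = "0123456789"


def pesel_check_digit(first_ten: str) -> int:
    """Check digit C = (10 - weighted sum mod 10) mod 10 over the first ten digits."""
    total = sum(int(d) * w for d, w in zip(first_ten, WEIGHTS))
    return (10 - total % 10) % 10


def pesel_is_valid(pesel: str) -> bool:
    return (
        len(pesel) == 11
        and pesel.isdigit()
        and int(pesel[10]) == pesel_check_digit(pesel[:10])
    )


def candidate_passwords(birth_yymmdd: str, female: bool) -> set[str]:
    """All 4-digit strings that can be the last four digits of a valid PESEL
    with this birth date and gender.

    The password is digits 8..11 (two serial digits, gender digit, check
    digit). Digit 7 is a serial digit that is *not* in the password, so the
    attacker has to enumerate it too; because its weight (7) is coprime to
    10, every value of digit 7 produces a different check digit, and the
    checksum removes nothing from the attacker's list.
    """
    gender_digits = "02468" if female else "13579"
    found: set[str] = set()
    for d7, d8, d9, d10 in product(DIGITS, DIGITS, DIGITS, gender_digits):
        first_ten = birth_yymmdd + d7 + d8 + d9 + d10
        found.add(d8 + d9 + d10 + str(pesel_check_digit(first_ten)))
    return found


def brute_force(check, candidates):
    """Try candidates in sorted order; return (password, attempts) or (None, attempts).

    `check` stands in for an offline oracle such as 'does this open the PDF'.
    """
    ordered = sorted(candidates)
    for attempt, cand in enumerate(ordered, start=1):
        if check(cand):
            return cand, attempt
    return None, len(ordered)


if __name__ == "__main__":
    # Constructed sample: 44051401359 is a syntactically valid PESEL (male, 14 May 1944).
    sample = "44051401359"
    print("sample valid:", pesel_is_valid(sample))
    cands = candidate_passwords(sample[:6], female=False)
    print("candidates given birth date + gender:", len(cands))
    pw, tries = brute_force(lambda p: p == sample[-4:], cands)
    print("recovered", pw, "after", tries, "attempts")
```

Nominally a 4-digit password has 10,000 values. With the gender known the tenth digit has five possible values, and since the unknown seventh digit spreads the check digit over all ten values, 5,000 candidates remain, which an offline attack on a PDF owner password exhausts in seconds. The checksum helps only someone who already holds the whole number; it does nothing for the defender.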

MrMobodies (Topic starter)
Re: People should drop passwords altogether
« Reply #17 on: May 06, 2022, 10:12:47 pm »
I don't mind if it is changed in other ways but my concern is just based on forcing everyone to use biometric revealing information about themselves.

Not participating in the survey, as it misses the option I would choose and is designed wrong.

What would you like me to list as an option in the survey?

I thought it was for the website to enforce password restrictions.
Joke: Session hijacking... no problem just stick your finger here most of the time to make sure it is you.

In the real world, most data breaches that I have read about were due to human stupidity, such as inserting a thumb drive to see what was on it.   A simple PIN should suffice.

I suspect the ratio of cracking "passwords" to obtaining such information by stupidity is similar.

It will be interesting to see what the next level of scams are going to look like when this non password approach starts.
« Last Edit: May 06, 2022, 10:41:24 pm by MrMobodies »
 

free_electron
Re: People should drop passwords altogether
« Reply #18 on: May 06, 2022, 10:37:56 pm »
Two-pathway approach. The challenge gets sent over one path, the answer through another path. For example, the challenge goes to the cellphone; the cellphone applies key number one and shows the result to the user; the user bridges that result to the computer; the computer applies key number two (stored in a secure module) and sends it back to the server.

That way, if you intercept or compromise one of the hardware machines, you still can't find the relation, as the human is the bridge. The original request and the final response do not exist on the same machine at any given point in time. They only exist in the human in between (you read it and type it on another device).
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
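The two-path exchange described in the post above, written out end to end so both the server side and the two device steps are visible. This is an added example, not free_electron's code or any product's protocol. It assumes HMAC-SHA256 for each "apply key" step, an 8-digit code as the thing the human transcribes between devices, and a server that stores one pending challenge per session; the names `Server`, `phone_step`, `pc_step` and `login` are mine. In a real deployment the phone key would live on the phone and the PC key in a secure module; here both sides run in one process so the flow can be traced.

```python
"""Two-path challenge/response (added example, not from the thread).

Server -> phone: random challenge.
Phone:  code = HMAC(key1, challenge), shortened to 8 digits for a human to type.
Human:  reads code on the phone, types it on the computer.
PC:     response = HMAC(key2, code), sent to the server.
Server: recomputes both steps and compares in constant time; challenge is one-use.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # assumption: what a person will reliably transcribe


def _hmac_hex(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def phone_step(phone_key: bytes, challenge: str) -> str:
    """Key 1 applied on the phone; result truncated to a short, typeable code."""
    digest = _hmac_hex(phone_key, challenge.encode())
    return f"{int(digest, 16) % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def pc_step(pc_key: bytes, typed_code: str) -> str:
    """Key 2 applied on the computer (in practice inside the secure module)."""
    return _hmac_hex(pc_key, typed_code.encode())


class Server:
    """Holds both keys for the user, issues challenges, verifies responses."""

    def __init__(self, phone_key: bytes, pc_key: bytes) -> None:
        self.phone_key = phone_key
        self.pc_key = pc_key
        self.pending: dict[str, str] = {}

    def issue_challenge(self, session_id: str) -> str:
        challenge = secrets.token_hex(16)          # 128 random bits
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, response: str) -> bool:
        # pop() makes the challenge single-use, so a captured response cannot be replayed
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return False
        expected = pc_step(self.pc_key, phone_step(self.phone_key, challenge))
        return hmac.compare_digest(expected, response)


def login(server: Server, session_id: str, phone_key: bytes, pc_key: bytes) -> bool:
    """Full round trip: the two keys are used on two 'devices', joined only by the typed code."""
    challenge = server.issue_challenge(session_id)   # delivered to the phone
    shown_on_phone = phone_step(phone_key, challenge)
    typed_on_pc = shown_on_phone                     # the human is the bridge
    response = pc_step(pc_key, typed_on_pc)          # delivered from the PC
    return server.verify(session_id, response)


if __name__ == "__main__":
    srv = Server(phone_key=b"phone-secret-k1", pc_key=b"pc-module-secret-k2")
    print("legit login:", login(srv, "s1", b"phone-secret-k1", b"pc-module-secret-k2"))
    print("stolen PC only:", login(srv, "s2", b"guess", b"pc-module-secret-k2"))
    print("stolen phone only:", login(srv, "s3", b"phone-secret-k1", b"guess"))
```

Two caveats a practitioner would add. The transcribed code is short, so the server has to rate-limit attempts per session, otherwise an attacker holding only the PC key could grind through the 10^8 codes. And the response proves possession of both devices, not agreement to a particular action; if the goal is to authorise a payment, the amount and payee should be folded into the challenge so the phone can display them before the user types anything.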
 

themadhippy
Re: People should drop passwords altogether
« Reply #19 on: May 06, 2022, 10:38:59 pm »
Dear Apple, Google and Microsoft: what about us renegades who have decided the best place for their mobile phone was in the bin?
 

SiliconWizard
Re: People should drop passwords altogether
« Reply #20 on: May 06, 2022, 10:52:31 pm »
Dear Apple, Google and Microsoft: what about us renegades who have decided the best place for their mobile phone was in the bin?

Well,  I guess they have unfortunately decided that the best place for people not willing to use mobile phones is in the bin.
The question remains as to who is gonna win, or if everyone's gonna end up in the bin eventually.
 

golden_labels
Re: People should drop passwords altogether
« Reply #21 on: May 06, 2022, 11:00:39 pm »
I don't mind if it is changed in other ways but my concern is just based on forcing everyone to use biometric revealing information about themselves.
That would be a serious concern to me too. Of course in terms of both privacy and freedom, but, perhaps unexpectedly, also because it's a security issue. Biometric authentication is alluring because it's extremely convenient, but under the hood it's a key generator. Better than user-invented passwords, but in many ways worse. It's one-factor authentication, with a factor that can never be changed and, while possibly hard to copy,(1) is still publicly available information.

What would you like me to list as an option in the survey?
Unless there is a well-proven reason to do otherwise, any survey should have "Refuse to answer" and "Other (specify)" options. In my case I would respond with either MFA or some alternative method (a signed challenge, for example).


(1) I know that reports of successful copying are common. But so far there is no evidence of it being an inherent restriction of the technology itself, rather than failures of particular approaches. Of course that may change in the future, as the contrary has not been proven either.
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: MrMobodies

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1912
  • Country: gb
Re: People should drop passwords altogether
« Reply #22 on: May 06, 2022, 11:38:06 pm »
"Refuse to answer" and "signed challenge" added to survey.

An "other (specify)" option would be nice; maybe an idea for Gnif, if that is something he is willing to do in future.

I just found something interesting when forcing it upon employees:
https://www.abc.net.au/news/2019-05-21/fingerprints-biometric-data-worker-wins-unfair-dismissal-case/11129338
Quote
Jeremy was fired for refusing fingerprinting at work. His case led to an 'extraordinary' unfair dismissal ruling
ABC RN / By Anna Kelsey-Sugg and Damien Carrick for The Law Report
Posted Mon 20 May 2019 at 10:30pm, updated Tue 21 May 2019 at 6:25am

When Queensland sawmill worker Jeremy Lee refused to give his fingerprints to his employer as part of a new work sign-in, he wasn't just thinking about his privacy. It was a matter of ownership. "It's my biometric data. It's not appropriate for them to have it," he tells RN's The Law Report. For not agreeing to the new system, Mr Lee was sacked. What followed was a legal battle that delivered the first unfair dismissal decision of its kind in Australia. Mr Lee represented himself before the full bench of the Fair Work Commission — and won. "It's extraordinary," says Josh Bornstein, national head of employment law with Maurice Blackburn lawyers. "It's off the charts for a self-represented litigant dealing with very sophisticated legal issues to have such an outstanding result. That is a very unusual achievement. "There's not too many Jeremy Lees, in my experience." He says Mr Lee's case reflects the complicated intersection of privacy and technology — an area in which the law is struggling to keep up pace.

'My biometric data is mine' — or is it?

Mr Lee says his employers at Superior Wood "tried to coerce" him to agree to the new fingerprint scanning system for about three months. But he remained resolute. Mr Lee says he has no criminal record and has never been in trouble with police. Nor does he object to a drug or alcohol test at work. But he draws a firm line at handing over his biometric data — data relating to someone's physical or physiological make-up — for fear it could be shared and potentially misused. "If someone else has control of my biometric data they can use it for their own purposes — purposes that benefit them, not me. That is a misuse," he says. His employer argued the new scanning system meant they could better track who was or wasn't on the premises, but Mr Lee says there are other means of doing that. Swipe cards, he argues, could be just as effective as an electronic identity check. His employers disagreed.


In February 2018 Mr Lee was fired for refusing the new sign-in system. Represented by pro bono lawyers, he began an unfair dismissal case. That case, heard by a single commissioner at the Fair Work Commission, was unsuccessful. The commissioner found the fingerprint scanning system was a reasonable policy; therefore, the sawmill company had a right to require employees to comply with it — and to dismiss those who didn't. Mr Lee appealed against the decision, proceeding to argue his case before a full bench of the Fair Work Commission — this time without any legal representation or support. The legal framework he was operating within was highly complicated, but his reasoning was anything but. "I was insisting that my biometric data is mine," he says. "My objection was that I own it. You cannot take it. If someone wants to get it or take it they have to get my consent. "Surely if my employer tries to get it and sacks me for refusing to give it, that is illegal. That was my argument." But it was a different argument that convinced the commission's full bench.

'A fantastic and unusual outcome'

The commission's full bench found there was no valid reason to fire Mr Lee for refusing to provide consent to the company to use his fingerprints and biometric data. On May 1, 2019, more than a year after Mr Lee was sacked, it was found he had been unfairly dismissed.
"I think it was a fantastic and unusual outcome," Mr Bornstein says.

He says all employees have an obligation to "comply with all lawful and reasonable directions" from an employer. But the Privacy Act states that when an employer wants to collect sensitive information — and biometric data like fingerprints are classified as such — they must give sufficient notification and allow for a process of informed consent. Mr Lee's workplace failed on both accounts. The commission found the sawmill's scanning policy had violated the Privacy Act. Mr Bornstein says the law "has been shifting very much in favour of employers being able to give employees direction successfully about medical information [and] other information, making greater and greater incursions into their employees' lives".

But Mr Lee's victory presents a major roadblock. "[Mr Lee's] is a rare case, which actually says 'no, what you did was not right' ... and the employee actually had a win," Mr Bornstein says. He says the win highlights the increasingly fraught intersection of privacy, technology and regulation. "There's a huge issue more broadly in our society as to whether people's privacy protections are being maintained with the rapid pace of technological change," Mr Bornstein says. "We're seeing employees more closely regulated than ever before — on a 24/7 basis.  "There's no doubt regulation is lagging well behind the development of technology."

Who really owns our biometric data?

Mr Lee is proud of his win, but his case has left him disappointed too. While the law declared him unfairly dismissed, his case didn't set a legal precedent — as he'd hoped it would — about the ownership of biometric data. But Mr Bornstein says the law has never recognised biometric information as property and — precedent or not — Mr Lee's win is remarkable. "What he's achieved is quite spectacular and very, very unusual," he says. "He may not have achieved a finding that he couldn't be forced to hand over his property, but he did achieve a finding that he could not be forced to hand over, without his consent, sensitive information under the Privacy Act." Mr Bornstein says the issue of whether biometric information is property is "a philosophical debate". "Ultimately, is our personal information, is our fingerprint data, is the image of our face, property? In some ways it's a legal debate [but] I think it is an even broader argument that's more philosophical in nature," he says. "So it was, I think, a fantastic and unusual outcome to do this on your own, from first tier up to a full bench, and be successful. "It's an amazing achievement."


Sounds to me very intrusive and not very nice.
« Last Edit: May 07, 2022, 12:29:00 am by MrMobodies »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: People should drop passwords altogether
« Reply #23 on: May 07, 2022, 12:37:26 am »
Biometric authentication is alluring, because it’s extremely convenient, but under the hood it’s a key generator. Better than user-invented passwords, but in many ways worse. It’s one-factor authentication, with a factor that can never be changed and, while possibly hard to copy,(1) it is still publicly available information.
On a phone it's effectively treated as half a factor, the pass code is still required after reboot and when the phone has been unused too long. So let's call biometric + pin a full factor. Then if you use a phone to authenticate on a laptop you have three factors, ownership of the phone, laptop and biometric + pin.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19497
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #24 on: May 07, 2022, 06:38:38 am »
Two points about fingerprints:
  • not everybody has fingerprints, e.g. those working collecting pineapples! Yes, this causes them some problems
  • what happens when you cut your fingertip and it is covered with a plaster, or permanently scarred?

Often the "exceptional case" recovery process can be much weaker than a decent password. A classic example is a forgotten password leading to manual intervention involving questions with "well known" answers. In one case a company even sent my (stored!) password in a cleartext email. Yes, I had words with them.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: DiTBho

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3915
  • Country: gb
Re: People should drop passwords altogether
« Reply #25 on: May 07, 2022, 07:21:36 am »
RFID glass capsules with a crypto channel implanted under your skin.
Basically this kind of capsule provides a password of 196 bytes.

Is it good? Let's check it out.

It can uniquely identify a human around the world.
It's time-stable, doesn't react with the immune system, and doesn't cause cancer.
It is chemically inert for humans, plants and animals.
It doesn't need any battery; it's a true RFID low-power system.
It is not based on the physical characteristics of a human being.
It can be easily applied with a pressure gun without anesthesia.
It cannot be spoofed and cannot be cloned (not easily).
You cannot forget it at home; it's always with you.
It is more secure than fingerprint or facial recognition.
It cannot be exploited to track your position.
It's a contact-less device, but antennas need to be within millimetres rather than metres.


But, where to implant?  :o :o :o
And ...
... can it be damaged by X-ray or by computed axial tomography?
mumble  :o :o :o

Implanting sounds easy, but for sure replacing such a device requires mini-surgery.
Nothing more serious than what a dentist does, anyway.

(
Ummmm, no, implanting such an RFID capsule inside a dental capsule is probably not a good idea, even for how you would later authenticate, unless you like swallowing your smartphone and pushing it to the last molar tooth  :-//
)
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1638
  • Country: nl
Re: People should drop passwords altogether
« Reply #26 on: May 07, 2022, 07:47:19 am »
... and I can steal your digital identity/passwords on the next handshake we give.

Also, I think we should investigate how reliable we want our locks to be. Some people put a photograph online of their physical keychain with house keys etc., not realizing that those teeth are measurable, and someone skilled can replicate that key. What would you do if you think someone then has access to one of your keys, but you can't reasonably ask them to hand them over? Obviously, you change out all the locks.

Good luck changing out biometric scans or RFID tags under skin. Or sometimes even phone numbers for 2FA verification (if you first need that number to log in).
Even though you physically need to "scan" your finger... in the end that scan is all a bunch of 1s and 0s. You must then presume the platform is properly secured for some hacker not to just make a raw dump of your scan data, which he could use as a dummy to repeatedly keep using your biometrics. Good luck changing it.

I honestly think virtually all the downsides to authentication nowadays are down to the users. Imagine if we lived in a world where everyone had a keypad door lock with a 5-digit code to get in. What if half of the users had chosen "12345" or "00000" as their entry code? Or perhaps even "15951". Tough luck, you got hacked, but also don't choose a simple-to-guess code. I think no insurance company would pay out for any of those codes.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #27 on: May 07, 2022, 09:02:34 am »
Passwords must go. But the main reason is not their inherent weakness. It’s because of the users.
The users must go.

Everybody who thinks otherwise is setting oneself up for a never-ending game of whack-a-mole.
Some of them are paid money for playing it, hence articles like the one found in the OP.
« Last Edit: May 07, 2022, 09:05:51 am by magic »
 

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3915
  • Country: gb
Re: People should drop passwords altogether
« Reply #28 on: May 07, 2022, 10:34:22 am »
... and I can steal your digital identity/passwords on the next handshake we give.

The human wrist is not the best place to implant an RFID capsule, not only because you could try to steal the digital identity on the next handshake, but also because the wrist itself is anatomically the worst place, especially in the metacarpus area.

I think the best place to implant is the skull, under the ear: there is a dimple of adequate size, and the gesture you make to identify yourself is the same as you make to answer the phone.

Science fiction for now, but it makes sense for me.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline Gyro

  • Super Contributor
  • ***
  • Posts: 9504
  • Country: gb
Re: People should drop passwords altogether
« Reply #29 on: May 07, 2022, 11:00:58 am »
I have regular MRIs. I can't see them being happy about an RFID capsule being implanted in my head - I can't think of an area of the body that somebody isn't going to need an MRI on at some point.
Best Regards, Chris
 
The following users thanked this post: hans

Offline Brumby

  • Supporter
  • ****
  • Posts: 12298
  • Country: au
Re: People should drop passwords altogether
« Reply #30 on: May 07, 2022, 11:51:46 am »
  • what happens when you cut your fingertip and it is covered with a plaster, or permanently scarred?
Some years ago I procured an HP laptop for someone - and it had a fingerprint reader.  If I remember correctly, the user could record 3 different fingerprints.  So I said they should do two fingers on one hand and one on the other, to cover this exact scenario.

The concern I have is not so much the fingerprinting - but how reliably sensors can differentiate between the genuine input and fakes.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #31 on: May 07, 2022, 01:08:53 pm »
I wish people would actually investigate what’s being done before descending into outrage and hyperbole like so many posts in this thread.


That password authentication (as a system) offers poor security is a fact. Why is both complex and irrelevant. But if it were possible to make passwords into a reliably secure authentication method, you’d think we’d have figured that out over the last few decades. It’s reasonable to conclude that it can’t be done.


So the alternative is to look to other ways of authenticating. But this doesn’t mean it has to be biometrics. (Not that biometrics have proven to be particularly vulnerable. They seem to be proving themselves as superior to passwords. Not perfect, merely superior.) Those are but one option. Mobile phone codes, authenticator apps, and hardware devices are all widespread now. Don’t want to rely on a phone? Get a hardware key.


Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security companies like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
 
The following users thanked this post: gmb42

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #32 on: May 07, 2022, 01:25:32 pm »
You can't get the password out of a dead man.
As to fingerprints or other parts of the dead body .... :-X

Agreed on that..

You can use fingers eyes and even DNAs of someone else..

Not with good old passwords..

These changes are just excuses to implement a PATENT-BASED API and security gizmos and chips.

They will come of course...    and very, very, VERY overpriced; we will be forced to have them.

Paul
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #33 on: May 07, 2022, 01:27:32 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #34 on: May 07, 2022, 01:32:24 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
They are more secure, and as I said, they are not all biometric. Perfect example of the uninformed hysteria I’m talking about.
 
The following users thanked this post: gmb42

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #35 on: May 07, 2022, 01:32:46 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security companies like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when the sweet hack goes off, they get the keys to the kingdom.

« Last Edit: May 07, 2022, 01:35:57 pm by ConKbot »
 
The following users thanked this post: Karel

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #36 on: May 07, 2022, 01:34:39 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security companies like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when the sweet hack goes off, they get the keys to the kingdom.
And even more uninformed hysteria.

Proving my point more: reacting without looking at what it is and isn’t. FIDO isn’t one company, and it’s not one standard.
 
The following users thanked this post: gmb42

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #37 on: May 07, 2022, 01:40:53 pm »
Yes, huge companies that sell advertisements also offering an SSO service definitely won't track users; I'm totally being hysterical and unreasonable here. And it definitely doesn't provide a much nicer target for hacking.
 
The following users thanked this post: Karel, PKTKS

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #38 on: May 07, 2022, 01:46:34 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Privatized API of  services..  and the so-called browser..
is now just 80%  a JS engine to track users and sell ADVERTS...

expecting to have 95% of browsing  just to advert buz..

Users forced to render their privacy to these APIs.

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #39 on: May 07, 2022, 02:51:45 pm »
 :palm:
Omg, the stupid, it hurts…
 
The following users thanked this post: hans, Bassman59, gmb42, golden_labels

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #40 on: May 07, 2022, 03:14:41 pm »
Passwords have their place. It's hard to change biometrics when compromised. Relying on hardware tokens or apps (worse security than hardware tokens) isn't a good idea either, because they can be lost, be taken by someone (with force?), have a dead battery or simply break. So you need backup tokens/apps and a way to quickly disable lost/stolen tokens/apps (similar to debit/credit cards). MFA is good for critical stuff like home banking, still a bit cumbersome.
 
The following users thanked this post: Karel

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: People should drop passwords altogether
« Reply #41 on: May 07, 2022, 03:49:20 pm »
What they're going after is for you to give up what in the 2FA ... particularly at "what you know/memorize (inside your brain)" as the 2nd part of 2FA on what you have physically (e.g. phone for OTP ... including your body parts like finger/retina (eye balls) etc) are "easily retrieval-able".  >:D

This idea only makes sense or valid, once "they" have discovered how to retrieve your password from your brain that probably they managed to yank out of your head.  :-DD

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1384
Re: People should drop passwords altogether
« Reply #42 on: May 07, 2022, 04:46:19 pm »
:palm:
Omg, the stupid, it hurts…
I'm not the one suggesting a free service from an advertising company (which makes you the product) makes for a better login method than a good password or other 2FA method.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14471
  • Country: fr
Re: People should drop passwords altogether
« Reply #43 on: May 07, 2022, 04:54:37 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Indeed. =)
 

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #44 on: May 07, 2022, 05:22:44 pm »
Of course, this was all foretold by St John the Theologian, as revealed to him on the island of Patmos.
Revelation, chapter 13: verses 16 and 17.
[16] And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
[17] And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #45 on: May 07, 2022, 05:31:20 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.
 
The following users thanked this post: Karel, james_s

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14471
  • Country: fr
Re: People should drop passwords altogether
« Reply #46 on: May 07, 2022, 05:54:03 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.

Is it really for security reasons anyway? Or, at least, individual security?

Makes me think of the expression: "se jeter à l'eau de peur d'être mouillé" (roughly meaning: "to jump right into the water for fear of getting wet").

 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: People should drop passwords altogether
« Reply #47 on: May 07, 2022, 05:55:49 pm »
I like passwords, they're just fine if you put some effort into coming up with one that is easy to remember but difficult to guess. Unfortunately many sites have stupid (and often conflicting between sites) requirements that are not conducive to this, and a lot of people are idiots and use the same password for everything.
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7377
  • Country: nl
  • Current job: ATEX product design
Re: People should drop passwords altogether
« Reply #48 on: May 07, 2022, 06:18:20 pm »
Actually, in cryptocurrencies, there is a concept called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: People should drop passwords altogether
« Reply #49 on: May 07, 2022, 07:37:43 pm »
This problem can be used to verify your identity.

PKI works fine for that. There are some tangential problems where zero knowledge proofs are useful, Cloudflare uses it for attestation that a token is certified for instance, but that's a separate matter (attestation is not essential, webauthn allows self attestation for instance).
« Last Edit: May 07, 2022, 07:39:52 pm by Marco »
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #50 on: May 07, 2022, 08:23:29 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is going to memorize their private key and do the math by hand.
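The "signed challenge (certificate based)" poll option, and the point made in the last three posts that a public-key exchange proves possession of a key without ever revealing it, in its minimal form. This is an added Go example, not code from any poster and not the FIDO/WebAuthn protocol itself; the service identifier, user name and two-minute challenge lifetime are assumptions, and it models only the challenge, the binding of the signature to the service, and the verification, not the WebAuthn wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

type pendingChallenge struct {
	nonce   []byte
	expires time.Time
}

// RelyingParty is the server side. It stores enrolled public keys only, so a
// database dump contains nothing that can be replayed or cracked offline.
type RelyingParty struct {
	ID      string                       // assumed identifier of this service
	users   map[string]ed25519.PublicKey // username -> enrolled public key
	pending map[string]pendingChallenge  // username -> challenge awaiting a reply
	ttl     time.Duration                // how long a challenge stays valid
}

func NewRelyingParty(id string, ttl time.Duration) *RelyingParty {
	return &RelyingParty{ID: id, ttl: ttl, users: map[string]ed25519.PublicKey{}, pending: map[string]pendingChallenge{}}
}

// Register enrols a user's public key. The private key stays on the device.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// BeginLogin issues a fresh 32-byte random challenge. One challenge per
// attempt, consumed on use, is what stops a captured reply from being replayed.
func (rp *RelyingParty) BeginLogin(user string, now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = pendingChallenge{nonce: nonce, expires: now.Add(rp.ttl)}
	return nonce, nil
}

// signedMessage binds the challenge to the relying party ID. A signature the
// user was induced to make for some other service's ID will not verify here.
func signedMessage(rpID string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so ID and nonce cannot run into each other
	h.Write(nonce)
	return h.Sum(nil)
}

// SignChallenge is the device side: it signs (rpID, nonce) with a key that
// never leaves the device. rpID is what the device believes it is talking to.
func SignChallenge(priv ed25519.PrivateKey, rpID string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(rpID, nonce))
}

// FinishLogin checks that a challenge is outstanding and unexpired, that the
// signature covers this service's ID and that exact nonce, then consumes it.
func (rp *RelyingParty) FinishLogin(user string, nonce, sig []byte, now time.Time) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	pc, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (never issued, or already used)")
	}
	delete(rp.pending, user) // single use, whether or not verification succeeds
	if now.After(pc.expires) {
		return errors.New("challenge expired")
	}
	if !bytes.Equal(pc.nonce, nonce) {
		return errors.New("challenge mismatch")
	}
	if !ed25519.Verify(pub, signedMessage(rp.ID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("login.example.test", 2*time.Minute) // assumed service ID
	pub, priv, _ := ed25519.GenerateKey(nil)                   // nil means crypto/rand; done on the device
	rp.Register("alice", pub)
	now := time.Now()
	nonce, _ := rp.BeginLogin("alice", now)
	sig := SignChallenge(priv, "login.example.test", nonce)
	fmt.Println("genuine login: ", rp.FinishLogin("alice", nonce, sig, now)) // <nil>
	fmt.Println("replayed reply:", rp.FinishLogin("alice", nonce, sig, now)) // error: already used
}
```

The same reply signed for a different service ID, or with a different key, or presented after the challenge has expired, is rejected by FinishLogin for the reason named in the error.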
 

Offline rsjsouza

  • Super Contributor
  • ***
  • Posts: 5986
  • Country: us
  • Eternally curious
    • Vbe - vídeo blog eletrônico
Re: People should drop passwords altogether
« Reply #51 on: May 07, 2022, 08:52:25 pm »
From what I understood from the press release, FIDO seems to be a "login once" system that creates one or more tokens for the various websites that require authentication - something functionally similar to what browsers do with cookies and "password wallets", but perhaps across several apps.

Given the severe overreach of the last years and eagerness to track anyone's movements on the digital highway, I can't say that exchanging the insecurity of passwords with this digital footprint is a fair exchange.
Vbe - vídeo blog eletrônico http://videos.vbeletronico.com

Oh, the "whys" of the datasheets... The information is there not to be an axiomatic truth, but instead each speck of data must be slowly inhaled while carefully performing a deep search inside oneself to find the true metaphysical sense...
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #52 on: May 07, 2022, 09:35:05 pm »
Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site. If you're stupid enough to use insecure ones then more fool you. I believe there are 64 characters available but let's say it's 32; 32^16 = 1.2E24..... I rest my case.
 
The following users thanked this post: cdev, james_s, MrMobodies

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1912
  • Country: gb
Re: People should drop passwords altogether
« Reply #53 on: May 08, 2022, 12:26:02 am »
Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.
Added to survey.

I can now see that I poorly thought out the survey.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #54 on: May 08, 2022, 02:35:16 pm »
:palm:
Omg, the stupid, it hurts…
I'm not the one suggesting a free service from an advertising company (which makes you the product) makes for a better login method than a good password or other 2FA method.
Nor am I, which you’d understand if you actually looked at the information I posted.
 
The following users thanked this post: gmb42

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #55 on: May 08, 2022, 02:39:59 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.
An individual password may or may not be secure. A secure password, used in an insecure system, still means an insecure system. But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.

The whole point of non-password logins is to take a weak security system and replace it with a less weak one.

Biometrics span a wide range of technologies and security levels, but for the umpteenth time, they’re not the only option!
 
The following users thanked this post: gmb42

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #56 on: May 08, 2022, 02:51:33 pm »
Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.
Added to survey.

I can now see that I poorly thought out the survey.
You still are lacking a “keep the status quo” option, as you’ve only added the option to use stricter passwords.

But paradoxically, requiring stricter passwords results in overall worse security, because as soon as passwords become too difficult to memorize (including too-frequent changes), people start writing them down or storing them in a Word file. (Most people won’t use password wallets, even if told to do so.)

This is why things are moving towards biometrics (which are imperfect but better than passwords on the whole), or 2FA, often using a simple PIN instead of a complex password.
 
The following users thanked this post: gmb42, MrMobodies

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #57 on: May 08, 2022, 03:30:25 pm »
But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.
Could you elaborate what do you even mean by "being able to crack a password" and why should it be so trivial and what would make a password not susceptible to that?

Not hoping for much, but...
:popcorn:
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #58 on: May 08, 2022, 03:46:55 pm »
But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.
Could you elaborate what do you even mean by "being able to crack a password" and why should it be so trivial and what would make a password not susceptible to that?

Not hoping for much, but...
:popcorn:

A memorable password means words, and there are only so many words around, so the first thing a hacker tries is a "dictionary" attack. That has fewer combinations than the 1200000000000000000000000 combinations available in a 16 character random string. Also humans have habits when they use words, so that reduces the pool further.

Yes I have my passwords written down, but they are on encrypted media. There are no insecure copies; you have to have access to my computers to get them.
 
The following users thanked this post: tooki

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #59 on: May 08, 2022, 04:28:56 pm »
Precisely that. Anything even remotely human-memorable is what the dictionary attacks go for first. (And yes, they’re smart enough to substitute “!” for 1 and all the other common substitutions. They know we append sequential numbers or years to words. They know all the tricks we use to meet “strong” password criteria while still remaining even vaguely memorable.)

If you care, you can Google for explanations by security researchers as to why password security is so much lower than people think it is. Even most supposedly tech-savvy people who think they’re using “strong” passwords don’t realize they’re weak passwords in reality. (The password strength indicators on some websites are absolutely dumb, and think adding some punctuation and numbers makes it “strong”. It doesn’t.) I’m not a mathematician, security expert, or computer scientist, but I have read up enough to understand that passwords are like standard 5-tumbler domestic door locks: enough to stop a typical passerby, and to tell your insurance “I wasn’t negligent, I locked my doors”, but completely useless against even a moderately skilled attack.
« Last Edit: May 08, 2022, 04:30:35 pm by tooki »
 
The following users thanked this post: gmb42

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #60 on: May 08, 2022, 05:12:00 pm »
There are some very useful tools called password managers. They even generate complex and long passwords.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: People should drop passwords altogether
« Reply #61 on: May 08, 2022, 05:42:22 pm »
In principle I like the concept of a dongle, but the actual implementation of FIDO not so much. Not exposing private keys even to the user rubs me the wrong way, I want to make a paper backup. I know it compromises their idea of security, but their idea is not mine.

Generate all the keypairs (or passwords for non webauthn sites) from a combination of rootkey/domain (and login for non webauthn sites) and on a special keypress combo on the dongle let me read out the private key so I can make a paper backup. Then I'll consider using it.
« Last Edit: May 08, 2022, 05:46:31 pm by Marco »
 
The following users thanked this post: Someone

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #62 on: May 08, 2022, 06:00:05 pm »
Dictionary attacks are not viable against a remotely competently designed system which rate limits login attempts.
Even offline attacks against leaked hashes can be effectively rate limited by making the hash hard to verify.
Search space grows exponentially with the number of words, like it does with the number of letters.

So yeah, do elaborate how you envision "cracking" someone's bank account password or stuff like that.

Competent hackers use phishing.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #63 on: May 08, 2022, 06:03:47 pm »
In principle I like the concept of a dongle, but the actual implementation of FIDO not so much. Not exposing private keys even to the user rubs me the wrong way, I want to make a paper backup. I know it compromises their idea of security, but their idea is not mine.

Generate all the keypairs (or passwords for non webauthn sites) from a combination of rootkey/domain (and login for non webauthn sites) and on a special keypress combo on the dongle let me read out the private key so I can make a paper backup. Then I'll consider using it.
These aren't systems to protect you. They are systems to reduce your service provider's customer support and insurance costs.
Your service provider will not consider a dongle which lets you take the keys out of it because they consider you an idiot (and, statistically, in 90% of cases they aren't even wrong).
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1209
  • Country: pl
Re: People should drop passwords altogether
« Reply #64 on: May 08, 2022, 06:08:17 pm »
Breaking most human-generated passwords is feasible. But not every human-memorizable one. A 5-word password chosen randomly from an 8k word list is over 64 bits. Currently there aren’t many actors capable of even iterating over that, much less calculating a KDF for even local attacks. Remote attacks have an even higher price tag attached.

64-bit keys become an issue when a threat can be considered at a mass scale. That is: when the question turns from “can one attack a pre-selected target” to “can we be successful at attacking at least one of the targets”. That is a valid concern then. But it is not so for just any attack scenario.

And now, the continuation of the story I delivered earlier! Mother failed to enter the password (reasons unknown) and asked me for help. But I was lazy, so instead of searching for her PESEL number in documents I just pdfcracked it. Seriously: if entering a valid password by a person that has legal access to it takes more effort than actually breaking it, someone has failed hard at security.
People imagine AI as T1000. What we got so far is glorified T9.
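Simon's dictionary-attack point, magic's note that rate limiting and slow hashes cap the guess rate, and golden_labels' 65-bit passphrase figure above all sit on one scale: bits of entropy against guesses per second. The Go program below is an added illustration by the editor, not code from any poster. The attacker guess rates, the "dictionary word plus four digits" model of a memorable password, and the eight-entry word list are constructed assumptions for the estimate (a real 8192-word list gives 13 bits per word, which is where the 65 bits come from); the password and passphrase generators use crypto/rand with rejection sampling, which is what a password manager does.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// EntropyBits is the entropy of a secret drawn uniformly at random:
// `length` symbols, each from a pool of `poolSize` equally likely choices.
func EntropyBits(poolSize, length int) float64 {
	return float64(length) * math.Log2(float64(poolSize))
}

// ExpectedGuesses is the average number of guesses an attacker who enumerates
// the whole space in some fixed order needs to hit the secret: half the space.
func ExpectedGuesses(bits float64) float64 {
	return math.Exp2(bits - 1)
}

// YearsToCrack converts ExpectedGuesses into wall-clock years at a guess rate.
func YearsToCrack(bits, guessesPerSecond float64) float64 {
	return ExpectedGuesses(bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

// RandomString draws `length` symbols uniformly from alphabet using the OS
// CSPRNG. rand.Int rejection-samples, so there is no modulo bias.
func RandomString(alphabet string, length int) (string, error) {
	var sb strings.Builder
	n := big.NewInt(int64(len(alphabet)))
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// RandomPassphrase picks `words` entries uniformly from wordlist (diceware style).
func RandomPassphrase(wordlist []string, words int) (string, error) {
	parts := make([]string, 0, words)
	n := big.NewInt(int64(len(wordlist)))
	for i := 0; i < words; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		parts = append(parts, wordlist[idx.Int64()])
	}
	return strings.Join(parts, " "), nil
}

func main() {
	// 94 printable ASCII characters (space excluded): the pool for a random password.
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
		"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	// Constructed toy word list: only 3 bits per word. A real 8192-word list gives 13.
	words := []string{"anvil", "brass", "copper", "diode", "ember", "flux", "gear", "helix"}

	candidates := []struct {
		name string
		bits float64
	}{
		{"16 random printable-ASCII characters", EntropyBits(94, 16)},
		{"5 random words from an 8192-word list", EntropyBits(8192, 5)},
		// Assumed model of a "memorable" human password: one of 100000 dictionary
		// words, optionally capitalised, followed by a 4-digit number.
		{"dictionary word + optional capital + 4 digits", math.Log2(100000 * 2 * 10000)},
	}
	// Assumed attacker guess rates, for illustration only.
	rates := []struct {
		name   string
		perSec float64
	}{
		{"online, rate limited to 10 attempts/min", 10.0 / 60},
		{"offline, leaked hash under a slow KDF (1e4/s)", 1e4},
		{"offline, leaked fast unsalted hash on GPUs (1e11/s)", 1e11},
	}
	for _, c := range candidates {
		fmt.Printf("%-50s %6.1f bits\n", c.name, c.bits)
		for _, r := range rates {
			fmt.Printf("    %-50s %.3g years\n", r.name, YearsToCrack(c.bits, r.perSec))
		}
	}
	pw, _ := RandomString(alphabet, 16)
	pp, _ := RandomPassphrase(words, 5)
	fmt.Println("generated password  :", pw)
	fmt.Println("generated passphrase:", pp)
}
```

The numbers make the thread's two camps consistent: 31 bits is gone in seconds offline but survives years behind a rate limiter, while 65 bits at a slow KDF is out of reach for a targeted attack yet, as golden_labels says, becomes a numbers game when the attacker only needs one account out of millions.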
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #65 on: May 08, 2022, 06:12:08 pm »
If you are paranoid, just use a "password" as a username where it does not have to be publicly visible or your email address, or use an email address that has a random string as the username. Most systems will stop you attempting more than a certain number of logins at a time, which makes guessing a proper password not even worth the effort. As mentioned above, this is why phishing and other email related attacks are common: instead of trying to attack the system, they go for the weakest link - you - the human.
 
The following users thanked this post: james_s

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7377
  • Country: nl
  • Current job: ATEX product design
Re: People should drop passwords altogether
« Reply #66 on: May 09, 2022, 12:56:21 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is going to memorize their private key and do the math by hand.
You need a crypto wallet, write down the 12 word mnemonic, and when logging in on a website, the website verifies the wallet.
This is like 100% solved when it comes to cryptocurrency. There is only one person who can sign transactions to it.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #67 on: May 09, 2022, 01:08:20 pm »
A news article with some hints about potential issues:
Your Phone May Soon Replace Many of Your Passwords: https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/#more-59727

Your life will depend on a smartphone! :scared:
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: People should drop passwords altogether
« Reply #68 on: May 09, 2022, 01:11:30 pm »
Statement on three nuclear accidents
All three of those accidents were caused by loss of the ultimate heatsink, which in those cases was provided by water in those fission reactors. So they need continuous cold water to be provided, and then power for cooling. Or they "melt down". That's what caused the big problems. It hasn't been fixed in any other technology. Fusion, not fission, may be cleaner when it's developed. But right now I don't trust them. I'd rather pay less for gas generated electricity. And get rid of nuclear fission plants. Until they have better ways to store waste. I don't want them to lie to us any more. Stop the corporate bait and switch.
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: People should drop passwords altogether
« Reply #69 on: May 09, 2022, 01:15:18 pm »
A news article with some hints about potential issues:
Your Phone May Soon Replace Many of Your Passwords: https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/#more-59727

Your life will depend on a smartphone! :scared:


They can only do that if they make the phone free, or where is democracy? It's gone. But then they will track your every move.

Considering how the Uruguay Round effectively ended democracy, one can see why they are accusing everybody else of malfeasance. It's actually them who are taking over the world.
  -- This should be a crime.
"Trust us, we're experts!"  Ha!  Experts at ripping humanity off!

Read Shoshanna Zuboffs new book on "surveillance capitalism"
 Eliminate cash for total surveillance over everybody for their coup. (Their test demonetization/test project in India stripped poor people of billions..).
« Last Edit: May 09, 2022, 02:52:43 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: People should drop passwords altogether
« Reply #70 on: May 09, 2022, 01:26:36 pm »
The chance of somebody randomly guessing a password should be trillions to one. Simon had the right idea. Make your password very long and utterly random. Learn about and use real cryptography all the time. A lot. Not just on important messages.

This is why I am perpetually interested in random number generation. All passwords should come from random sources for example, RF noise. You can use it to generate your keys. Make them insanely long. They will be virtually impossible to guess.

You're not a criminal for wanting privacy. They are for trying to end it.

Quote
Not hoping for much, but...
:popcorn:

Come on tooki, you are smarter than that.

You should download and learn to use GnuPG on whatever platform you use. I do, and in fact I've used it since literally when it first came out. I think that everybody should. Could you imagine only sending post cards for everything?  That's what most email is today.
« Last Edit: May 09, 2022, 01:51:32 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #71 on: May 09, 2022, 01:35:10 pm »
Normal software random number generators start from a "seed".
In order to test the overall software, it is common to freeze this seed to allow verification of the computation, and then use something sort-of-random, such as time of day, to generate a seed for the pseudo-random process.
Many years ago, I saw someone use a Lava Lamp™ as a physical random process to generate the seed, but I don't remember how it was encoded.
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: People should drop passwords altogether
« Reply #72 on: May 09, 2022, 01:38:17 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.
You need a crypto wallet, write down the 12 word mnemonic, and when logging in on a website, the website verifies the wallet.
This is like 100% solved when it comes to cryptocurrency. There is only one person who can sign transactions to it.


You can make a wallet card, and use a simple cipher to encode the keys you write on that card. Put the key somewhere safe, elsewhere, so if you lose the card, a finder won't be able to use them. Or you can use gnuk and an ST-Link V2 clone dongle:
https://nx3d.org/gnuk-st-link-v2/
People should drop some Internet companies altogether.

The company you mentioned was the late and great SGI company, of Mountain View, CA.
Indeed they did use lava lamps. Because they are random. Let's see you try to predict the motion of them. The photo is not of SGI; it's from years later at a Cloudflare vendor. What a great publicity stunt.

What would be a better VID and similar when you build the gnuk software!?
« Last Edit: May 09, 2022, 03:04:03 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #73 on: May 09, 2022, 04:44:35 pm »
You should not eliminate passwords, nor should you use a browser to manage passwords. Search engines and Internet companies make their money from selling information on you. It's called surveillance capitalism. Keep that in mind. It's not a good deal for humanity. Be aware corporations are only in it for themselves (who else would they be in it for?), so now they often give bad advice.
To anyone else reading this, please note that the bold text above is absolutely TERRIBLE advice. A password manager is arguably the best thing you can do to get the most out of password security. (And if you’re paranoid/delusional like cdev, you can still get a password manager from a third party that’s not your browser developer. I’m pretty sure there are open source ones, too.)

cdev, you need to take off the tinfoil hat, seriously.
1. If browsers sent our passwords to the browser developers, security researchers would have noticed long ago.
2. What would they even want with your passwords? They’re not useful for tracking and advertising. Furthermore, only one of the major browser developers (Google) has a significant interest in advertising. For the others (Microsoft, Apple, and Mozilla), advertising is either an insignificant business area, or not one at all, while privacy absolutely is. So there’s no incentive for any of them to gather your passwords.
 
The following users thanked this post: gmb42

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #74 on: May 09, 2022, 04:47:05 pm »
Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.
Added to survey.

I can see now that I poorly thought out the survey.
You still are lacking a “keep the status quo” option, as you’ve only added the option to use stricter passwords.

But paradoxically, requiring stricter passwords results in overall worse security, because as soon as passwords become too difficult to memorize (including too-frequent changes), people start writing them down or storing them in a Word file. (Most people won’t use password wallets, even if told to do so.)

This is why things are moving towards biometrics (which are imperfect but better than passwords on the whole), or 2FA, often using a simple PIN instead of a complex password.

Companies want to data mine everything, to separate the rich from the poor.
That's what it is. They can't be trusted.
Please, get professional help. Paranoia is not healthy.
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #75 on: May 09, 2022, 06:10:24 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.


I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize, as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and an encrypted key, you decrypt it and send it back re-encrypted and I verify, or something like that. The principle is that the math is reversible and at no time is the actual key transmitted.
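Marco's wish (reply #61) for keypairs derived from a root key plus the domain, tszaboo's point that a signed proof of possession is "something you have", and Simon's sketch of a challenge exchange just above all describe one mechanism: the server sends a fresh random challenge, the dongle signs it with a per-site private key, and the key itself never crosses the wire. The Go program below is an added illustration by the editor, not code from any poster and not the FIDO or WebAuthn protocol (it signs a SHA-256 of origin and challenge, a simplification of what a real authenticator signs). The salt string, the origin and login names, and the info-string layout are assumptions; the derivation is HKDF-SHA256 (RFC 5869) reduced to the single 32-byte block an Ed25519 seed needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// DeriveSeed turns a root key plus the relying party's origin and the login
// name into a 32-byte Ed25519 seed: HKDF extract with a fixed (assumed) salt,
// then one HKDF expand block whose info string binds origin and login.
func DeriveSeed(rootKey []byte, origin, login string) []byte {
	extract := hmac.New(sha256.New, []byte("dongle-keygen-v1")) // assumed salt
	extract.Write(rootKey)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("webauthn|" + origin + "|" + login))
	expand.Write([]byte{0x01}) // HKDF block counter
	return expand.Sum(nil)     // 32 bytes == ed25519.SeedSize
}

// KeypairFor recomputes the same keypair every time for the same inputs, so a
// paper backup of rootKey alone restores every credential ever registered.
func KeypairFor(rootKey []byte, origin, login string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(DeriveSeed(rootKey, origin, login))
	return priv.Public().(ed25519.PublicKey), priv
}

// payload is what gets signed: the origin the client is talking to plus the
// server's fresh challenge. Binding the origin is what defeats phishing sites.
func payload(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot be re-split
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server side. It stores public keys only.
type RelyingParty struct {
	Origin  string
	pubkeys map[string]ed25519.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubkeys: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Register(login string, pub ed25519.PublicKey) { rp.pubkeys[login] = pub }

// Challenge returns 32 fresh random bytes; a challenge is used exactly once.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the signature against the registered key and rp's OWN origin,
// never an origin the client claims.
func (rp *RelyingParty) Verify(login string, challenge, sig []byte) bool {
	pub, ok := rp.pubkeys[login]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, payload(rp.Origin, challenge), sig)
}

// Authenticate is the dongle side. origin is whatever the browser reports it
// is connected to; the private key never leaves this function.
func Authenticate(rootKey []byte, origin, login string, challenge []byte) []byte {
	_, priv := KeypairFor(rootKey, origin, login)
	return ed25519.Sign(priv, payload(origin, challenge))
}

func main() {
	root := make([]byte, 32) // the one secret worth writing on paper
	if _, err := io.ReadFull(rand.Reader, root); err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example") // assumed origin
	pub, _ := KeypairFor(root, rp.Origin, "alice")
	rp.Register("alice", pub)

	ch := rp.Challenge()
	fmt.Println("genuine site :", rp.Verify("alice", ch, Authenticate(root, "https://bank.example", "alice", ch)))
	// Phishing: same user, same dongle, but the browser is on a look-alike origin.
	fmt.Println("phishing site:", rp.Verify("alice", ch, Authenticate(root, "https://bank-example.com", "alice", ch)))
	// Backup restore: a second dongle loaded with the same root key gives the same public key.
	pub2, _ := KeypairFor(root, rp.Origin, "alice")
	fmt.Println("restored key matches:", hex.EncodeToString(pub) == hex.EncodeToString(pub2))
}
```

Two things worth noticing against the thread: magic's objection that vendors will not let you export keys is sidestepped because only the root key needs backing up, and David Hess's worry about a lost fob is answered the same way; and the phishing case fails not because the attacker lacks a signature but because the signature covers the wrong origin and was made with a key the bank never registered.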
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #77 on: May 09, 2022, 06:51:14 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.

I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and encrypted key, you unencrypt it and send it back re-encrypted and I verify,  or something like that. The principle is that the math is reversable and at no time is the actual key transmitted.

There is nothing inherently wrong with it for authentication, but relying on using a phone for it which has its own security vulnerabilities can compromise it.  At least it would be better than using a phone as a side channel which is so easily compromised.  I would have no complaints about a USB security key fob but for instance Google's recent requirements exclude them.  I wonder why Google would exclude something more secure, but I know the answer; Google is not interested in security for others.

A security key fob has all of the disadvantages of a physical key.  It can be lost, stolen, or broken.  At least it should be much more difficult to copy.
 

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #78 on: May 09, 2022, 08:51:58 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual experts will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14471
  • Country: fr
Re: People should drop passwords altogether
« Reply #79 on: May 09, 2022, 09:22:31 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual experts will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.

Yes.
And "experts" is a vague term. If said "experts" are paid by those companies only interested in themselves, their biased expertise has little value.
Independent experts are few and far between.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #80 on: May 10, 2022, 08:38:31 am »
I think the point most people here are missing is this: nobody is claiming these alternatives provide flawless security. The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable. That’s the bar we’re seeking to exceed.
 
The following users thanked this post: gmb42

Online Simon

  • Global Moderator
  • *****
  • Posts: 17816
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #81 on: May 10, 2022, 12:04:28 pm »
Yes, things like 2FA are just to solve poor password and human error problems. Often it is forced on users unnecessarily. My university forced 2FA. I mean really, what does a hacker want to do? Upload my assignments for me?
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16615
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #82 on: May 10, 2022, 12:32:24 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #83 on: May 10, 2022, 01:56:21 pm »
2FA can be easily messed up with stupid things like sending codes via SMS to a cell phone. SIM swapping has become a mass sport in the US.
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #84 on: May 10, 2022, 02:19:53 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.

2x Me too.

To say the least ... I could not authorize email clients like Claws and Mutt..

The interface (CLOUD)  is obviously meant as enforcement to sign in every user and force the use of own API and applets..

Never saw such a waste of time and effort to just set a email polling..

"THE" worst piece of shit I've seen in the last 30y to access POP/IMAP services...

They have brain damaged people on this..

Paul
« Last Edit: May 10, 2022, 02:21:50 pm by PKTKS »
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #85 on: May 10, 2022, 07:15:20 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.
 
The following users thanked this post: gmb42

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #86 on: May 11, 2022, 05:12:47 am »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:
 
The following users thanked this post: tooki

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19497
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #87 on: May 11, 2022, 08:48:15 am »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

... thus creating a single point of failure for all malefactors to attack :)

It is all shades of grey; choose your poison :(
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: People should drop passwords altogether
« Reply #88 on: May 11, 2022, 10:48:09 am »
Trust experts to choose your poison - that's the 21st century version :D
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19497
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #89 on: May 11, 2022, 10:56:46 am »
Trust experts to choose your poison - that's the 21st century version :D

Not quite :(

Trust self-proclaimed experts to choose your poison - that's the 21st century version.

Alternatively, trust Dunning-Kruger sufferers to choose your poison, while they decry experts.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #90 on: May 11, 2022, 12:49:05 pm »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:

Good standards are great! But who wants to establish a specific standard? And for which purpose (the 2FA could be just the shiny wrapping paper)?
 

Offline xrunner

  • Super Contributor
  • ***
  • Posts: 7517
  • Country: us
  • hp>Agilent>Keysight>???
Re: People should drop passwords altogether
« Reply #91 on: May 11, 2022, 12:54:33 pm »
From The Register

Quote

Yahoo Japan strives for universal passwordless authentication


Wed 11 May 2022 // 08:19 UTC

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages.

A case study penned by staff from Yahoo Japan and Google's developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.

The web giant also sees phishing as a significant threat, and has found that a third of customer inquiries relate to lost credentials.

“From a security perspective, eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords prevents situations where a user is unable to login because they forgot their password,” the case study states.

Yahoo Japan's replacement is either authentication by one-time codes sent by SMS, or the Fast Identity Online (FIDO) standard.

When using SMS, the company is fond of using techniques that allow Apple’s iOS and Google’s Chrome browser to read and enter incoming one-time passwords so that users have nothing to do to arrange authentication.

Users are encouraged to use authenticator apps that work with FIDO and WebAuthn, with one-time codes generated on the device used to access Yahoo Japan.

“The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators,” the case study states. User experience is therefore paramount.

Yahoo Japan has therefore used tricky moments to promote adoption – when users sign up for services like e-commerce that have high fraud potential, or reset forgotten passwords, they receive suggestions to adopt authentication methods that are more secure and easier to use.

Users are encouraged to use the same authentication method on all their devices, but Yahoo ! Japan recognizes that’s not easy or possible for all, and so will tolerate mixed methods. The company also envisages operating multiple methods for the foreseeable future.

The company’s efforts have worked, in two dimensions.

“The percentage of inquiries involving forgotten login IDs or passwords has decreased by 25 percent compared to the period when the number of such inquiries was at its highest,” the case study explains. Yahoo Japan has also seen a decline in unauthorized access as its number of passwordless accounts rises.

https://www.theregister.com/2022/05/11/yahoo_japan_goes_passwordless/
I told my friends I could teach them to be funny, but they all just laughed at me.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #92 on: May 11, 2022, 01:25:24 pm »
When you go for hardware tokens or apps (or have to) make sure that you have spares and that they are registered with all the websites. If you have just one and something goes wrong, you'll have a nasty surprise. It's like losing the only key for your front door.
 
The following users thanked this post: Someone, MrMobodies

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: People should drop passwords altogether
« Reply #93 on: June 10, 2022, 05:37:51 am »
Password managers, anyone?

Let the password manager create and store the different random passwords used for each website and be done with it.

Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.
 
The following users thanked this post: tooki

Offline BradC

  • Super Contributor
  • ***
  • Posts: 2106
  • Country: au
Re: People should drop passwords altogether
« Reply #94 on: June 10, 2022, 08:31:00 am »
Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.

Yes, they do. The notes field in the password manager is a great place to store the questions and respective random keyboard mashing that you put in for an answer to each question.
It's also a great place to note down your "date of birth" and other fictional information you use to complete the mandatory sign-up questions.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #95 on: June 10, 2022, 10:10:06 am »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #96 on: June 10, 2022, 01:59:16 pm »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
Most people’s solution is a combination of reusing the same 2 or 3 passwords all over the place, often combined with a sheet of paper, notebook, or Word document listing them all. They adamantly refuse to use password managers even if told to do so. Which of course is precisely why the industry is trying to get away from passwords: humanity has proven that truly strong security using passwords is impossible at population scale. Secure, non-reused passwords are impossible to remember, and most people simply won’t use a password manager, which is the only good way to store secure passwords.
 
The following users thanked this post: gmb42

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #97 on: June 10, 2022, 03:11:56 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19497
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #98 on: June 10, 2022, 04:19:28 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.

And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!

It is worth noting that the retailers and card settlement industries don't attempt to authorise based on identity and entitlement, because it is so damn difficult to get right. They do authorise individual transactions.
« Last Edit: June 10, 2022, 04:22:21 pm by tggzzz »
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1209
  • Country: pl
Re: People should drop passwords altogether
« Reply #99 on: June 10, 2022, 10:28:31 pm »
It should also be noted that card payment authorization is a bit different than authentication, as it serves a somewhat opposite purpose. Authentication protects a person against other parties. Payment authorization protects other parties (merchants, acquirers, issuers) against the person authorizing the transaction. Of course the security mechanism employed may stay similar, but finer details differ.
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: tooki

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #100 on: June 11, 2022, 08:55:35 am »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.

And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #101 on: June 11, 2022, 08:57:29 am »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
Nothing is ever going to be perfect. But moving from something that has proven itself to be bad in practice, to something that has proven itself to be better in practice makes sense.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #102 on: June 11, 2022, 10:39:02 am »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.
Which standard specifically? This topic rapidly gets into political level doublespeak.

FIDO UAF does have mechanisms for requiring biometric methods, given that option some services/platforms will use it to mandate biometric authentication.
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #103 on: June 11, 2022, 10:45:00 am »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.
Which standard specifically? This topic rapidly gets into political level doublespeak.

FIDO UAF does have mechanisms for requiring biometric methods, given that option some services/platforms will use it to mandate biometric authentication.

I quite happily use FIDO2 keys for MFA without any requirement for biometrics whatsoever, so any claim that they are required is just FUD mongering.

Authentication implementers can, if they wish, choose methods that do require biometrics, which then leaves users a choice on whether to use such a service or not.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #104 on: June 11, 2022, 11:05:54 am »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.
Which standard specifically? This topic rapidly gets into political level doublespeak.

FIDO UAF does have mechanisms for requiring biometric methods, given that option some services/platforms will use it to mandate biometric authentication.
I quite happily use FIDO2 keys for MFA without any requirement for biometrics whatsoever, so any claim that they are required is just FUD mongering.

Authentication implementers can, if they wish, choose methods that do require biometrics, which then leaves users a choice on whether to use such a service or not.
Yes, that's the point, the service/platform gets to decide what is/isn't acceptable for their users. FIDO is a method by which they can start requiring biometrics. The standard itself does not mandate biometrics on any/all systems, but has mechanisms for biometrics to be mandated in implementations.

using FIDO* as a login method does not mandate biometric authentication
using FIDO* as a login method does not prevent mandate of biometric authentication

The user may not have a choice to go somewhere else when that platform/service is a government service.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #105 on: June 11, 2022, 02:02:32 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.
Which standard specifically? This topic rapidly gets into political level doublespeak.

FIDO UAF does have mechanisms for requiring biometric methods, given that option some services/platforms will use it to mandate biometric authentication.

I quite happily use FIDO2 keys for MFA without any requirement for biometrics whatsoever, so any claim that they are required is just FUD mongering.

Authentication implementers can, if they wish, choose methods that do require biometrics, which then leaves users a choice on whether to use such a service or not.
This.

FIDO makes it possible to rely on biometrics, but does not mandate it. There are alternatives, and countless people in this thread actively ignore this fact and instead devolve into hysteria about biometrics.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: us
Re: People should drop passwords altogether
« Reply #106 on: June 11, 2022, 03:05:24 pm »
It makes no difference to the user whether the FIDO standard requires biometric authentication, or the server using FIDO elects to require it.  In either case his biometric data is now part of the login process, even if only on his phone, and potentially subject to compromise.

But on a different subject, Steve Gibson (Spinrite) spent several years developing a password alternative called SQRL (Secure Quick Reliable Login) which uses a method similar to FIDO2, but is simpler, and offers the user the option of printing out as text or QR code his master key.  Each user has only one master key, not one for each site.  The elliptic curve private key for a site is a hash of the master key and the site's name, modified slightly to make the hash a valid private key.  Since it can be calculated on each visit to the site, there is no need to save each one.  Then the public key is calculated from the private key, and given to the website.  At login, the usual cryptographic exchange takes place, which verifies that the person logging in has the private key, but without revealing the private key.

There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.

My understanding of FIDO2 is that a separate random key pair is generated for each site, which means that a user may have hundreds of them.  And FIDO2 does not allow the user to know them or to make a copy of them.  That means that Apple, if it chooses, can limit transfer of the keys only to other Apple devices, which would make it impossible to switch to an Android phone.  Do we know yet what the major players' intentions are in this regard?  Are we going to have FIDO2 silos?
 
The following users thanked this post: Someone
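The SQRL-style scheme described in the post above (one master key, a per-site private key derived from it, the matching public key registered with the site, and a server challenge signed at login without revealing the private key), as an added Go example that is not part of the post or of SQRL's own code. It assumes HMAC-SHA256 as the derivation function and Ed25519 as the curve; the site names, challenge format and master key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKey derives a per-site Ed25519 key pair from a single master key.
// The derivation function (HMAC-SHA256 over the site name) is an assumption
// for this example. Any 32-byte value is a valid Ed25519 seed, so for this
// curve no further adjustment of the hash output is needed.
func SiteKey(master []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(site))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Server holds the public keys registered for this site. It never sees a
// private key or the master key.
type Server struct {
	site     string
	accounts map[string]ed25519.PublicKey // keyed by hex-encoded public key
}

func NewServer(site string) *Server {
	return &Server{site: site, accounts: map[string]ed25519.PublicKey{}}
}

// Register stores the public key the client computed for this site.
func (s *Server) Register(pub ed25519.PublicKey) {
	s.accounts[hex.EncodeToString(pub)] = pub
}

// Challenge issues a fresh random nonce prefixed with the site name, so a
// signature produced for one site is not a valid response at another.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(s.site+"|"), nonce...), nil
}

// Verify checks that the signature over the challenge was made with the
// private key matching a registered public key.
func (s *Server) Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	registered, ok := s.accounts[hex.EncodeToString(pub)]
	if !ok {
		return false // unknown identity for this site
	}
	if !bytes.HasPrefix(challenge, []byte(s.site+"|")) {
		return false // challenge was not issued by this site
	}
	return ed25519.Verify(registered, challenge, sig)
}

// Login runs one round: the client re-derives its site key from the master
// key (nothing per-site needs to be stored), signs the challenge, and the
// server verifies the signature against the registered public key.
func Login(s *Server, master []byte) (bool, error) {
	pub, priv := SiteKey(master, s.site)
	challenge, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(priv, challenge)
	return s.Verify(pub, challenge, sig), nil
}

func main() {
	// Constructed master key for the example; a real one is random and is
	// what the user prints out or backs up for recovery.
	master := []byte("constructed example master key, not a real secret")
	srv := NewServer("forum.example")
	pub, _ := SiteKey(master, srv.site)
	srv.Register(pub)

	ok, err := Login(srv, master)
	fmt.Println("login with the right master key:", ok, err)
	ok, err = Login(srv, []byte("some other master key"))
	fmt.Println("login with a different master key:", ok, err)

	// The same master key at a different site yields an unrelated identity.
	other, _ := SiteKey(master, "shop.example")
	fmt.Println("same public key at another site:", pub.Equal(other))
}
```

Re-deriving the key from the written-down master key is what makes recovery on a new device work: the test below checks that the same master key reproduces the same public key, that a different site gives a different one, and that an unregistered master key cannot log in.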

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #107 on: June 11, 2022, 03:10:08 pm »
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.

Unfortunately multiple companies are going that direction. One payment card vendor just started something like "pay with your smile". So POS terminals get a webcam too.
« Last Edit: June 11, 2022, 06:07:15 pm by madires »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #108 on: June 11, 2022, 03:16:16 pm »
And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
Nothing is ever going to be perfect. But moving from something that has proven itself to be bad in practice, to something that has proven itself to be better in practice makes sense.

I fully agree. However, so far any other solution comes with new/other problems. A lot of tradeoffs, but nothing really better.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #109 on: June 11, 2022, 03:21:44 pm »
It makes no difference to the user whether the FIDO standard requires biometric authentication, or the server using FIDO elects to require it.  In either case his biometric data is now part of the login process, even if only on his phone, and potentially subject to compromise.
Well, it does offer the possibility of choosing an alternative product/service, at least.

But on a different subject, Steve Gibson (Spinrite) spent several years developing a password alternative called SQRL (Secure Quick Reliable Login) which uses a method similar to FIDO2, but is simpler, and offers the user the option of printing out as text or QR code his master key.  Each user has only one master key, not one for each site.  The elliptic curve private key for a site is a hash of the master key and the site's name, modified slightly to make the hash a valid private key.  Since it can be calculated on each visit to the site, there is no need to save each one.  Then the public key is calculated from the private key, and given to the website.  At login, the usual cryptographic exchange takes place, which verifies that the person logging in has the private key, but without revealing the private key.

There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.
Amusingly, I was just reading about Spinrite, and how it seems pretty much settled that there is no way Spinrite can work on modern storage devices. The fact Gibson still sells it and still makes the same grandiose claims about it makes me extremely skeptical of his integrity.

My understanding of FIDO2 is that a separate random key pair is generated for each site, which means that a user may have hundreds of them.  And FIDO2 does not allow the user to know them or to make a copy of them.  That means that Apple, if it chooses, can limit transfer of the keys only to other Apple devices, which would make it impossible to switch to an Android phone.  Do we know yet what the major players' intentions are in this regard?  Are we going to have FIDO2 silos?
Good question.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #110 on: June 11, 2022, 03:24:47 pm »
Just a reminder, for the hundredth time, that the standard in question does NOT mandate biometric authentication.

Unfortunately multiple companies are going that direction. One payment card vendor just started something like "pay with your smile". So POS terminals get a webcam too.
But… why?

And you can't fix stupidity by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
Nothing is ever going to be perfect. But moving from something that has proven itself to be bad in practice, to something that has proven itself to be better in practice makes sense.

I fully agree. However, so far any other solution comes with new/other problems. A lot of tradeoffs, but nothing really better.
Well that remains to be seen. I think most of the people dismissing the new systems (and fawning over passwords) don’t actually know what they’re talking about. I’m not a cryptography or security researcher, so I defer to those who are. My feelings aren’t equivalent to their experience and expertise — a sentiment I wish more people would embrace.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #111 on: June 11, 2022, 06:10:49 pm »
Unfortunately multiple companies are going that direction. One payment card vendor just started something like "pay with your smile". So POS terminals get a webcam too.
But… why?
Because someone at that company thinks it's a good idea?
 

Offline BradC

  • Super Contributor
  • ***
  • Posts: 2106
  • Country: au
Re: People should drop passwords altogether
« Reply #112 on: June 12, 2022, 02:18:22 am »
Amusingly, I was just reading about Spinrite, and how it seems pretty much settled that there is no way Spinrite can work on modern storage devices. The fact Gibson still sells it and still makes the same grandiose claims about it makes me extremely skeptical of his integrity.

It does do one thing that nothing else does, which is the thing he calls "Dynastat". Repeated reads to the device where it returns the read data whether it's correct or not. It does this thousands of times and builds a statistical picture of each bit in the sector (ie, is that bit likely to be a 1 or 0 based on what it returned over the last 1000 reads).

This is becoming increasingly less useful as drive technology improves, and if you look at it with a critical eye you'll see it's guessing the contents of the sector and then writing it back, calling it recovered.

In practice on smaller drives it does a reasonable job, particularly when you have a 4k sector size of which one 512 byte chunk is flaky. It can make the difference between "The word document is complete garbage vs only slightly corrupted".

I bought it many, many years ago. Would I buy it now? Probably not.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #113 on: June 12, 2022, 10:17:31 am »
Amusingly, I was just reading about Spinrite, and how it seems pretty much settled that there is no way Spinrite can work on modern storage devices. The fact Gibson still sells it and still makes the same grandiose claims about it makes me extremely skeptical of his integrity.

It does do one thing that nothing else does, which is the thing he calls "Dynastat". Repeated reads to the device where it returns the read data whether it's correct or not. It does this thousands of times and builds a statistical picture of each bit in the sector (ie, is that bit likely to be a 1 or 0 based on what it returned over the last 1000 reads).

I don't think that feature is unique to Spinrite. It's a logical thing to do for old HDD technology, and I wouldn't be surprised if data recovery companies had that feature in their homegrown tools for a long time too.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: us
Re: People should drop passwords altogether
« Reply #114 on: June 12, 2022, 01:39:06 pm »
I don't think it guesses at anything.  It keeps trying until it gets a result where all the error correction works, so the read is valid.  If it can't ever get that, it reports the sector as unrecoverable.

In any case, it's currently under a complete rewrite to deal with today's huge drives in a more reasonable time.  The new version will be free to current owners of version 6.

Anyway, back on topic, I still wonder how someone's FIDO2 key pairs will be transferred between devices made by different manufacturers.   Is there anything in the FIDO2 documents addressing that?
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #115 on: June 12, 2022, 02:37:19 pm »
Authentication implementers can, if they wish, choose methods that do require biometrics, which then leaves users a choice on whether to use such a service or not.
Yes, that's the point, the service/platform gets to decide what is/isn't acceptable for their users. FIDO is a method by which they can start requiring biometrics. The standard itself does not mandate biometrics on any/all systems, but has mechanisms for biometrics to be mandated in implementations.

using FIDO* as a login method does not mandate biometric authentication
using FIDO* as a login method does not prevent mandate of biometric authentication

The user may not have a choice to go somewhere else when that platform/service is a government service.

What factors an authentication provider requires to use the service has very little bearing on the technology used in the authentication service.  Commingling biometrics where they aren't required is just more FUD.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #116 on: June 12, 2022, 07:47:22 pm »
Amusingly, I was just reading about Spinrite, and how it seems pretty much settled that there is no way Spinrite can work on modern storage devices. The fact Gibson still sells it and still makes the same grandiose claims about it makes me extremely skeptical of his integrity.

It does do one thing that nothing else does, which is the thing he calls "Dynastat". Repeated reads to the device where it returns the read data whether it's correct or not. It does this thousands of times and builds a statistical picture of each bit in the sector (ie, is that bit likely to be a 1 or 0 based on what it returned over the last 1000 reads).

This is becoming increasingly less useful as drive technology improves, and if you look at it with a critical eye you'll see it's guessing the contents of the sector and then writing it back, calling it recovered.

In practice on smaller drives it does a reasonable job, particularly when you have a 4k sector size of which one 512 byte chunk is flaky. It can make the difference between "The word document is complete garbage vs only slightly corrupted".

I bought it many, many years ago. Would I buy it now? Probably not.
Yes, that’s the “feature” that chews up hard drives that are already failing. Much better to attempt to copy everything to another drive first, THEN go back and try and re-read. (That’s what real recovery software does.)

Bear in mind that people more knowledgeable than me concluded ages ago that this function can’t do what it says because drives don’t even have an ATA command to output the raw data. The drives already (automatically) perform heroic measures to recover data, more than SpinRite could ever do.

So if others don’t actually do this, it’s because it’s a) not possible, and b) pretending to do it endangers data by thrashing an already-failing drive.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #117 on: June 13, 2022, 12:05:16 am »
Anyway, back on topic, I still wonder how someone's FIDO2 key pairs will be transferred between devices made by different manufacturers.   Is there anything in the FIDO2 documents addressing that?
The approach I would be taking is to always register multiple clients against any service/provider. Lose/destroy/revoke a specific device? you've got another ready to go, immediately setting up the new primary client to always retain at least 2 sets of keys for any service.

Platforms/services really hate this with a passion, they want you to have a single client (for their misguided reasons) which we already see with RFC 6238 authentication implementations.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #118 on: June 13, 2022, 12:12:37 am »
Authentication implementers can, if they wish, choose methods that do require biometrics, which then leaves users a choice on whether to use such a service or not.
Yes, that's the point, the service/platform gets to decide what is/isn't acceptable for their users. FIDO is a method by which they can start requiring biometrics. The standard itself does not mandate biometrics on any/all systems, but has mechanisms for biometrics to be mandated in implementations.

using FIDO* as a login method does not mandate biometric authentication
using FIDO* as a login method does not prevent mandate of biometric authentication

The user may not have a choice to go somewhere else when that platform/service is a government service.
What factors an authentication provider requires to use the service has very little bearing on the technology used in the authentication service.  Commingling biometrics where they aren't required is just more FUD.
It isn't FUD, when the new incoming standard requires biometrics (to meet certain "levels"). And those biometric enabled devices will be widely deployed; it's pretty certain all sorts of providers will jump on the bandwagon and require unnecessarily "secure" authentication just because it's zero/no cost to them. We have already seen this with mandated 2FA for students, oh you want to go to school? you must have a XXX or XXX brand mobile device with OS XX.X or newer and XXX biometric features, coming soon!
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: us
Re: People should drop passwords altogether
« Reply #119 on: June 13, 2022, 04:37:48 am »
Anyway, back on topic, I still wonder how someone's FIDO2 key pairs will be transferred between devices made by different manufacturers.   Is there anything in the FIDO2 documents addressing that?
The approach I would be taking is to always register multiple clients against any service/provider. Lose/destroy/revoke a specific device? you've got another ready to go, immediately setting up the new primary client to always retain at least 2 sets of keys for any service.

Platforms/services really hate this with a passion, they want you to have a single client (for their misguided reasons) which we already see with RFC 6238 authentication implementations.

I don't think multiple personalities is a good option.  In the first place, it might work for lose/destroy/revoke, but what about adding a device?  Also, if the site is a forum like this one, I  want to have only one identity.  As I understand it, if you have multiple key pairs set up on a site, you have multiple identities there.

Well, there needs to be a uniform protocol to export and import your FIDO2 stuff to/from a different device.  I just haven't seen that yet, and will be reluctant to use FIDO2 without it.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #120 on: June 13, 2022, 07:04:27 am »
they [platforms] want you to have a single client (for their misguided reasons) which we already see with RFC 6238 authentication implementations.
As I understand it, if you have multiple key pairs set up on a site, you have multiple identities there.
But that is purely a platform choice. Some places happily let you (once confirming your identity with client A) register/enrol device/client B to the same identity on the platform. But there is this push from other platforms that you may only have one secret key to use and you may never transfer/back it up (because SecURIty HoLEs !!$$@). It's that bit which is so infuriating, given that losing access to a key is something that will happen.

I lost a captive/hidden RFC 6238 key and had to abandon the identity associated with it, starting from scratch to build up a new trust and new identity (basic government services access) so it's a real problem that just gets shrugged off as part of necessary "security".
 
The following users thanked this post: tooki

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: us
Re: People should drop passwords altogether
« Reply #121 on: June 13, 2022, 02:19:29 pm »
Well it will be interesting to see what they end up doing.  But somehow I am not optimistic that they will pass up the opportunity to build silos.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11501
  • Country: ch
Re: People should drop passwords altogether
« Reply #122 on: June 14, 2022, 09:36:04 am »
For what it’s worth, it appears Apple’s upcoming implementation will sync the saved keys using iCloud Keychain, just as they do now for saved passwords. (FYI, the key syncing happens peer-to-peer between a user’s devices. More recently, they added a keychain recovery function, which obviously necessitates it being stored on a server. I haven’t had a chance to look into exactly how it works.) Since Apple already offers iCloud for Windows, and it supports the password manager functionality via a browser plug-in, I don’t think there’s any evidence that Apple would actively try and silo users now.
« Last Edit: June 14, 2022, 09:38:57 am by tooki »
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #123 on: June 14, 2022, 10:27:05 am »
The FIDO Alliance announced in May their plans, supported by Apple, Google and MS, to allow users to use credentials on multiple devices without having to re-enrol.  Not entirely certain this fixes the issue if your "primary" device (phone, key etc.) is lost/stolen.

  • Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
  • Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
 
The following users thanked this post: tooki

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: People should drop passwords altogether
« Reply #124 on: June 18, 2022, 04:20:16 am »
 :palm:

iratus parum formica
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6721
  • Country: nl
Re: People should drop passwords altogether
« Reply #125 on: June 18, 2022, 06:23:28 am »
There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.

I wonder if it would be possible to fake a FIDO2 device, but generate the keys with SQRL. Obviously wouldn't work when attestation is required, but I don't think most websites require that.
« Last Edit: June 18, 2022, 06:25:16 am by Marco »
 
The following users thanked this post: Someone

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4531
  • Country: au
    • send complaints here
Re: People should drop passwords altogether
« Reply #126 on: June 18, 2022, 07:24:35 am »
Quote
There is no third party backup of the master key, and no third party involvement in the login.  Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward.  Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.
I wonder if it would be possible to fake a FIDO2 device, but generate the keys with SQRL. Obviously wouldn't work when attestation is required, but I don't think most websites require that.
That's part of the problem, FIDO has information from the device/client/authenticator to verify that it has a valid (model specific) certificate, a certificate that can be revoked if the FIDO organisation doesn't feel that it is meeting their requirements. If they say you can't have the user transferring certain types of keys, then anything letting the user transfer those keys could be revoked.

This discussion ends up rather convoluted and difficult as there are different type/functional "keys" within the proposed systems. So while there are cute projects to help users take control of keys:
https://dicekeys.com/
other keys are not for users to see/backup/transfer.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: us
Re: People should drop passwords altogether
« Reply #127 on: June 18, 2022, 03:22:00 pm »
My understanding is that FIDO2 generates a random private key for each site.  But if it's the client that generates the keys, then in theory you could just as easily use the key generated by SQRL.  The server would have no way of knowing the difference.  In fact, I believe FIDO2 uses, or optionally can use, the same elliptic curve that SQRL uses.  But as Someone says, FIDO2 may have ways to prevent that.
 
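The per-site key derivation that Marco's quoted SQRL description and Peabody's reply above turn on, as an added example that is not part of any post in this thread and is not SQRL's or FIDO's own code: a single master secret (the thing the user writes down) is stretched with HMAC-SHA256 over the site domain into a deterministic Ed25519 seed, so each site enrols an unrelated public key, the relying party verifies a signed nonce against nothing but that public key, and a replacement device holding only the master secret rebuilds the same identity. The `example.org`/`example.net` domains and the constructed master key are placeholders; the real SQRL scheme adds further layers (identity unlock keys, rescue code) that this sketch omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DeriveSiteKey derives a deterministic per-site Ed25519 key pair from the
// user's master key: seed = HMAC-SHA256(masterKey, siteDomain).  Every site
// therefore sees a public key unlinkable to the others, and the whole set of
// identities can be regenerated from the one master secret the user backs up.
func DeriveSiteKey(masterKey []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(site))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignChallenge answers the relying party's nonce with the site-specific key.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifyLogin is the relying party's side: it stores only the public key
// enrolled for this user and checks the signed nonce against it, which is why
// the server cannot tell how the client produced the key pair.
func VerifyLogin(enrolled ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(enrolled, nonce, sig)
}

func main() {
	master := make([]byte, 32) // constructed: stands in for the written-down master secret
	rand.Read(master)
	pubA, privA := DeriveSiteKey(master, "example.org")
	nonce := make([]byte, 32) // constructed: the server's fresh login challenge
	rand.Read(nonce)
	fmt.Println("login ok:", VerifyLogin(pubA, nonce, SignChallenge(privA, nonce)))
	// Recovery: a new device holding only the master secret reproduces pubA.
	pubA2, _ := DeriveSiteKey(master, "example.org")
	fmt.Println("recovered same identity:", pubA.Equal(pubA2))
	// A different domain yields an unrelated public key.
	pubB, _ := DeriveSiteKey(master, "example.net")
	fmt.Println("unlinkable across sites:", !pubA.Equal(pubB), hex.EncodeToString(pubB[:4]))
}
```

Losing the master secret without a backup loses every derived identity at once, which is the failure mode the earlier posts about non-transferable keys describe.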

