
posted by Fnord666 on Thursday September 26 2019, @08:59AM
from the woof-woof dept.

Submitted via IRC for SoyCow1337

FIDO2: The Dream Of Password-Free Authentication On The WWW

Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is at the top of most people's lists. From dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like Github, a large part of our day is spent dealing with passwords.

While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.

The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.


Original Submission

  • (Score: 3, Interesting) by bradley13 on Thursday September 26 2019, @11:08AM (9 children)

    by bradley13 (3053) on Thursday September 26 2019, @11:08AM (#899048)

    For anyone who's not familiar, FIDO2 would be authorization with a hardware token, instead of a password. For those who think passwords are the best solution, let me just ask: how do you get into your house? You could install a pin-pad next to the door, and use a password. However, most people carry a physical key. That's exactly the difference.

    This solves the problem of weak passwords, of passwords on post-it notes, etc. Of course, it does introduce the new risk of someone stealing your key. In that sense, for important sites like banking, TFA will remain important. And for those of us who are paranoid, well, maybe we stick with passwords. But for Joe Sixpack, the FIDO2 solution is almost certainly the better alternative.

    --
    Everyone is somebody else's weirdo.
  • (Score: 3, Insightful) by Anonymous Coward on Thursday September 26 2019, @12:26PM

    by Anonymous Coward on Thursday September 26 2019, @12:26PM (#899064)

    Let's have a car analogy to continue your house one: do you use one single key for everything in your life, from your car through your post box to your home and your suitcase? Do you have one single lock on your house, and one single key for it without any reserve ones?

    Creating one single point of total life failure for yourself, is quite an "alternative".

  • (Score: 0) by Anonymous Coward on Thursday September 26 2019, @12:27PM (1 child)

    by Anonymous Coward on Thursday September 26 2019, @12:27PM (#899065)

    Except that the likelihood of having my door key stolen is very low (people who know where I live won't rob me, people who will break into my house don't need my key), and if my key breaks or I lose it, it's fairly easy and quick to change the locks before anything happens.
    Quite the opposite of a hardware token for remote services...

    • (Score: 2) by HiThere on Thursday September 26 2019, @07:47PM

      by HiThere (866) on Thursday September 26 2019, @07:47PM (#899278)

      My sister lost her house key 3 times in the last couple of years. Well, she had backups, and could make new ones, but once she had to call me and check that I still had a copy.

      Now if your on-line key can be duplicated, and you drop it and someone else picks it up, you'd just better hope that they've no way to find out whose life it goes to. And if it can't be duplicated, you're in a bunch of trouble. (I recently spent a couple of months convincing my bank that I'd moved, and I *HAD* the "keys". I think they were hoping I'd lose track of the account.)

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 1) by Afty on Thursday September 26 2019, @12:38PM

    by Afty (8588) on Thursday September 26 2019, @12:38PM (#899067)

    > For those who think passwords are the best solution, let me just ask: how do you get into your house? You could install a pin-pad next to the door, and use a password.

    Nice analogy. Tangentially related...

    I lived in a house with one of these for a year and it was amazing. Really really useful, no need to remember a physical key (or avoid losing it on a bad day), can't lock yourself out, can set up temporary and one-use codes for friends, family or deliveries to use so people can use the house without you having to wait around for hours, or in an emergency.

  • (Score: 2, Interesting) by Anonymous Coward on Thursday September 26 2019, @12:49PM (2 children)

    by Anonymous Coward on Thursday September 26 2019, @12:49PM (#899070)

    so what's to stop anyone from copying the data on the key and then duplicating it?
    if they can get in to take naked pictures of you using your own webcam, they will be able to read the stupid key as well.

    • (Score: 3, Insightful) by Mer on Thursday September 26 2019, @02:53PM (1 child)

      by Mer (8009) on Thursday September 26 2019, @02:53PM (#899124)

      +1
      You can call it a hardware token all you want, it's still data and it's still a password.
      The key to your house isn't secure because it's a physical key and hard to replace with lock picking, it's secure because the lock is at your home and one needs to be there to rob your house, also because to use your key you're always at the lock instead of mailing it somewhere else.

      --
      Shut up!, he explained.
      • (Score: 0) by Anonymous Coward on Friday September 27 2019, @06:02AM

        by Anonymous Coward on Friday September 27 2019, @06:02AM (#899458)

        The lock and key to my house aren't secure at all.

        I've done locksport for years, as well as having trained as a professional locksmith. And what I've learned is that physical locks are inherently shit because of the needed mechanical tolerances to operate.

        Those that don't provide feedback, such as the ratcheting lever lock on the Bell fortress phone, are statistically secure, but also deliberately fail locked if anyone tries to pick one imperfectly.

        Back to where this started: I carry around lockpicks every single day. Have for over a decade, and I've used them many many times to open or close various locks when keys were broken or unavailable. It doesn't slow someone down nearly as much as you might believe. It's not Hollywood, but it isn't exactly slow either. 30 seconds to a minute tops usually.

  • (Score: 4, Insightful) by Freeman on Thursday September 26 2019, @02:43PM

    by Freeman (732) on Thursday September 26 2019, @02:43PM (#899119)

    Yeah, but how much more difficult would it be to regain access to your account when a hardware token is removed from your possession? Or heaven forbid, you misplace your hardware key? There are locksmiths for a reason. What's more, you can just crawl in the window to regain access to your own house. Comparing hardware tokens for virtual things vs real things is a bit of a stretch.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by JoeMerchant on Thursday September 26 2019, @06:25PM

    by JoeMerchant (3937) on Thursday September 26 2019, @06:25PM (#899253)

    I'd like to strongly disagree with:

    identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.

    Anyone ever try to use a fingerprint scanner with wet, or dirty fingers? Maybe some paint or glue on the prints?

    Although most Hollywood depictions of fingerprint, retina print, and other copying of biometrics are fantastically exaggerated as to their ease of execution, the simple scenario where your hand is severed at the wrist with a machete should work well enough for most fingerprint scanners.

    As for: cannot ever be stolen - tokens, those are physical items which absolutely can be stolen, copied, etc. - without even using the $5 wrench attack.

    The reason I don't use a pin pad on the house is, mostly, that requires doors that fit well in their frames, something the electronic locks don't deal with very well, but the old mechanical ones handle fine.

    --
    🌻🌻 [google.com]