
SoylentNews is people

posted by Fnord666 on Thursday September 26 2019, @08:59AM
from the woof-woof dept.

Submitted via IRC for SoyCow1337

FIDO2: The Dream Of Password-Free Authentication On The WWW

Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is at the top of most people’s lists. With dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like GitHub, a large part of our day is spent dealing with passwords.

While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.

The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.


  • (Score: 2) by meustrus on Thursday September 26 2019, @06:55PM

    by meustrus (4961) on Thursday September 26 2019, @06:55PM (#899260)

    I never mentioned "security companies". But since you did...

    The big problem with Security as a Service is verification. If you know so little about security that you want to outsource it to someone else that does, how are you supposed to verify the service you receive?

    For that matter, how does one verify that security software ever works? No one can personally audit the entire Linux security ecosystem.

    Which is why companies tend to think of security in terms of liability. They would love to pay someone for the privilege of forwarding to them all legal liability in the event of a breach.

    Which means that most large-scale security is probabilistic. Again: question your basic assumptions.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?