A consortium of companies, including the big hitters Google, Apple and Microsoft, is making another attempt to kill off the password. This time it's through a system known as Passkeys.
Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.
Ars Review Editor Ron Amadeo summed things up well last week when he wrote: "Passkeys just trade WebAuthn cryptographic keys with the website directly. There's no need for a human to tell a password manager to generate, store, and recall a secret—that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."
Given the nature of having the OS manage your credentials with other sites (without ever actually sending your biometric data, PIN or similar data), it becomes possible to share the same credentials across all logged in devices (think, iPhone, iPad, Mac all serviced by iCloud). Phishing sites would no longer be able to steal and re-use credentials.
It certainly sounds promising, though obviously a great deal of trust is given to the OS. What are other Soylentils' thoughts?
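The exchange the summary describes (the device holds a private key, the site stores only the public key, and a phishing site cannot reuse what it sees) is easier to reason about in code. The following is an added example and not code from the summary, the Ars article or the FIDO Alliance: the `Authenticator` and `RelyingParty` types are hypothetical stand-ins for a passkey store and a web server, Ed25519 is used for brevity where real WebAuthn deployments commonly use ES256, and the names `example.com`, `examp1e.com` and `alice` are constructed. Authenticator data, signature counters, user verification and attestation are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's collected client data; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator models the device-side passkey store (hypothetical type): one key pair per relying-party ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
// Register mints a key pair scoped to rpID and returns only the public half; the private key never leaves.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}
// Assert signs sha256(clientDataJSON) with the key scoped to rpID; a domain never registered has no key.
func (a *Authenticator) Assert(rpID, origin, challenge string) ([]byte, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no passkey for relying party " + rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for string fields
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:]), nil
}
// RelyingParty is the server (hypothetical type): one public key and one outstanding challenge per user.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]string
}
// Challenge issues a fresh 32-byte nonce so a captured assertion cannot be replayed.
func (rp *RelyingParty) Challenge(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	rp.challenges[user] = fmt.Sprintf("%x", b)
	return rp.challenges[user], nil
}
// Verify accepts an assertion only if the origin is ours, the challenge is unused, and the signature checks.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	var parsed clientData
	if !ok || json.Unmarshal(cd, &parsed) != nil || parsed.Origin != rp.Origin {
		return errors.New("unknown user, malformed client data, or origin mismatch")
	}
	if want, ok := rp.challenges[user]; !ok || want != parsed.Challenge {
		return errors.New("challenge mismatch or replay")
	}
	delete(rp.challenges, user) // each challenge is single use
	h := sha256.Sum256(cd)
	if !ed25519.Verify(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs enrolment, a genuine login, a look-alike-domain attempt and a replay,
// reporting whether each behaved as a passkey deployment should.
func Demo() (legitOK, lookalikeRejected, replayRejected bool, err error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", // constructed names
		pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
	if rp.pubKeys["alice"], err = auth.Register(rp.ID); err != nil {
		return
	}
	c, err := rp.Challenge("alice")
	if err != nil {
		return
	}
	cd, sig, err := auth.Assert(rp.ID, rp.Origin, c)
	if err != nil {
		return
	}
	legitOK = rp.Verify("alice", cd, sig) == nil
	_, _, e := auth.Assert("examp1e.com", "https://examp1e.com", c) // look-alike: no key scoped to it
	lookalikeRejected = e != nil
	replayRejected = rp.Verify("alice", cd, sig) != nil // challenge already consumed
	return
}

func main() { fmt.Println(Demo()) }
```

The two defensive properties the summary relies on are visible here: the authenticator only ever signs for the relying-party ID the browser derives from the real origin, so a look-alike domain has no key to ask for, and the server checks the origin inside the signed client data, so even a relayed assertion from the wrong site is refused. The single-use challenge is what stops a captured assertion from being replayed.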
(Score: 4, Insightful) by MIRV888 on Thursday October 27 2022, @01:52PM (24 children)
There's a bunch of dystopian fiction centered around citizens being constantly monitored by some entity.
We are pretty much there. This will just package it more neatly.
I'm going to listen to some Rockwell.
(Score: 3, Touché) by EvilSS on Thursday October 27 2022, @02:11PM (21 children)
(Score: 5, Interesting) by PiMuNu on Thursday October 27 2022, @02:30PM (16 children)
As far as I understand the difference is that they can now map username to a physical hardware token + user pin. So they can now map your username to physical hardware which they could not do in the past (well not through login anyway).
Not saying that is inherently evil, but it does give them greater potential for evil.
Now, if one could generate a mock-up of a hardware token (for example using a VM), then we get back to the current situation, where we can anonymise by use of a "burner" VM...
(Score: 0) by Anonymous Coward on Thursday October 27 2022, @02:47PM
Is it better or worse than the spyware disguised as a web based IRC chat program Microsoft has deployed across the world?
(Score: 4, Informative) by EvilSS on Thursday October 27 2022, @03:39PM (13 children)
(Score: 3, Insightful) by c0lo on Thursday October 27 2022, @04:10PM (8 children)
If all they are trusting is something I have, once I've lost it or it's been stolen, I'm no longer me in their eyes, right?
Reminder on ways to auth:
- something that I know - password
- something that I am - biometrics
- something that I have - hardware gizmo
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Touché) by canopic jug on Thursday October 27 2022, @04:24PM (3 children)
Or more practically:
- something you knew
- something you were
- something you used to have
Money is not free speech. Elections should not be auctions.
(Score: 2) by DannyB on Thursday October 27 2022, @07:02PM (2 children)
How about a device affixed to your right hand or your forehead?
Every time you swipe it, it could get a wireless battery charge boost.
It could display animated ads -- especially on your forehead.
Kids will compete, even fight, to determine who gets to have the most favored brands advertised on their foreheads.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 5, Funny) by Gaaark on Thursday October 27 2022, @08:32PM (1 child)
I can see it now:
TROJAN CONDOMS: SOMETHING YOUR DAD SHOULD HAVE USED!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by DannyB on Monday November 14 2022, @03:01PM
That advertisement would be better suited to appearing on a gigantic matrix of LEDs which are a low earth orbit advertising billboard. The astronomers won't complain. I don't think they will. Or not much.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by EvilSS on Thursday October 27 2022, @04:52PM (3 children)
(Score: 3, Interesting) by RS3 on Thursday October 27 2022, @05:48PM (2 children)
Thanks for your explanations. Idiocy (human error) aside, how about: 1) hardware breaks (things do break) or gets damaged? 2) I need to authenticate from several different locations and pieces of hardware?
(Score: 3, Informative) by EvilSS on Friday October 28 2022, @02:30AM (1 child)
(Score: 3, Informative) by EvilSS on Friday October 28 2022, @02:35AM
(Score: 2) by PiMuNu on Thursday October 27 2022, @05:31PM
My mistake. I misunderstood the article. Thanks for the correction.
(Score: 2) by MIRV888 on Friday October 28 2022, @12:42AM (2 children)
'(if you didn't re-use other info like username/email)'
Which no one does ever.
A separate email / user name for every site wanting to authenticate would be impractical,
(Score: 0) by Anonymous Coward on Friday October 28 2022, @01:22AM
Usernames are not that hard. I don't have one email per site but I use several and keep identities in clusters that would not cause problems if they were found to be the same person. If you need to log in periodically to keep the email accounts from being deleted, that can be a problem for dealing with mandatory account recovery following the site having a hack or error. If you don't care about account recovery, there's no problem. Proton recently announced a policy of deleting inactive free email accounts but I was able to get into one of them without any trouble.
(Score: 2) by EvilSS on Friday October 28 2022, @02:37AM
(Score: 2) by Gaaark on Thursday October 27 2022, @08:30PM
Which we all know WILL happen if it CAN happen.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by Opportunist on Thursday October 27 2022, @03:45PM (3 children)
...for now.
How long 'til you can't anymore because everyone has a fingerprint scanner?
And before you say "that won't ever happen, why would people buy one?", the same has been said 25 years ago about systems requiring online registration because you can't sensibly expect people to have an internet connection just because they want to have a computer or a cellphone, let alone require them to be connected to the internet 24/7.
(Score: 2) by EvilSS on Thursday October 27 2022, @04:04PM
(Score: 2) by DannyB on Thursday October 27 2022, @06:56PM (1 child)
There are probably some people who do not have fingers. Or maybe just not usable fingerprints.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by Opportunist on Friday October 28 2022, @06:09AM
Who gives a fuck about a market share of 0.000001% if I can make big bucks on the rest?
Same as we had with the always-online bullshit. Yeah, we leave a bunch of people behind, but who gives a fuck about the data of someone who can't even afford a 10 bucks a month internet link? Cut the slack and move on.
(Score: 4, Interesting) by Sjolfr on Thursday October 27 2022, @02:59PM (1 child)
That entirely depends on who controls your tokens. Those of us in the UNIX world have been doing this for years. SSH authentication and managing ssh keys.
If I control my passkeys (or multiples of them) then I have control over my identities and where they exist.
If M$ or anyone else manages them for me then I have no control and my digital fingerprint can exist everywhere. The controlling entity can even distribute my identity to places that I have not been.
Passwords have been antiquated for at least a decade but these tokens/keys/passkeys/credentials are tracked just like passwords so there's nothing that would be changing in the world of "track everyone all the time".
If you have a password on a system then you have a login and have a tracking footprint.
If you have a passkey on a system then you have a login and have a tracking footprint.
(Score: 3, Insightful) by Runaway1956 on Thursday October 27 2022, @03:06PM
There's no difference between a gate keeper, and a key keeper. MS, Google, and Apple want to be the gatekeepers.
Like you, I'll hold my own keys, thanks.
(Score: 2) by Sjolfr on Thursday October 27 2022, @03:01PM (14 children)
This is OpenSSL type stuff. M$ needs to stop trying to reinvent the wheel. Besides, M$ usually fucks up the tech as they reinvent.
As long as I control my identity, how it's used, how it's defined, where it is, and where it can be then I'm all for getting rid of passwords. SSH keys have been around for decades.
(Score: 5, Insightful) by canopic jug on Thursday October 27 2022, @03:15PM (8 children)
> This is OpenSSL type stuff. M$ needs to stop trying to reinvent the wheel. Besides, M$ ~~usually~~ always fucks up the tech as they reinvent.
There, fixed that for you.
M$ has renamed technologies for decades. That prevents its victims, the poseurs pretending to be technology specialists, from finding out what the standard name is, that there even is a standard, and that there are better alternative products out there. It's part of the m$ isolation tactic [howstuffworks.com] which it does just like in any other cult by preventing microsofters from communicating with actual IT staff (should there be any remaining). Obscuring the proper names becomes a crucial step in m$ gaining near total control over the information the victim can access. Without knowing the real terms the victims are cut off from the real world and get a distorted sense of reality or even wander off into a partially or wholly false set of fantasies. One of the myths then peddled to the isolated victim is that m$ was first out with that technology or even that class of technology. Then with their base in reality pulled from under them, they turn to m$ to seek answers and technologies. Read some of the debriefings people have written about interviewing there to get an idea of the total devotion m$ demands of its hires. That extends to the victims out there posing as technology specialists.
Money is not free speech. Elections should not be auctions.
(Score: 4, Funny) by Sjolfr on Thursday October 27 2022, @03:34PM (7 children)
OK ... now you've done it. Challenge accepted. What tech, that M$ has copied/stolen/renamed, was not screwed up by M$?
hmmm ... this may take a while. Well, maybe the mouse; M$ copied the mouse from Xerox back in the day. Apple screwed that one up, but not for everyone.
(Score: 2) by kazzie on Thursday October 27 2022, @05:28PM (5 children)
Microsoft managed to screw up their "MS Ergonomic Mouse": by moulding it to the shape of the right hand, they made it thoroughly unusable for left-hand users.
(Score: 0) by Anonymous Coward on Thursday October 27 2022, @05:56PM (2 children)
Lefties, AKA "Devil's Paw", are inherently evil. M$ was just trying to breed them out of the gene pool. ;-}
(Score: 4, Funny) by kazzie on Thursday October 27 2022, @07:25PM
There's nothing sinister about us lefties, honest!
(Score: 3, Touché) by Mykl on Thursday October 27 2022, @10:25PM
It's cute that you think that making it easier/more comfortable to spend more time on your computer will improve your chances of having sex ;-)
(Score: 2) by Freeman on Thursday October 27 2022, @07:12PM (1 child)
They consistently got it right for greater than 50% of the population, though. Better than a stopped clock that's only right once a day.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Funny) by kazzie on Thursday October 27 2022, @07:23PM
[Well] over 50% of the population runs Windows on their PCs too. Not sure if they're all in the right, though. >:)
(Score: 4, Interesting) by jb on Friday October 28 2022, @01:56AM
No, even that was screwed up by Microsoft.
Proper mice had 3 buttons (select, menu and adjust). Microsoft reduced that to two, pretending that users could somehow do without an adjust button.
Yes it's true that Apple made the mouse even worse by dropping the menu button as well, but that does not absolve Microsoft of its role in the race to the bottom.
(Score: 2) by Rosco P. Coltrane on Thursday October 27 2022, @03:41PM (4 children)
That's not fair: Microsoft singlehandedly created the entire antivirus industry!
(Score: 3, Interesting) by canopic jug on Thursday October 27 2022, @04:04PM
It's not just the anti-virus industry. M$ also effectively launched the whole ransomware market and made sure that it had the conditions set to grow from a faltering cottage industry to the behemoth money machine it is today. Due to m$'s colossal efforts, the ransomware industry has been benefiting from year-on-year triple-digit growth for quite a while. Supposedly each incident costs an average of just under $2 million to recover from, while the ransomware teams brought in around $20 billion last year alone.
So no, no consortium with M$ involved will benefit us and certainly won't be able to contribute in a positive way towards computer security. The idea of "killing off the password" is just another means to effect vendor lock-in and end general purpose computing. On the technical side, it probably means Apple and Google signing a giant deal with either Yubico or Duo. Likely the latter, because then it means that chumps have to buy an extra smartphone per role and both Apple and Google are in the business of selling smartphones. OnlyKey, NitroKey, and the others have no chance here, sadly, except through compatibility with the Yubikey. Personally, if forced to choose between Yubico or Duo, it'd be the former hands down. At least you can wash a Yubikey and it will still work. Same for if you drop it on cement or something. The same can't be said for smartphones. Furthermore, they are a lot less expensive to acquire and if we're going to have to walk around like janitors of yore with a large ring of tokens then that'd be an important factor.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Thursday October 27 2022, @05:59PM
So you're saying job creation is a bad thing? ;-}
(Score: 2) by jasassin on Thursday October 27 2022, @08:44PM (1 child)
Unless this person was working for Microsoft at the time... I don't believe you.
1. Mydoom – $38 billion
The worst computer virus outbreak in history, Mydoom caused estimated damage of $38 billion in 2004, but its inflation-adjusted cost is actually $52.2 billion. Also known as Novarg, this malware is technically a “worm,” spread by mass emailing. At one point, the Mydoom virus was responsible for 25% of all emails sent.
Mydoom scraped addresses from infected machines, then sent copies of itself to those addresses. It also roped those infected machines into a web of computers called a botnet that performed distributed denial of service (DDoS) attacks. These attacks were intended to shut down a target website or server.
Mydoom is still around today, generating 1% of all phishing emails. That’s no small feat considering the 3.4 billion phishing emails sent each day. By that figure, Mydoom has taken on a life of its own, infecting enough poorly-protected machines to send 1.2 billion copies of itself per year, 16 years after its creation.
Though a $250,000 reward was offered, the developer of this dangerous computer worm was never caught.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 3, Informative) by Thexalon on Friday October 28 2022, @12:33PM
I mean, before that, there was the incident of the Great Worm all the way back in 1988, which was written on and exploited Unix tools like sendmail and rsh.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by mcgrew on Thursday October 27 2022, @03:22PM (8 children)
The original IBM PC had a keyhole and a matching key to lock the computer. Of course, the closest thing to the internet then was ARPA and Compuserve.
I don't mind a password to pay a bill or log into S/N; the latter the browser remembers, and the former I have in text files I can copy and paste. But I have no use whatever for a password to get to the computer's desktop. I have none on the Linux computer (except for the root password) and curse Microsoft every time I have to type in a PIN to start Windows. My security comes from the physical locks on my house's doors; I live alone and have no need for a Windows password or PIN.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 3, Informative) by drussell on Thursday October 27 2022, @04:02PM (3 children)
What are you talking about?!
The original PC and the PC/XT didn't have key locks, that was introduced with the 6 MHz 80286-based PC/AT model in 1984.
The key lock disabled the keyboard (which would also stop the machine from booting due to a keyboard error if it wasn't already powered on, but could be locked and unlocked at will to lock out use of the keyboard while you're away from a running machine, for example) and physically locked the top part of the chassis from sliding forward to be able to remove the cover as a physical hardware tamper-resistance measure.
(Score: 2) by Rich on Thursday October 27 2022, @05:54PM (1 child)
In this context, the "Keyboard Error. Press F1 to continue." message almost makes sense. :)
(Score: 2) by Dr Spin on Friday October 28 2022, @08:53PM
But "User error - strike user to continue" is definitely a better solution to the problem!
Warning: Opening your mouth may invalidate your brain!
(Score: 2) by mcgrew on Friday October 28 2022, @01:14PM
You're correct, my memory was faulty. The key did indeed come later.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 3, Informative) by vux984 on Thursday October 27 2022, @04:31PM
" I live alone and have no need for a Windows password or PIN."
That's a bit of an unusual use case, and I don't object to microsoft pushing security. That's a good thing. But what you want is simple to do. Instead of cursing microsoft every time you boot up, why not just set it up the way you want?
The HTPC in my living room for steam/gog has no password when I boot up, running the latest version of Windows 11 pro, has a local account called "family", and no password or pin. If you are using a local account, you can literally just change it to "blank". It's not particularly hard to set up at all.
If you are using a microsoft account, it's slightly more convoluted but still not hard. (Although I'd suggest just adding a local account and using that instead for your day to day use.)
You probably should have a separate admin user account with credentials and/or keep a microsoft account around, because microsoft does disable some remote access/file sharing etc stuff on user accounts without passwords (so if you want to do WinRM, remote registry, RDP, access file shares on it, etc, etc it's simpler to just have an account on the system with credentials for that stuff) - but that's all pretty sane and sensible too IMO.
(Score: 2) by NotSanguine on Thursday October 27 2022, @06:02PM (2 children)
Tying in to your recent journal entry, rather than using a text file for such passwords, try using the 'pass' [linuxhint.com] utility instead (more info here [passwordstore.org]).
It's quite simple to use and stores your passwords as encrypted blobs, so prying eyes can't steal them, but can still be copy/pasted.
Just a suggestion, not telling you what to do.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by mcgrew on Friday October 28 2022, @01:29PM (1 child)
Thanks, but I prefer to keep passwords on a thumb drive; the air gap is still the best security.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by NotSanguine on Friday October 28 2022, @06:56PM
Absolutely reasonable. Then again, if someone else gets hold of your USB key, it might not be a bad idea to at least have the text files encrypted.
Pass won't help with that, but there are lots of tools that could.
Again, not telling you what to do. Glad your solution works for you.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by Rosco P. Coltrane on Thursday October 27 2022, @03:34PM (8 children)
Being a reasonable individual who chooses non-obvious passwords and doesn't reuse the same one over and over everywhere, I feel less safe with any form of authentication that lives outside my brain. If it's outside my brain, it's a second authentication factor, but certainly not the main one - and certainly not the only one.
The other problem is... Any solution proposed by Microsoft, Google or Apple is like a campaign promise from a politician: if you believe they propose something that genuinely benefits you and not themselves, you're criminally naive. I don't much trust anything any of those companies push when they go it alone, and I certainly don't trust anything they gang up together to push.
(Score: 2) by vux984 on Thursday October 27 2022, @04:15PM (3 children)
I used to do that. I use bitwarden now. I had a 'system', but between breaches and arbitrary forced password resets, the 'exceptions and modifications' to the system itself became too onerous to remember.
There are a few sites that require password changes every few months, and I only use them every few months -- so I don't even bother with a password, I just go through the password reset every time I need the site, change it to something random to get in and don't even bother saving it to bitwarden. And THIS is why I don't put much stock in most "solutions" -- the backdoor is wide open by comparison, in some cases ultimately falling back to security questions with answers people can find on social media.
I also agree that anything pushed by big tech is something to question. I don't think they necessarily are doing evil here, but allowing yourself to outsource your identity to a company is stupid. Especially under terms of use that you have zero control over, where customer support is "useless community forums", and where if your account is killed/disabled/banned/corrupted for any reason then you lose access to everything, everywhere, all at once.
(Score: 2) by RS3 on Thursday October 27 2022, @06:15PM (2 children)
Excellent points, but you bring up something I consider to be a huge problem: password resets. AFAIK, and all of my experiences with password resets: they email you a code that you use to change the password, right? What if my email is hacked into?
(Score: 2) by Mykl on Thursday October 27 2022, @10:32PM (1 child)
Then they sent an SMS with a code to your phone, which was stolen in order to hack into your email.
(Score: 2) by RS3 on Thursday October 27 2022, @11:06PM
Oh whew, I feel so much safer now! :)
But seriously, I don't use a phone for email or anything else that requires a login. Exception: job gave me a gmail address and required me to use it on phone, which pissed me off as I was never going to use gmail. But that's just work stuff, so if it gets hacked, oh well, nothing critical there.
(Score: 0) by Anonymous Coward on Thursday October 27 2022, @04:17PM (1 child)
Would you secure these silver bullets for me, please?
They are pretty valuable, a solution for everything, authentication included.
(Score: 2) by kazzie on Thursday October 27 2022, @05:31PM
Including authentication as a werewolf?
(Score: 3, Insightful) by Thexalon on Thursday October 27 2022, @05:43PM
It's not completely secure, of course, due to the $5 wrench problem [xkcd.com]. But it's definitely secure enough for most purposes, and a heck of a lot more secure than trusting any major corporation (a.k.a. "massive hacker target") with it.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Informative) by jasassin on Thursday October 27 2022, @08:33PM
[Insert garden hose reference.]
The only secure password is one you don't know.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 4, Informative) by bradley13 on Thursday October 27 2022, @07:26PM
I've read through some of the articles, and as near as I can make out, they basically want to take something very like a 2FA code generator, and use only the codes exclusively, instead of using the codes as a second factor. They consider this secure, because you still have to authenticate yourself to the device running the code-generator. Have I understood things correctly?
For Joe Sixpack, this may not be horrible. I mean, he was writing his passwords on sticky notes anyway, and probably never enabled 2FA to begin with. Of course, when Joe runs over his phone with his pickup, he's going to be mystified how to get access to all his favorite porn sites. Running over sticky notes is easier to recover from. Also, Joe probably doesn't lock his phone anyway, so anyone can get his passkeys.
For anyone else, this is a reduction from 2FA back to 1FA, only we're keeping the authentication code instead of the password. Worse, the intended authentication method for your devices is biometric, with all the problems that brings. For anyone who takes security seriously, this seems seriously bad, and one can only hope that opting out will remain an option.
Everyone is somebody else's weirdo.
(Score: 3, Informative) by jasassin on Thursday October 27 2022, @08:57PM
I read this article on ARS a few days ago. So I spent the last two days messing with these Passkeys.
Bleck. They don't work for me. I don't use Chrome, I use Edge. No logging into gmail with Edge and Passkeys. Safari doesn't work, you have to use Chrome on iOS... not happening.
Tried to set up 2FA on Gmail, and the second thing it says in the list while setting it up: Do not use a google voice phone number. Well, considering I'm using Google Voice over WiFi because I'm not paying $50 a month to the bullshit cell providers, there goes that 2FA option. Yeah sure I could use a Google Voice number, but it would be like making an extra house key and leaving it in your house after you lock the door. DUH!
Don't get me started on trying to use an iPhone Passkey on a Bluetooth enabled Windows machine. It doesn't fucking work!
Tried it on eBay. Sure works great on iPhone, but what if you want to login without your phone? You're fucked! To me, it's just a huge PITA and a great way to get locked out of an account if you lose your phone.
TL;DR I'll stick with passwords.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A