posted by janrinok on Monday October 07, @08:20PM
from the iatrogenic-cybersecurity dept.

A lot of security myths have acquired lives of their own and are now taken as facts. Dr. Andy Farnell, over at the Cyber Show's blog, has posted an item about where passwords can still fit as a part of general authentication, despite what fleets of salesmen selling authentication gimmicks tell us.

Security models: password or tracker?

Indeed people do not discriminate between two vastly different security models that should really be obvious with a moment's thought. The question is, "who is the security for?"

Security schemes that ask you to carry around a device which is connected permanently to a network and uses a mechanism that is entirely opaque to you are a different kind of security. It is more than mere access control. It is not security for you.

It may pass for "something you have" but also has a function to act as a location or close proximity biometric remote sensor for an observer elsewhere. It's a tracking device.

[...] Partly it's because we've been using passwords wrong for about the past 40 years. The new NIST document partially puts that right. It's also because there's a massive "security industry" that sells things - and you can't sell people the ability to think up a new password in their own head. Where's the profit in that?

Instead they'll tell you that you need a fangled security system of gadgets and retina scans, and that you're too stupid to be trusted with your own security. They are wrong. In most cases passwords are just fine if not better than alternatives, and in this post we're going to explain why.

Thus another theme of this essay is personal responsibility and the crux of the argument is that all security solutions which are not passwords solve problems that are not yours.

Like self-service checkouts at the supermarket that make customers into employees, they are a way of passing blame, liability, and work onto you in order to solve someone else's security problem. As Prof. Ross Anderson bluntly puts it:

"If Alice guards a system but Bob pays the cost of failure, you can expect trouble."

Cybersecurity has become more harmful than helpful in many cases, and biometrics are more of a user name than a password, despite their constant misuse as the latter.

Previously:
(2024) NIST Proposes Barring Some of the Most Nonsensical Password Rules
(2024) VISA and Biometric Authentication
(2023) A Fifth of Passwords Used by Federal Agency Cracked in Security Audit
(2020) Here's Yet Another Reason Why You Really Should Start Using Better Passwords

  • (Score: 1) by shrewdsheep (5215) on Tuesday October 08, @07:13AM (#1376188) (5 children)

    I personally hate 2FA and believe it's useless for people like me. If, OTOH, I were a sysadmin of a large organization, I would still consider 2FA, as there is a sizable population falling for phishing attacks. 2FA implementation matters indeed. I believe SMS verification is a reasonable approach, separating location access between parties.

  • (Score: 5, Interesting) by Rosco P. Coltrane (4757) on Tuesday October 08, @10:53AM (#1376203) (3 children)

    2FA is very useful, and while inconvenient, you should use it. It truly is the best thing you can do against account takeover.

    SMS 2FA is completely terrible though. If you need convincing, watch this [youtu.be].

    And if you wonder why big names like Google or Facebook still push SMS 2FA if it's that terrible, it's because it has one great advantage for them: it allows them to collect people's phone numbers under the guise of "security". In other words, they don't give the tiniest shit about your security: what they want is more of your data. TOTP or FIDO do nothing to help them collect data on you, which is why they aren't actively and aggressively pushing them like they should if they truly cared about security.

    • (Score: 3, Insightful) by SomeGuy (5632) on Tuesday October 08, @12:00PM (#1376208) (1 child)

      Come up with a widely accepted 2FA method that does not require a smartphone and I'll finally consider 2FA as something other than a nazi-ific way to sell cell phones and collect personal data.

      Some of us don't own and don't want a smart phone or cell phone. Yet, from what I have seen the only "2FA" that has come to be fully accepted by big mindless companies is the use of some "app" on a stupid smart phone.

      • (Score: 2, Informative) by Anonymous Coward on Tuesday October 08, @03:48PM (#1376223)

        TOTP doesn't require a phone. It will often be labeled "Google Authenticator", but you can use any app, including many desktop password managers. Nor do "passkeys" (aka WebAuthn), which can also be handled by many password managers (including likely the one built into your browser). But you'll generally see those options on sites that really care about security, like video games, not sites where security is actually important, like your bank.
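The point made above, that a TOTP code is nothing more than a computation over a shared secret and the clock, is easy to see in code. The following is an added example, written for this page and not taken from the post or from any commenter: a complete RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation using only the Python standard library, plus a parser for the `otpauth://totp/...` URI that an enrolment QR code encodes, which is exactly what a desktop password manager stores when you scan one. The 20-byte secret is the RFC reference secret (ASCII `12345678901234567890`), and the sample URI is constructed for the example; neither is a real credential. The `verify_totp` function and its drift `window` parameter are this example's own design, not an API of any particular library.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

A code is a pure function of (secret, time), so a phone app, a desktop
password manager and this script all agree on it. The secret below is the
RFC reference secret; the otpauth URI is a constructed sample.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1):
    """Server-side check (this example's own helper). Returns the matching
    counter, or None. Accepts +/- `window` steps of clock drift and compares
    in constant time. A real server must persist the returned counter and
    reject any later code whose counter is <= it, or a sniffed code can be
    replayed for as long as the window stays open."""
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        expected = hotp(secret, counter, digits, algo).encode()
        if hmac.compare_digest(expected, str(code).encode()):
            return counter
    return None


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as unpadded, case-insensitive
    base32, sometimes with spaces for readability."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding b32decode wants
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth://totp/<label>?secret=...&... URI from an enrolment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parsed.query)
    algo_name = query.get("algorithm", ["SHA1"])[0].upper().replace("-", "")
    algos = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": decode_base32_secret(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algo": algos[algo_name],
    }


# Constructed sample enrolment URI carrying the RFC reference secret in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def code_for_uri(uri: str, unix_time: int) -> str:
    """What any app that scanned this QR code would display at `unix_time`."""
    p = parse_otpauth_uri(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algo"])


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 8-digit codes; the 6-digit code is the low six digits.
    for t, expected in [(59, "287082"), (1111111109, "081804"), (1234567890, "005924")]:
        print(f"t={t}: {totp(RFC_SECRET, t)} (RFC says {expected})")
    print("code for the sample URI right now:", code_for_uri(SAMPLE_URI, int(time.time())))
```

Run it and the three reference times reproduce the RFC vectors; run it on two machines with synchronised clocks and they print the same live code, which is the whole argument that no phone, SIM or network is involved. The drift window is a deliberate trade-off: each extra step widens the replay window, so the server must also track the last accepted counter.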

    • (Score: 1, Informative) by Anonymous Coward on Tuesday October 08, @11:10PM (#1376275)

      > why big names like Google or Facebook still push SMS 2FA ... it allows them to collect people's phone numbers

      Joke's on Google -- I set the phone number for text messages to my Google Voice phone number--which Google/Gmail offered to me many years ago for free.

      FB I could care less, don't have an account and don't want one.

      Like another poster in this thread, I don't have a smart phone (land line only) and don't want a cell phone either.

  • (Score: 3, Interesting) by aafcac (17646) on Wednesday October 09, @05:04AM (#1376311)

    I personally like it, but I absolutely hate how many sites require that I use email or SMS. The email isn't as bad as I use proper 2FA on all my email accounts and the likelihood of anybody intercepting the details in time to actually use them is pretty slim.

    The phones though are completely inexcusable as there's often a voicemail option that goes to a voicemail box that may not be used and may not have any security at all.

    Personally, I prefer OTP or FIDO, although I do make a point of keeping a spare FIDO stashed away in case I misplace the primary one.