
Apple, Google, and Microsoft Want To Kill the Password With 'Passkey' Standard (arstechnica.com)

Apple, Google, and Microsoft are launching a "joint effort" to kill the password. The major OS vendors want to "expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." From a report: The standard is being called either a "multi-device FIDO credential" or just a "passkey." Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.

Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, "Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user's phone during authentication." Bluetooth has a terrible reputation for compatibility, and I'm not sure "security" has ever been a real concern, but the FIDO alliance notes that Bluetooth is just "to verify physical proximity" and that the actual sign-in process "does not depend on Bluetooth security properties." Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.

  • No phone? (Score:5, Interesting)

    by Some Guy ( 21271 ) on Thursday May 05, 2022 @02:48PM (#62506908)
    What do you do if you don't have a phone?
    • by ArchieBunker ( 132337 ) on Thursday May 05, 2022 @02:52PM (#62506922)

      Enter passwords the old fashioned way on a rotary phone?

    • by PPH ( 736903 ) on Thursday May 05, 2022 @02:52PM (#62506924)

      Then you can't use Apple, Google, or Microsoft services. All in all, a winning situation.

    • What do you do if you don't have a phone?

      Suffer endless "okay boomer" comments.

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Thursday May 05, 2022 @02:55PM (#62506938)
      Comment removed based on user account deletion
      • Re:No phone? (Score:5, Interesting)

        by laird ( 2705 ) <lairdp@gmail.TWAINcom minus author> on Thursday May 05, 2022 @03:11PM (#62507002) Journal

        The reason that more people use passwords than physical keys/2FA is convenience, in that the different approaches were incompatible, so you'd have to use different devices (or apps) depending on whether you were talking to Google, Apple, Microsoft, RSA, etc., or some random site that only implemented password login. If all the operating systems and browsers implement a single, interoperable system for authentication, it becomes more convenient for logging into Google, Apple, and Microsoft (sites and devices), and there's one standard, pre-integrated into all the devices most people use, which means that it'll be much easier to implement for other sites, etc. Basically, since everyone who's serious about security has already implemented 2FA, this rolls all of that into a single interoperable solution for a huge range of devices and browsers, pre-installed, seriously reducing the level of effort required for users to be secure. I count that a win.

      • by SirSlud ( 67381 )

        It's not the technology that was lacking, but the pervasive use case with substantial enough demand to lead towards standardization.

        Banking came up with standards and consortiums to handle this because enough people needed it. We've gotten to that critical mass for online presence.

      • Re:No phone? (Score:5, Insightful)

        by Darinbob ( 1142669 ) on Thursday May 05, 2022 @04:30PM (#62507276)

        Passwords are flawed. But also many of the proposals to replace passwords are also flawed.

        Right now there are secure computer systems that do not use passwords they're relying on PKI with certs. But there's an infrastructure in place to manage certs, expire certs, grant very short lived certs (good for one day or 10 uses or whatever), etc.

        So the same style can be used. And it doesn't need to be tied to a particular vendor and their competing protocols and apps. Get a dongle with your private key, in secure storage (key can't be read back even with physical access, JTAG, microscope, etc). But what fails here is using a phone as the secure device - it gets lost, stolen, replaced (often for fashion purposes), the battery runs out at the wrong time, they're massively expensive, etc.

      • Re:No phone? (Score:4, Insightful)

        by WierdUncle ( 6807634 ) on Friday May 06, 2022 @05:24AM (#62508578)

        Authenticate by having everyone carry around things with them

        My bank issues a portable card reader, tied to my debit card. The idea is to make online payments as secure as using the physical card. I have needed this recently to pay some cleaners and decorators, who don't take card payments, but like direct transfer online. When you want to make a payment, the bank website displays a number. You plug your card into the reader, enter your PIN, then enter the displayed number. The reader then displays a response code, which you enter on the bank website. This seems pretty secure to me.

        I had trouble with this system when the card reader went wrong. It refused to recognise my card. It was probably just a faulty contact. While I was waiting for my bank to send me a new card reader, I paid the contractors by cheque. It is years since I paid anybody like that. What I did not realise is that the bank will tend to seek independent authentication of an unusual payment, by sending a text to your designated mobile. This is where using a mobile as a means of authentication gets dodgy. The signal in my flat is pretty flaky, so I did not get the text for a couple of days, by which time, the bank bounced the cheque, because I had failed to respond in time.

        What this story illustrates is the danger of having a single method of authentication. If this goes wrong, you are totally screwed, whereas with different authentication for different purposes, you might at least have the means to put things right. For example, if my bank authentication via the card reader gadget were universal, and required for logging in to my email, then I would not have been able to sort out the problem with paying the contractors.

        Perhaps the point with online security is that you should not assume that it is automatic and transparent. You should make sure that your money is going to the right recipient, and that you are giving your personal information to an organisation you trust. This is rather inconvenient, but basically no more inconvenient than having locks on your doors, so you have to carry keys around. It would be nice to live in a society where it is not necessary to secure your home against potential burglars, but that is not the society I live in.

    • Re: (Score:3, Insightful)

      by bagofbeans ( 567926 )

      The whole point of this is to allow every service to establish your phone number. Goodbye, anonymity....

      • Re: (Score:2, Insightful)

        by N1AK ( 864906 )
        Nothing about this requires a phone number but way to make shit up to match your conspiracy theories; there are FIDO devices that can only authorise/reject requests with no capability to be a phone.
        • Re:No phone? (Score:4, Insightful)

          by Luckyo ( 1726890 ) on Thursday May 05, 2022 @04:03PM (#62507188)

          Yes, and there are also people who are born without hands and feet.

          We still assume that humans are ones with a pair of each and build our world accordingly. Just like in this proposal, assumption is that everyone has a phone and will use it for his accordingly.

        • Re:No phone? (Score:5, Insightful)

          by MeNeXT ( 200840 ) on Thursday May 05, 2022 @04:52PM (#62507358)

          The one and only device that I own that I can't obfuscate my identity on, is my phone. Even though I bought it, the phone doesn't belong to me and there is very little I can do to stop it from tracking my movements and my communications when I don't have access to a landline. There is no way I can stop it from communicating this information to the company that built it. Even if I replace the OS, the underlying code that boots the OS is inaccessible. In today's world, life without a mobile phone leads to poverty. The only reason it's like this is because the consumer is the product. Change the laws to protect the consumer and all this changes. That is why the article lists phones as a solution to manage your password.

          With that being said the article is misleading because it does not make a case of eliminating a password. It makes a case of limiting what is an acceptable password. The solution requires a third party device that comes with its own problems. The main purpose of this is to transfer the cost from the corporation to the user. It now becomes the user's responsibility. The easiest solution for a user is to have their phone manage it. While there are other options they are all more cumbersome. The added benefit for this is it makes the smartphone more indispensable. Ties the product (the consumer) to an identity that can be verified (phone number). This phone number exists on multiple devices outside your control with accurate identifying information.

          While the comment you were responding to is not necessarily true it is closer to the point than carrying around multiple devices for different tasks. Many have eliminated their wallets and their keys and replaced them with their phone. I don't see the point of carrying a dongle that requires a password to access my password. The only logical option then is to use a phone since they won't accept the password that is in my head.


      • by AmiMoJo ( 196126 )

        The proposed standard has nothing to do with phone numbers, and doesn't even need a phone to work. You can use a security key like Yubikey.

    • What do you do if you don't have a phone?

      USB dongle with a chip and a password . . . ANYTHING but farking password rotation. Offline synced authenticator about the size of the two smallest joints on your pinky.

      Or signature. ANYTHING but password rotation OR signature.

      • The devices hopefully rotate their keys often, even if they're not passwords. Keep the original private key secret, but from there you generate a new key for each site you visit, and the key lasts only a limited time and must be regenerated as needed.

        Even in a password system, which is inherently bad, they're done using really broken models. Ie, the password itself should NEVER be stored, not in flash, not in a file, not even in RAM beyond the few seconds after you've typed it. The password needs to be

    • Re:No phone? (Score:5, Insightful)

      by Darinbob ( 1142669 ) on Thursday May 05, 2022 @04:19PM (#62507250)

      Even with a phone, 2FA is a pain in the royal ass. A lot of stuff times out before I can get to the phone, unlock it, open the app, dismiss all the Apple requests to add its own 2FA, then swipe the fingerprint, then because the Microsoft app is broken, close the app and reopen it so that it can see the request for 2FA, then swipe finger again, then get back to the PC and click "ok" on the Cisco app...

      Had a coworker lose the phone, could not get into the PC, had to come to the office during covid lockdown for IT to manually reset everything.

      • Re: (Score:2, Interesting)

        Sounds like you're using shitty MFA apps.

        Google Authenticator has never done that in the 5+ years I've been using it across multiple devices. And, because TOTP is a standard, I don't even use that anymore in favor of having the TOTP key saved in a password manager with the rest of the account info, so it can just automatically inject the TOTP code for me.

        SMS MFA can eat a dick though.

      • by AmiMoJo ( 196126 )

        You can use a security key instead.

    • I guess the real world scenario you're getting at is what you do if either a) you lose your phone; b) your phone has run out of battery, or c) your phone is broken somehow. There needs to be a decent backup for such situations, but there the spectre of social engineering sneaks back in.

      • Re:No phone? (Score:5, Insightful)

        by smooth wombat ( 796938 ) on Thursday May 05, 2022 @04:45PM (#62507328) Journal

        a) you lose your phone;

        Which is what I have said many times in the past when companies or people talk about using their phone for everything. Not only losing your phone, but having it stolen or broken. Now your entire life grinds to a halt as you have to get a new phone then notify each and every service of your new device, hoping all the while everything works as planned.

        A local radio station has a realtor on over the weekend talking about this or that and one thing he mentioned was this "app" you can use to see if the card reader at your gas station has been compromised. The entire time they were talking about how technology can be used to protect you all I was thinking was, "Use cash." Cash is 100% guaranteed not to be compromised (short of you having fake money). You pay the person, pump your gas, then leave. No need to add extra layers of nonsense.

        Yet here we are trying to shove more of our lives onto a single point of failure and we think it's the bee's knees. Nothing like over complicating just because you can.

        • by AmiMoJo ( 196126 )

          If you lose your phone you have to do that anyway. It's logged in to your accounts, it's got your long random passwords stored on it.

      • a) lose your phone
        You're getting a new phone, right? Since you lost your current phone? Or are you just going to go phoneless for the rest of your life? Your FIDO keys are backed up to the cloud service of your mobile OS provider, restored as soon as you log in.

        b) your phone has run out of battery
        Well, you're logging into a laptop or desktop computer, right? And it has USB ports on it that can transfer 5VDC or more into a phone via cables that everyone has laying around everywhere?

        c) your phone is broke

      • There is the criminal element to consider:
        d) Someone duplicates your SIM # to hack your life ...
        e) Someone duplicates your SIM # to hack your bank account and steal your money ...

        For some networks, I don't think they even need physical access to your phone to duplicate a SIM # and generally ruin your life.

    • Apparently you don't count as a person. If you do not have the affluence to own a phone, you're not a very good potential customer, so none of the big tech companies care about you. If you're not a profit center, you're not a person.

      • If you do not have the affluence to own a phone, you're not a very good potential customer

        Welcome, time traveler from the 20th century. An Android phone in our times is about $20 (free with Lifeline in the USA), or you can skip the phone and get a free online number to use for 2FA, or you can use a dedicated authentication device as a passkey for the purpose of this article.

        The problem is, it's just much more time-consuming and annoying than using a password (particularly one that your browser auto-fil

    • What do you do if you don't have a phone?

      Whenever I use that line, people look at me like I'm some kind of five-headed dinosaur. A more appropriate argument is "Single Point of Failure".

      I'm not comfortable with all the information on my life flowing through a single device, let alone a game machine specifically designed to collect and market the hell out of all my personal information.

  • by Crashmarik ( 635988 ) on Thursday May 05, 2022 @02:51PM (#62506916)

    Just what I wanted even less anonymity, and maybe they could tattoo a QR code on people's foreheads?

    There's no way anyone in their right minds should want this, even disregarding the privacy issue, it introduces a single point of failure to your online presence.

    • by laird ( 2705 )

      It's only for services that you need to log into - it just makes login much more secure by tying it to a physical device (like 2FA).

      • by jenningsthecat ( 1525947 ) on Thursday May 05, 2022 @04:14PM (#62507238)

        It's only for services that you need to log into - it just makes login much more secure by tying it to a physical device (like 2FA).

        I suspect that if logging in becomes that frictionless we will "need to log into" virtually every site we visit, nominally in the name of security but realistically so we can be more fully tracked and have the rest of our privacy stolen.

        Anonymity and privacy are now substantially a thing of the past - these new measures will drive a stake through their hearts and toss them on a bonfire.

        These, along with the demise of cash money, are the start of yet another "papers, please" chapter in our history. It may also be the last such chapter.

        • We don't already have to log into every site we visit? The amount of web sites that demand my email address for an account that I don't want to create is staggering, and only increasing.

      • A lot more services will "need to be logged into" even if they didn't before.

    • by SirSlud ( 67381 )

      "it introduces a single point of failure"

      for all practical purposes, passwords are a single point of failure for most people because most people reuse passwords. the people selling and buying password databases know this. that it's not the case for us (b/c we know enough not to share passwords) is not an invalidation of that reality.

      • Keep in mind that the human brain literally didn't evolve between when valiant knights slayed hordes of bad men with their mighty sword, and human shit ran down the middle of the street in open canals to and frou the toun square, and men who blasphemed the Lord's name spent time chained by the neck to the wall of the kirk, or the tol boothe, or the mercat crosse.

        As the human brain wasn't wired to remember multiple dark magic spells of words such as #$..uA561, spells that only the most wise and power

      • That's an assumption, not fact. So no.
    • by raymorris ( 2726007 ) on Thursday May 05, 2022 @03:46PM (#62507132) Journal

      It's essentially a standardized protocol for your password manager and browser to communicate. It has precisely zero negative effect on anonymity.

      Actually it very slightly improves anonymity vs traditional passwords.

      I have several hundred million passwords from various leaks.
      Suppose I search through these leaks and find someone has the password "Carashmarik2022". I can reasonably suspect that's you. When I find that in the Grindr leak, I have evidence that you are on Grindr with a particular account.

      On the other hand, with WebAuthn passkeys, the password is a completely random number. Meaning I can't tie it back to you.

      People routinely use the same usernames and passwords for many accounts. That's bad for anonymity because it can be used to tie those accounts together. With passkeys, you don't have the same passkey on multiple accounts, so I can't do that correlation.

      • by MobyDisk ( 75490 )

        From now on, I'm using "Carashmarik2022" as my password so people can't identify you any more.

      • Suppose I search through these leaks and find someone has the password "Carashmarik2022". I can reasonably suspect that's you. When I find that in the Grindr leak, I have evidence that you are on Grindr with a particular account.

        Another reason to use "password" as your password? Your technique only works on unique, or near-unique passwords.

    • Don't be silly. Not a QR code!

      Just a Bluetooth enabled chip implanted somewhere in the body. Some place where even a precocious ten year old who could build pod-racers and protocol droids could not scan and locate it. That's all!

  • Mailinator did this 20 years ago.

    • And yes, I use it for my professional email. It's quite convenient. Passwords are for wussies.

    • by laird ( 2705 )

      Sure, and LastPass and 1Password effectively do it as well. The difference here is that there's one interoperable solution built into the OS/browser, instead of a bunch of point solutions to install.

  • The tech companies in more control.
    Who is paying for this? I am not. Is my job going to need to start buying everyone a second phone so we can authenticate?
    What about getting banned from the tech companies' service. What would you do for employment then?
    Is the best device for security the device used for music, memes, and porn?
  • by AcidFnTonic ( 791034 ) on Thursday May 05, 2022 @02:57PM (#62506950) Homepage

    This is just a nice workaround to actually have *me* authenticate something. As soon as this is implemented law enforcement will come-a-[no]knocking and demand the right to force successful authentication requests to unlock shit for investigations.

    So on that principle, I do not support this and will not use it. I will continue to develop the software I write to use password auth.

    • by Lonewolf666 ( 259450 ) on Thursday May 05, 2022 @03:33PM (#62507094)

      On top of that, there is also the risk of criminals getting to your phone. Worst case, they can hack it all the way down to root level and do whatever the OS can.
      Second step, extract the passkey (or its hash value or whatever) from the phone.
      Third step, copy it to a device of their own and log in with that.

      Also, from TFA:

      From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way.

      If you don't use biometric authentication on your phone, then you are stuck with the PIN. Which is... drumroll ...the equivalent of a password. Zero gain in convenience. All you "gained" is the necessity to carry your login device around.

      • All you "gained" is the necessity to carry your login device around.

        Yip. I already have to do this to authenticate card payments online and it's a pain in the arse. I buy something on a whim and then I have to get up, find my phone, open my banking app and click an 'authorize' button. In fact I can't even log into my online banking website on my computer without authorising the login with the phone app - which is a major inconvenience if the only reason I want to use the actual website is because my phone has died.

        I realise that going and getting your phone isn't the end of

        • I have a U2F USB key next to my desktop and one on my keychain that does NFC. The number of sites that support something so simple to implement and that has full integration with the browser is very low. Worse, most will only let you have one 2FA device instead of multiple. Two 2FA devices is way better than keeping track of backup OTP codes.

      • by fahrbot-bot ( 874524 ) on Thursday May 05, 2022 @04:08PM (#62507212)

        If you don't use biometric authentication on your phone, then you are stuck with the PIN. Which is... drumroll ...the equivalent of a password. Zero gain in convenience. All you "gained" is the necessity to carry your login device around.

        Not only that, the PIN grants access to *all* the passkeys on the phone, so it's a shared/common/re-used password. Not better.

        Also, all TFAs I've read go on about how easy it will be to transfer things to a new phone if the current one is lost/stolen, but so far I haven't read anything about how to invalidate / dissociate that old device so no one else can use the passkeys on it.

      • Not exactly the same as the password. For all but the most advanced techniques, the TPM can limit attempts to crack that PIN. Ideally the information is not stored anywhere that the root OS can directly access.

        A web site password can be cracked from anywhere. A PIN is at least limited to physical access to the phone.

        • by MeNeXT ( 200840 )

          TPM can limit attempts to crack that PIN.

          A web site password can be cracked from anywhere.

          You can limit the attempts to crack the password on a website.

          Ideally the information is not stored anywhere that the root OS can directly access.

          A PIN is at least limited to physical access to the phone.

          So you say you are limited to one device? No backups? How do you backup something that the OS can't access? The PIN on my phone is shorter than any password that I ever had due to the fact I need to enter it constantly. With all the cameras all over the place it's hard to keep a PIN secret.

          • There are already too many sites that only let you register one 2FA method. I sure hope they learn from those mistakes. Rather than backing up a device, each device should be registered as wholly unique. That means you should also be able to invalidate a device without losing access. Cannot say if they are doing this or not. But these are lessons learned from similar 2FA and if it's going to be 1FA it has to be better.

    • If you stick with a PIN, law enforcement would also be stuck under the proposed system. iPhones with PIN codes are actually hard to hack by guessing randomly.

  • by unami ( 1042872 ) on Thursday May 05, 2022 @03:00PM (#62506962)
    and for people like me who hate 2FA with a passion. At least, put the authentication button on my smartwatch. As of now it only counts the steps I take looking for my phone.
  • replace an alphanumeric phrase you can remember with a complicated walkthrough using new technology tied to a phone?

    Excellent *mr burns hands*

  • Gee, I wonder if there are situations where systems aren't attached to just a person with a phone but instead are used by a wider audience?

    Once again we see the phrase "Lose your phone and use your life".

    - - -
    Did anyone notice that on a computer this would require the device to have some sort of account with Microsoft/Apple/etc that ties the user to the device? "We need to do surveillance marketing on your devices to keep them safe!!!"
  • Terrible (Score:5, Insightful)

    by dskoll ( 99328 ) on Thursday May 05, 2022 @03:05PM (#62506976) Homepage

    2FA can be achieved with equal security using TOTP or a Yubikey, which is anonymous. And that's why Microsoft, Apple and Google are pushing this thing... because they don't like anonymity.

    • by dskoll ( 99328 )

      Err... actually. Maybe I was hasty. Don't know the details, but this could be implemented in a privacy-preserving way if done right. And the big advantage is that if the authentication is two-way (ie, device has to authenticate itself to the web site, but web site also has to authenticate itself to the device) then it could pretty much eliminate phishing attacks.

      • device has to authenticate itself to the web site, but web site also has to authenticate itself to the device

        Man in the middle would still be possible. Unless the authentication of the web site is tied to the SSL cert and domain of the web site.
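
raymorris's point above that each site gets its own random credential, and the reply's point that resistance to a man in the middle depends on tying the site's identity to its domain, are two sides of the same design. The following is an added illustration in Go, not code from the thread and not the FIDO or WebAuthn reference code; the RelyingParty/Authenticator names, the rule that the rpID must equal the origin's host, the hashed signing input and the bank.example, shop.example and evil.test origins are simplifications assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is what the authenticator (phone or security key) keeps per relying party
// (RP): a fresh key pair and a random ID, neither tied to the user, so RPs cannot correlate them.
type Credential struct {
	ID   []byte
	Priv *ecdsa.PrivateKey
}

// Authenticator holds one credential per rpID (the site's domain).
type Authenticator struct{ creds map[string]*Credential }

// RelyingParty is the website; it stores only public keys, keyed by hex credential ID.
type RelyingParty struct {
	ID   string // its domain, e.g. "bank.example"
	pubs map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

// Register mints a new credential for rp and enrolls only its public half.
func (a *Authenticator) Register(rp *RelyingParty) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand.Read never returns an error on current Go
	a.creds[rp.ID] = &Credential{ID: id, Priv: priv}
	rp.pubs[hex.EncodeToString(id)] = &priv.PublicKey
	return id, nil
}

// signingInput binds the challenge to the origin the browser saw (WebAuthn does this via
// the clientDataJSON hash): a look-alike page elsewhere cannot get a signature the real RP accepts.
func signingInput(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(rpID), []byte(origin), challenge} {
		h.Write(part)
		h.Write([]byte{0}) // separator so fields cannot run together
	}
	return h.Sum(nil)
}

// BrowserAssert plays the user agent: a page may only request an assertion for the rpID
// matching its own origin (exact host here; WebAuthn also allows registrable-domain suffixes).
func (a *Authenticator) BrowserAssert(origin, rpID string, challenge []byte) ([]byte, []byte, error) {
	c, ok := a.creds[rpID]
	if origin != "https://"+rpID || !ok {
		return nil, nil, errors.New("refusing assertion for " + rpID + " from " + origin)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, c.Priv, signingInput(rpID, origin, challenge))
	return c.ID, sig, err
}

// Verify checks the reported origin is the RP's own and the signature covers rpID, origin and challenge.
func (rp *RelyingParty) Verify(credID, challenge, sig []byte, clientOrigin string) bool {
	pub, ok := rp.pubs[hex.EncodeToString(credID)]
	if !ok || clientOrigin != "https://"+rp.ID {
		return false
	}
	return ecdsa.VerifyASN1(pub, signingInput(rp.ID, clientOrigin, challenge), sig)
}

// Demo runs a genuine login, a phishing page on a constructed look-alike origin relaying
// the bank's real challenge, and checks whether two RPs could link the user by credential ID.
func Demo() (legitOK, phishOK, linkable bool, err error) {
	auth := &Authenticator{creds: map[string]*Credential{}}
	bank, shop := NewRelyingParty("bank.example"), NewRelyingParty("shop.example")
	bankID, err1 := auth.Register(bank)
	shopID, err2 := auth.Register(shop)
	ch := make([]byte, 32) // fresh per login so an assertion cannot be replayed
	rand.Read(ch)
	id, sig, err3 := auth.BrowserAssert("https://bank.example", "bank.example", ch)
	if err = errors.Join(err1, err2, err3); err != nil {
		return
	}
	linkable = hex.EncodeToString(bankID) == hex.EncodeToString(shopID)
	legitOK = bank.Verify(id, ch, sig, "https://bank.example")
	// The browser refuses to use the bank's credential from another origin, so no assertion is produced.
	_, _, perr := auth.BrowserAssert("https://bank-example.evil.test", "bank.example", ch)
	phishOK = perr == nil
	return
}

func main() {
	l, p, k, err := Demo()
	fmt.Println("genuine login:", l, "phishing login:", p, "linkable:", k, "error:", err)
}
```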

    • by PPH ( 736903 )

      First: My phone is anonymous. Bought in a blister pack for cash with a prepaid SIM. I always reload the SIM with cash. But my phone is just one phone. So if I use that for 2FA on multiple sites, eventually a smart person can link all those accounts together as belonging to one individual. So, no phone 2FA for me.

      I'm not certain how Yubikey works. Even if anonymous, is there some identifying serial number that can link multiple accounts to one dongle? I suppose I could carry a key ring around with one Yubik

      • Re:Terrible (Score:4, Insightful)

        by dskoll ( 99328 ) on Thursday May 05, 2022 @04:55PM (#62507372) Homepage

        Yubikey is essentially TOTP or HOTP. There's no device-specific information involved in the protocol.

      • by MeNeXT ( 200840 )

        Do you use your phone to call people? Do they call you back? How can you be sure they don't have your name with your phone number in their contacts? You would need to call a number that allows you to call another number for all your outgoing calls. That number would need to forward the calls to you but even that leaves a trail. The only way a phone can be anonymous is to only call another that is anonymous and both parties are aware of the rules never to call another or throw it away if they do.

  • Issues.. (Score:5, Insightful)

    by AcidFnTonic ( 791034 ) on Thursday May 05, 2022 @03:10PM (#62506994) Homepage

    1. If no phone?
    2. If phone but not employers, I don't want to be tied to discovery if they are sued taking my phone.
    3. If banned from M$/G, will they still support auth requests for other services pre-existing?
    4. Can law-enforcement force their way past this now?
    5. Can I be compelled to make this request/unlock for someone at a border?
    6. Can I in advance, disable this in case I need to cross a border and may be compelled?
    7. If I already use this for personal use, will it complain my phone is already registered or whatever when I use the corporate side?
    8. If I work for a bunch of corporations in a short time, is there a limit to how many accounts/unlocks I can use?
    9. Rate limiting if enforced is how often? When does it reset? Does it geoblock?
    10. If my country fires missiles and gets sanctioned will all my access and accounts still work?

    Really seems like passwords have a lot of nice features still :)

    • by N1AK ( 864906 )
      You seem to be confusing "issues" with "shitload of things you don't know"
  • Apple, Google, and Microsoft are launching a "joint effort" to kill your privacy under guise of providing 2FA.
  • And fuck you for trying.
  • I'm tired of software vendors removing functionality and configurability for the sake of protecting uninformed and/or lazy end users.

    If they want to add safer functionality, fine. If they want to set the defaults so that the lusers are protected from themselves, fine.

    Do not, Do NOT, DO NOT take away the choice to use functionality that might not be good for uninformed end users, from the informed end user. Want to make it take some effort "like are you sure, are you REALLY SURE?", fine, but don't lock infor

  • It's typically a good idea to stop reading after "Apple, Google and Microsoft want" and this is no exception.

    No I'm not going to link my cell phone to your garbage.

    No I'm not going to put anything I don't want public on a cell phone.

  • They want to monitor every time a user accesses a site, more data for them. Honestly, this is ridiculous

  • by hackertourist ( 2202674 ) on Thursday May 05, 2022 @03:31PM (#62507086)

    So if I use my phone to access a website, will it use my computer for authentication? Or will the "multi-device" authentication become single-device?

  • and to have a shared service account / admin account?
    If even to just get the web page to auth in that account? (need to login as admin to setup token)
    Setting up a service account for a pipeline??

  • Why on Earth would I put my everyday Gmail account on my phone? It's a massive privacy risk, and a security risk if your phone gets lost. I've got a separate account for that, with no private information on it. In fact, I've got 3 accounts - one for every day use, one for my phone, and for spam - any places which extort the email address from you even though they could perfectly do without it. If Google moves on with these plans, I will fully migrate to Protonmail.

    • honestly, why not move on to protonmail for the dozen other things google has already done to you?

      • Because I have absolutely no need or desire to have my main email account on my phone with me all day. A Google account is required in order to access their marketplace and a number of the commercial apps I use, but that's it - that's the only thing I need it for. Call me old school, but I only interact with my email accounts on my workstation and have absolutely no desire to be connected anytime and anywhere. I usually check my email once or twice a day, process any new emails and forget about it until the

  • Any form of authentication, including biometrics or simple OTP, is inherently insecure on rooted devices. For these reasons, many apps and services, especially in the financial sector, implemented root checks and refuse to work if they detect a rooted environment. Enforcing the proposed authentication scheme could mean that people on rooted phones would either be at serious risk of identity theft if their phones got stolen, or they would be locked out of any of the cartel's services on modified phones.

    • It's not 'secure'. They just trust mobile phone manufacturers not to break their security.

      I have different trust relationships.

    • Any form of authentication, including biometrics or simple OTP, is inherently insecure on rooted devices.

      Interesting theory that the mere existence of a root user account should render a computer "inherently insecure". Is there a factual basis for this conclusion?

  • Getting rid of Smartlock?
  • by devslash0 ( 4203435 ) on Thursday May 05, 2022 @03:54PM (#62507154)

    If you'd like to guess someone's password right now, you'd have to beat the entropy, and random passwords stored in a password manager have a pretty good entropy, requiring inconceivable numbers of attempts to guess a password successfully. With this new standard, all you have to do is steal someone's phone and guess a usually 4-to-6-digit PIN, reducing the entropy to almost nothing.

  • by Scutter ( 18425 ) on Thursday May 05, 2022 @03:57PM (#62507164) Journal

    Sev. 1 - High Priority - All Production Down
    Subject: My phone is going haywire!
    Description: The authenticator app keeps popping up a message every once in a while that I need to authenticate even though I'm not doing anything. I keep hitting OK but the message just comes back a few minutes or a few hours later! Can I just uninstall this piece of junk app? This has been going on for months! Also, can you tell me why I keep seeing all of these weird email messages in my Sent Items folder?

  • It's the most annoying thing in the world to be on the laptop and suddenly have to reach for the phone only to be able to continue being on the laptop! I hate all the mobile apps that don't exist on laptop for the same reason, but most of all, I hate the 2FA apps!
  • No, this is just more phone number harvesting. They want that so they have a "business relationship" with you, so that it will be possible for Do Not Call registries to be ignored.

    Musk wants to do it too, with Twitter. The moment it locks me out without a phone number is the moment I'm off it for good.

  • by LainTouko ( 926420 ) on Thursday May 05, 2022 @04:54PM (#62507366)
    Security engineers like to talk about all the bad properties of passphrases, which are very real and problematic, but in doing so they often forget passphrases have some good properties as well which are very hard to replicate with schemes like this. My passphrases never lose power, they never break, they're never somewhere else, I trust the device they're stored in, they're entirely under my control and don't expose me to any form of monitoring, they're trivially deniable, they're easily changed, and they work on absolutely everything.
  • It's using the built-in biometrics in a phone for a fingerprint for a computer which hasn't got the hardware, big deal, but it works for me. It's what Australian MyGov does for your tax, Medicare, pension, etc, etc...

  • by misnohmer ( 1636461 ) on Thursday May 05, 2022 @05:15PM (#62507452)
    We are either missing a lot of details here, or this is one of those features designed by marketing and never thought through from a technical implementation and its implications point of view.

    For example, detecting proximity to what? I'm going to assume they mean proximity to the terminal which runs the web browser. So now every time you log into a website, the site pushes something out to your phone? They say they are not concerned about security of that, so if I just sniff BT I can tell every website you're logging into? What if I browse on a remote terminal in another state or country? Will remote desktop tools now require passing the BT proximity message every time a browser running on a virtual PC in the MSFT cloud wants to send one?

    Without proximity detection, push to mobile device to authenticate has a known social engineering exploit: if you want to log in somewhere, start pushing auth requests to people's phones over and over in the middle of the night, and a bunch of people will eventually press "Allow" to make their phones stop beeping. Then there is the fact that with every website using this, people will not look at which website the auth request is for, and will assume instead it's the website they happen to have on the screen at the moment (but it could be a different website a hacker is trying to log into). They won't even bat an eye if they get two auth requests for a single login, as they will assume it's probably a glitch - a badly coded website which asked to auth twice (and a lot of times it will be).

    Then again, Microsoft is already doing stupid things like this - whenever my Windows PC connectivity is interrupted, a bunch of Microsoft components are asking to re-authenticate, but the windows just pop up and there doesn't seem to be a way to tell what part of the Microsoft software is trying to authenticate for what reason - it's just a windows dialog. Is it Teams, is it drive share mounts, is it Outlook, is it some other component syncing up with the domain controller? All the auth request windows look the same and don't have any apparent association with the applications which caused them to pop up. So Microsoft is already training people to punch in credentials, including TFA, to whatever anonymous window pops up and asks for it.
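The "push until they press Allow" pattern described in the comment above is what defenders usually call MFA fatigue or push bombing, and it leaves a distinctive trace in authenticator logs: a burst of prompts to one user for one relying party, mostly denied or timed out, often at night, and then a single approval. The following is an added example (not code from the article, the FIDO Alliance, or any commenter) that runs a sliding-window detector over a constructed log; the log format, the event names (`push_sent`, `push_denied`, `push_timeout`, `push_approved`), the users and the site names are all hypothetical.

```python
"""Detect MFA push-fatigue bursts in authenticator logs (added example, hypothetical log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. Fields: ISO-8601 timestamp, user, event, relying party.
# alice is bombed with four prompts in seven minutes around 2 AM and finally approves;
# bob gets two normal prompts during the day and approves each one immediately.
SAMPLE_LOG = """\
2022-05-05T02:10:05Z alice push_sent site-a.example
2022-05-05T02:10:35Z alice push_denied site-a.example
2022-05-05T02:12:01Z alice push_sent site-a.example
2022-05-05T02:12:20Z alice push_denied site-a.example
2022-05-05T02:14:40Z alice push_sent site-a.example
2022-05-05T02:15:10Z alice push_timeout site-a.example
2022-05-05T02:17:02Z alice push_sent site-a.example
2022-05-05T02:17:09Z alice push_approved site-a.example
2022-05-05T09:00:00Z bob push_sent site-b.example
2022-05-05T09:00:12Z bob push_approved site-b.example
2022-05-05T13:30:00Z bob push_sent site-b.example
2022-05-05T13:30:15Z bob push_approved site-b.example
"""


def parse_line(line):
    """Split one log line into a record; the trailing 'Z' is rewritten for older Pythons."""
    ts, user, event, site = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "event": event,
        "site": site,
    }


def detect_push_fatigue(log_text, window_minutes=10, max_prompts=3, quiet_hours=(0, 6)):
    """Return one alert per (user, site) whose prompt count in a sliding window exceeds max_prompts.

    Each alert records how many prompts fell inside the window, how many were denied or
    timed out since the last approval, whether the burst began in the quiet hours, and
    whether an approval arrived after the burst (the classic fatigue outcome).
    """
    window = timedelta(minutes=window_minutes)
    prompts = defaultdict(deque)   # (user, site) -> prompt timestamps inside the window
    rejections = defaultdict(int)  # (user, site) -> denials/timeouts since last approval
    open_alert = {}                # (user, site) -> alert dict still accumulating events
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["user"], rec["site"])
        ts, event = rec["ts"], rec["event"]

        if event == "push_sent":
            q = prompts[key]
            q.append(ts)
            while ts - q[0] > window:      # drop prompts older than the window
                q.popleft()
            if len(q) > max_prompts and key not in open_alert:
                alert = {
                    "user": rec["user"],
                    "site": rec["site"],
                    "first_prompt": q[0],
                    "prompts_in_window": len(q),
                    "rejections": rejections[key],
                    "quiet_hours": quiet_hours[0] <= ts.hour < quiet_hours[1],
                    "approved_after_burst": False,
                }
                open_alert[key] = alert
                alerts.append(alert)
            elif key in open_alert:
                open_alert[key]["prompts_in_window"] = len(q)
        elif event in ("push_denied", "push_timeout"):
            rejections[key] += 1
            if key in open_alert:
                open_alert[key]["rejections"] = rejections[key]
        elif event == "push_approved":
            if key in open_alert:
                # The user finally pressed Allow after the burst: highest-priority finding.
                open_alert.pop(key)["approved_after_burst"] = True
            rejections[key] = 0
            prompts[key].clear()   # a genuine approval resets the per-site history
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

In the constructed log only alice trips the detector: four prompts inside a ten-minute window, three rejections, the burst in the 00:00-06:00 quiet hours, and an approval at the end. Which response to trigger on such an alert (revoke the session, force re-enrolment, page the user) is a policy choice; the value of the sliding window is that it separates one impatient site that re-prompts twice from a sustained barrage.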
  • From a technical perspective? I like the concept that Bluetooth ensures physical proximity while the rest of the login process acts like a secure 2FA scenario.

    But practically-speaking? People are prompted to sign in to various devices so many times, in so many different places? They want to use a method that doesn't rely on anything more than what exists on the parent device getting signed into.

    A password only requires the keyboard (or a virtual one on a touchscreen) that the device has already.

    If I need to

  • Where's the "I can't sign on to anything on the Internet" loon? He'd be halfway on topic here.

  • by jd ( 1658 )

    The system that can be scanned from a mile away by the Bluetooth Rifle. True, this is greater proximity than "anywhere on planet Earth", but if you can scan a phone for all the passkeys it has and then upload them onto a Tor website, then they can still be used anywhere on planet Earth.

    Keep It Simple, Stupid is an engineering principle that the Big 3 have forgotten in their desire for the illusion of security.

    I keep Bluetooth off on my phone because it isn't a safe system and is fundamentally flawed.

    If Mi

  • Quoting the technical specifications: ...FDO software client is installed on the device.
    A Root of Trust key (RoT) is also created inside the device to uniquely identify it. This RoT can take the form of cryptographic keys built into the silicon processor (or associated TPM)...

    "TPM" is Trusted Platform Module. The "Root of Trust" is the master security key locking the cryptography on the device - a key which we are explicitly forbidden to know or control. And of course this is the keys locked in the devi
