back to article PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec

The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches. FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is working hard to address the problems that …

COMMENTS

This topic is closed for new posts.
Silver badge
Thumb Down

One fundamental flaw...

When I use username+pw (ideally with 2 factor) then this says that the authorised user of the account (whoever DodgyDavidCameron27 is) is requesting access. It says nothing about who the authorised user actually is. Once you start getting into fingerprints, retina scans etc it becomes a matter of saying that Mr Anthony Hancock of 23 Railway Cuttings East Cheam, NI number AB 123456A, DOB 12/5/1924, member of the Royal Marine Commando Club etc is asking for access to the account. Bye-bye anonymity.

The plan must have been dreamed up by NSAGCHQ...

4
2
Silver badge

Re: One fundamental flaw...

Very good point, Mr Hancock :)

The only 2nd factor I'd be happy with would be a USB device, provided it was possible to buy one without registering my identity.

I would also hope that the device is not easily clonable, otherwise I wouldn't use it on any machine that I don't control.

1
0
Anonymous Coward

Re: One fundamental flaw...

The only reason I'm against any of these retinal / finger print scanners is because they probably won't work for me.

Work in a factory bit where my fingertips regularly get scratched up / cut on bits of metal etc. And I have nystagmus so retinal scans definitely don't work.

0
0
Bronze badge
Stop

Re: One fundamental flaw... really?

OK, this is just something said in the article and I cannot verify it myself but:

"The fingerprint or voice print never leaves device. We're not building big database of secrets."

Does that make you feel less troubled?

1
0
Anonymous Coward

The thing that's wrong with passwords

Is the user who's making it up. Never had an issue with 1 factor password auth, maybe because I have 15 char minimum passwords and don't spread my personal info all over anti-social media sites.

0
1
Silver badge
Holmes

Re: The thing that's wrong with passwords

Smug much?

99% of people (and I'd guess 80% of El Reg readers) favour short, easily remembered passwords because speed and usability trumps online security in their minds, every time. Ok, they might get ripped off, but their perception of that risk means it going to keep happening whether you or anyone else likes it or not. And when they get ripped off, YOU pay, despite your 15-character passwords, through higher insurance costs, or bank charges, or interest rates, or access to credit, or the price of goods.

So you're actually right in one respect: the thing that's wrong with passwords is the people who use them. But a heightened awareness and use of security in a tiny minority is never going to fix that; FIDO just might.

But you're still a smug git.

4
0
Happy

Re: The thing that's wrong with passwords

"80% of El Reg readers" posted 3 hours ago and no downvotes! So all the *bois think you mean everyone else. ROFL

2
0
Silver badge
Devil

Fail Fail

Rely on a shared 3rd party authentication failure, I mean service.

1
0

To paraphrase Blackadder

"there are two tiny problems with that theory..."

The two major misconceptions here are:

[1] that the problem is primarily "weak passwords". Yes, the passwords exposed by major offline cracking attacks are generally weak, but before offline cracking can be carried out the authentication server has to be breached so the password database can be stolen. That is the real root problem we have to solve, and it remains regardless of the authentication mechanism in use. There must always be, somewhere, a record of legitimate credentials in some form or other to compare authentication attempts with. It may be made more difficult to abuse it, but the threat cannot be eliminated.

[2] that biometrics should be used for authentication. Biometrics are validly used for identification, as the identity of a supplicant is not expected to change. But using a biometric for authentication (i.e. validating that the supplicant has presented their legitimate identity) is fundamentally flawed. The reason is simple - how do you change the credential when it gets compromised? Eye and fingerprint replacements are still the stuff of Hollywood, and will remain so.

1
0
This topic is closed for new posts.

Forums