RIP P4ssw0rd? IT giants agree to share patents to rollout two-factor auth

Passwords, right? If they're too weak, they can be worse than useless – but making them too strong means people do dumb things like writing them down or forget them and piss off IT workers with frequent reset requests. Now the FIDO Alliance – whose members include Microsoft, Google, ARM, PayPal, and Lenovo – has published the …

  1. Anonymous Coward
    Anonymous Coward

    Why single out Apple?

    I don't see Facebook, Amazon, IBM, HP, Oracle, SAP, and on and on!

    But I guess because Google is involved you're going to claim Apple is defying this alliance that has yet to produce any finalized standards, let alone test implementations, because you guys love to hate on Apple?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why single out Apple?

      Amazon, IBM, HP, Oracle and SAP don't make smartphones with integrated touch sensors.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why single out Apple?

        What does making a phone with an integrated touch sensor have to do with it? Google, Dell and all the rest named in the article don't make those either.

        Sounds like people are dodging my question and just hating on Apple because they don't sign up for any random collection of corporations that gets together and tries to set a global authentication standard. How many times have we seen efforts to try to create such a standard (most of which happened back when Apple was a small fish, so whether they joined or not would have been irrelevant)? They have all failed.

        I see no reason why this one will succeed, especially since people have no reason to trust US corporations involved in an authentication standard given that it is a proven fact that the US government will twist their arms and Google and all the rest will quickly give in. I'd trust a Chinese company before I'd trust Google, because the Chinese government spying on me doesn't hurt me since China has no power over me. The US government spying on me is a very bad thing since I happen to live there.

    2. big_D Silver badge

      Re: Why single out Apple?

      FIDO hardware dongles were released last month by Google and Yubikey keys have support for the standard as well.

      I use my Yubikey NEO as 2nd factor for LastPass, for example, even on my mobile using NFC and over USB on my Windows PC.

  2. Anonymous Coward
    Thumb Up

    iPhone TouchID

    According to the report on The Verge, the iPhone's TouchID sensor works with FIDO courtesy of an interface to Apple's open API. Nok Nok Labs did the work. I wouldn't know, personally.

  3. Anonymous Coward
    Big Brother

    May we assume it's been back-doored by the NSA?

  4. Simone

    Security of Passwords?

    So, it is foolish to write down passwords, and if I forget them I have to "piss off IT workers"? If I keep the piece of paper / notebook hidden away at home how is someone going to get that? Perhaps I should get my "device" to remember them for me; it won't get hacked will it?

    And if my password is compromised, I can easily change it

    What about biometrics? If that is compromised I cannot change my fingerprints. What about the "spy film" techniques of grabbing my drinking glass and lifting the fingerprint off that? Do I now wear gloves everywhere?

    I am not sure about the technologies, or the perceived problems with authentication, but I feel they are trying to make it more complicated than it needs to be. They should start by addressing the industry practice of making me sign up to a website just to get a price on something.

  5. Cliff

    Just waiting for more implementations

    I got a key from a French outfit for under a tenner (no need for it to be expensive, and I'm sure prices will become a LOT lower with time) and it works a treat with Google 2FA via Chrome and is pretty indestructible. Still waiting for PayPal et al to implement it, but it's such a good idea for anything with a USB slot.

  6. Chris Evans

    Confused!

    I don't understand how in practice two factor authorisation is that secure. An example on Wikipedia is "If users want to authenticate themselves, they can use their personal access licence (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode consisting of digits. The code can be sent to their mobile device by SMS, email or via a special app."

    So if someone steals my unlocked phone what is stopping them from doing anything I would do?

    Nicking my credit cards at the same time (quite common) would be a nightmare.

    Anyone know of a site with a good explanation?

    1. Adam Connelly

      Re: Confused!

      Nothing will stop them from being able to access your account if they've got your phone running the 2 factor auth app. But from what I can tell, you can turn off 2 factor authentication, or switch it to another phone, at which point the codes generated on your old phone are useless.

      https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956

      Obviously, if they've already done the damage and managed to get access to your account, this won't help. But OTOH, they would need your password as well, so it's not any less secure than a username and password.

    2. Anonymous Coward
      Anonymous Coward

      Re: Confused!

      That's why it's called two factor, because there's two parts involved to authenticating.

      Traditional username and passwords are one factor (you only need to know the password i.e. something you know)

      Two factor adds an additional element like something you are (biometrics like fingerprints, iris/retina scanners etc) or something you have (your mobile phone, a security token).

      Note: there are others like somewhere you are, how you do something (typing style etc) but they're less commonly used.

      So in the example you gave they'd have to steal your phone AND know your password. The benefit of this is that your potential attackers are limited to those living near you. Also, if another site is compromised where you use the same password, an attacker still won't have your phone, so still can't get in.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confused!

        "steal your phone AND know your password." Password to what? Many/most don't have one to access their phone.

        Mmmmm... Not having to remember a PIN is an advance but for non password protected phone it seems an open door! Or am I still missing something?

        1. Nigel 11

          Re: Confused!

          You're missing something.

          Say you used the same password for your bank and for some other e-commerce website. (Yes, you shouldn't, but many do!). Say the other site gets compromised and a list of names, addresses and passwords finds its way to the crims.

          With password-only banking, they'll likely hack into your account.

          With two-factor authentication using an app on your mobile, they'd also have to steal your phone before they can try to hack in. Which they can't do unless they are in your vicinity. If the hackability of random accounts from the stolen info is 5%, they'd have to steal twenty customers' phones to get into one bank account. I doubt that's feasible.

          The other way around, my bank has sent me a credit-card sized gizmo which I have to use to generate one-time authorization codes before I can transfer money. (There's an app alternative, which I don't yet feel any need for). If someone breaks in to my home and steals it, they won't be able to steal my money because they won't know my password.

          It's a bit of added hassle but on balance I'd prefer it if all banks did this.

          1. Anonymous Coward
            Anonymous Coward

            Re: Confused!

            Thanks for the explanation. I can now see it is a significant advantage in almost all scenarios.

  7. Gert Leboski

    Google Authenticator does fine for me.

    I use GA to provide TFA on SSH connections into my home LAN from the dirty internets. I've allowed for a pad of a strong mix of characters, unlimited really but currently using 10 characters.

    Fairly simple to script up and combined with enforced key authentication and some adaptive firewall rules, has kept out a hell of a lot of attempts. It's attracted a few Hail Mary Clouds the most recent of which lasted 24 hours and saw over 400 unique IPs from 50+ countries added to the block table. This is my home VM broadband connection!

    TFA is a good extra authentication step, but I wouldn't entirely entrust it to any given entity ie Google, hence the custom pad.

  8. Anonymous Coward
    Anonymous Coward

    What are the privacy implications?

    Assuming that I share the same token (the "something you have" bit) across sites, can the accounts be linked in the same way as if I were to re-use a signing-up email address, for example?

    1. Cliff

      Re: What are the privacy implications?

      No, the FIDO U2F standard specifically prevents being used as some kind of supercookie.
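The reason a U2F token cannot be used as a supercookie is that it issues a fresh key pair and an opaque key handle for every registration, and the handle is bound to the relying party's application ID: the token only unwraps it when the same origin presents it. The block below is an illustrative added example of that construction, written for this page; it is not the U2F specification's mandated scheme nor any vendor's firmware. Real tokens return a P-256 public key and an ECDSA signature; here both are stood in by hashes and HMACs so the example runs on the standard library alone. The device secret and the origins are constructed for the demo.

```python
"""Origin-bound U2F-style key handles (illustrative, added example)."""
import hashlib
import hmac
import os


class Authenticator:
    """One device secret; a distinct key and handle per (origin, registration)."""

    NONCE_LEN = 32

    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # never leaves the token

    def _derive_private(self, app_id: str, nonce: bytes) -> bytes:
        # Per-registration key, bound to the origin by mixing app_id in.
        return hmac.new(self._secret, b"key|" + app_id.encode() + b"|" + nonce,
                        hashlib.sha256).digest()

    def _handle_mac(self, app_id: str, nonce: bytes) -> bytes:
        # Tag that lets the token recognise its own handle for this origin only.
        return hmac.new(self._secret, b"handle|" + app_id.encode() + b"|" + nonce,
                        hashlib.sha256).digest()

    @staticmethod
    def _public(private: bytes) -> bytes:
        # Stand-in for EC scalar multiplication; a real token returns a P-256 point.
        return hashlib.sha256(b"pub|" + private).digest()

    def register(self, app_id: str, nonce: bytes = None):
        """Returns (key_handle, public_key) for the relying party to store."""
        nonce = nonce if nonce is not None else os.urandom(self.NONCE_LEN)
        handle = nonce + self._handle_mac(app_id, nonce)
        return handle, self._public(self._derive_private(app_id, nonce))

    def authenticate(self, app_id: str, handle: bytes, challenge: bytes):
        """Returns a signature stand-in, or None if the handle is not ours or
        was issued for a different origin."""
        nonce, tag = handle[:self.NONCE_LEN], handle[self.NONCE_LEN:]
        if not hmac.compare_digest(tag, self._handle_mac(app_id, nonce)):
            return None
        private = self._derive_private(app_id, nonce)
        # Stand-in for ECDSA over the challenge with the per-registration key.
        return hmac.new(private, challenge, hashlib.sha256).digest()


def demo():
    """Register one token at two constructed origins and compare what each stores."""
    token = Authenticator(b"constructed-device-secret-for-demo")
    site_a, site_b = "https://bank-a.example", "https://shop-b.example"
    # Same nonce at both sites on purpose: the keys still differ, because the
    # origin is part of the derivation, so nothing stored is shared across sites.
    nonce = b"\x11" * Authenticator.NONCE_LEN
    handle_a, pub_a = token.register(site_a, nonce)
    handle_b, pub_b = token.register(site_b, nonce)
    return {
        "public_keys_differ": pub_a != pub_b,
        "handles_differ": handle_a != handle_b,
        "a_handle_rejected_at_b": token.authenticate(site_b, handle_a, b"chal") is None,
        "a_handle_accepted_at_a": token.authenticate(site_a, handle_a, b"chal") is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two relying parties that pool their databases see unrelated public keys and unrelated handles, and neither can present the other's handle to the token, so the token gives them nothing to join on.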
