FIDO2 hardware authentication
This is very interesting! I had read the article linked below not long before this one.
At 2004's RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords. But the possibility that internet users may be able to …
exactly - insecure phone with 4 digit pin and other "insecure security" involved
As for using a face: if I grow a beard or change hair style, will it affect my ability to log in? And, do I _REALLY_ want _MY_ _FACE_ being stored "all over teh intarwebs" ? No. Just no. Who knows how _THAT_ could be abused!
And this 'central central login' scheme sounds *SUSPICIOUSLY* like 'Passport', which was Micro-shaft's 'start of darkness' back in the early noughties [ok some would disagree that THIS was the 'start of darkness', that it started long before, but at least their products *PRIOR* to this point made engineering sense, mostly].
Keep in mind that Passport was "One login to rule them all", and integrated closely with the whole ".Net" thing, which I un-lovingly refer to as ".Not".
In any case, having some "pay to play" method of centralizing logins is a *BAD* idea. Google, Amazon, Microsoft, and even Apple would *GLADLY* provide "that service", for a fee of course. (or, by marketing YOU, like Fa[e]cebook - it's bad enough you see the 'login via' icons too often]
And keep THIS in mind: Do you REALLY want a "central central login" database to *TRACK* *YOU* *EVERYWHERE*??? Because THAT is what it would all be about, ya know!
Icon because we don't need a 'central central login' system that TRACKS US EVERYWHERE. And yes, the 'central central' thing is a reference to a book I read as a kid [and decades later, read to a kid] involving a teenage girl, her father, her little brother, and a giant mind-controlling brain named "It". And a bunch of other characters, yeah.
/me defeats tracking system by having 50+ different gmail addresses, one for each thing I log into. yeah, THAT'll help!
"Looking ahead, you'll get to worry about losing your physical hardware key rather than losing the secrecy protecting your passwords through a poorly secured server."
You'll also have to worry about the H/W key failing. You'll have to hope that the next computer, phone or whatever still has the slot that your key requires. It's not as if manufacturers would ever decide to eliminate connectors is it? And what happens when you're sitting on the end of a KVM switch with only a keyboard and mouse?
Currently if ThePowersThatBe want to get into your phone/computer & it's locked with a password, they can't force you to give up that password without a warrant. If that device is instead locked with merely a hardware keyfob then kiss your privacy goodbye. TPTB can't force you to divuldge something you know without a warrant, but "something you have" can be confiscated & used against you before you can scream for a lawyer. Putting the cat back in the bag afterwards is pointless, which is why you protect that password with your dying breath.
and relying on phone security isn't a good idea anyway. In a civilized non-dictatorship, there needs to be some kind of 'due process' before cracking your phone's encryption, which means you have to at least be a suspect for some OTHER relevant crime to warrant a phone search, and a judge needs to approve of it [at the very least]. In the USA, evidence collected without a warrant can be dismissed from a trial, and the entire trial dismissed if "that evidence" was the only reason for the trial/indictment/charges/whatever.
That being said, it's probably a good idea to NOT do things on a smart phone that might incriminate you...
(not like you can't have multiple intarweb identities, right?)
icon because being just a *little* paranoid is probably a good idea these days...
maybe the really hard part of a long password with a phone is using its virtual keyboard... regardless of how easy it is to remember.
an encrypted password locker (like keepass), one that has some LOCAL method of authenticating you without virtual-typing an irritatingly long password, might do the trick. But _ABSOLUTELY_ _NO_ on the idea of a 'central central logon' system. NO.
I have to agree. I regularly use 35-40 character passphrases on my laptops, but entering one of those on a stupid touchscreen is an exercise in frustration. It would have been fine with one of my physical-QWERTY phones, but those are getting harder and harder to find, and my last two phone purchases were emergency replacements after my previous phone died. (These things are such rubbish. My Nokia Symbian slider phone worked fine for several years, and is still usable in a pinch.)
You need both, that's why it is called TWO factor. All is takes is the use of your password on a less well maintained system (a cybercafe or a hotel guest system) and you're hosed, 2FA stops that.
Adding biometrics adds a third (something you know, something you have and something you are), but you should take into consideration the risks it creates (depends on what it's for of course). Needing a body part as well means that an assailant will have to take that to the place of authentication - if you're unlucky, they will do so without the rest attached..
Especially TOTP is so simple, cheap and ubiquitous that it's almost criminal not to implement it, and as long as the authentication triplet (UID, PWD and TOTP) is blocked from re-use for the duration of the TOTP cycle time there's no risk of re-use either (we've had that discussion before). In some cases that mandates HOTP (challenge-response), but that adds usability issues.
TOTP is IMHO a good balance between usability and security.
> Adding biometrics adds a third (something you know, something you have and something you are),
No. As you point out later, body parts are still just something you have. An assailant can take possession of your eye, or your finger as they see fit - whether they remain attached or not.
It's a second 2nd factor, nothing more.
I prefer the convenience of U2F to TOTP, but either is acceptable. What isn't OK (IMO) though is what's proposed - moving back to a single factor. Particularly when that single factor can be stolen (giving access).
Passwords work just fine if you do them right which isn't that hard, though god knows there's been plenty of stupid ideas on this.
I use "Romaji" versions of anime/manga titles, and since there are certain Hiragana characters that look similar to punctuation characters, I can mix them in too. Then do the typical letter/number swap and mixed case. Oh, and if the word is too long, I'll abbreviate some.
Yeah, no. Despite their (many) problems, passwords are going nowhere anytime soon. Facial or voice recognition are too unreliable, fingerprint readers are far too easy to fool and the methods for doing so far too widely known thanks to the Mythbusters, TFA is too inconvenient, and any other biometric authentication requires hardware that isn't yet widespread enough.
Unfortunately we don't have much chance of getting something better than passwords for a while.
I spoke to someone just this week who creates a gibberish password with the maximum number of characters for specific websites. He doesn't remember it at all and doesn't plan to. He just uses the forgotten password option each time. He does remember the quite long password for his email however.
DNA called it. Coming down from the trees was such a stupid idea...
It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.
Mostly Harmless, Douglas Adams
as a relatively non-techie, I can be confident that there is no way that at any stage in the future the door lock is able to copy my key. No "footprint" is left.
I'm not able to be sure that in some way a little while after widespread use of such a system, a compromised terminal wouldn't be able to use some currently unforeseen attack vector to do some kind of replay/brute force attack when I authenticate for some service in a public place. After all, how can I know that it's not storing some part of the electronic signal? I recall the rather iffy practice of petrol stations swiping cards through two readers many years ago until challenged.
M7S - 'as a relatively non-techie, I can be confident that there is no way that at any stage in the future the door lock is able to copy my key. No "footprint" is left'
Why would you be confident of that? How about a lock that accepts a Yale-type key and, instead of having pins split at different places to match up with the barrel, it electronically measures the key and the embedded processor compares that to the authorised key's measurements. From the outside, it could look identical to a Yale-type lock. This would be marketed to property-owners who need to change their locks frequently, e.g. for student accommodation: "Don't change the locks, issue a new key and update the lock electronically!"
Then, criminals get hold of these adaptable locks. One night, you come home and find your key doesn't work. When you leave to find a locksmith, the criminal approaches, removes the fake front door with adaptable lock that was covering your real front door and uses the duplicate key cut from the measurements taken by the adaptable lock and transmitted wirelessly to his key-cutter.
"From the outside, it could look identical to a Yale-type lock"
Except for the need for an electrical supply. Even if it has no wires and no batteries the solar panel might be a clue.
The real problem with what's commonly meant by "Yale-type" locks* is a lock that takes a key on the outside and has a simple knob on the inside. It holds the door closed but if there's a glass panel near the lock, either in the door or beside it don't regard the door as locked. Just because a door looks locked it doesn't mean it is.
In the present context consider the screen saver. If the login requires 2FA because password isn't enough have you remembered to require 2FA to unlock the screen-saver? And have you then required the H/W device to be removed after login to prevent it being left in place when the screen-saver is in operation?
* Yale also make multi-lever deadlocks.
a bit hard for actual keys, because you know what your own door looks like [and if you can swap out the lock, you had access already, duh].
However... this has been happening with ATM machines for a while. Criminal temporarily installs a device over the slot where the card goes. Victim inserts card, it's rejected. "Helpful" tech comes along, give you B.S. story how 'he can fix it', then he holds some button down and the card goes in ok. THEN he asks for your PIN NUMBER and TYPES IT IN FOR YOU. [that's only one such scam, others also exist]. The illegal front panel cover thingy just copied your card info. With the pin the 'Helpful' tech aka criminal can make a duplicate card and then access your bank account "whenever". oops.
But on your front door? A bit of a stretch, I think. I'd rather pick it with standard locksmith tools. I can easily pick cheap locks with a screwdriver and a paper clip. Someone who's more skilled than me could have your door open in a minute or two. Who needs a key? OK deadbolts are a bit more difficult but not impossible. They slow down the criminals, but don't stop them. Still, a deterrent is often enough. So yeah, I use deadbolt locks, too.
thinking of lock picking... a funny story, at a used-to-company the devices I needed to test with were kept in a locker with a cheap lock. The lady in charge of testing usually kept the keys in a plastic bowl on her desk, so people could get to them. But one day she was out and had the keys with her. I needed to get a device to test with, and waiting around is boring and unproductive, so I simply picked the lock and opened it. The hardware engineering manager watched me do it, and was kinda shocked, not only that I did it, but that the lock was so easily picked. I made sure to lock it when I shut it again, too (like that would actually help). heh. It was such a cheap lock, the 'put a little pressure on the lock with a screwdriver and stroke the pins with an unbent paper clip' method got me access in about 10 seconds.
(and all of the locks on every locker and every cube desk were of the SAME design)
I can be confident that there is no way that at any stage in the future the door lock is able to copy my key.
Your door lock can't copy your key, but if you take your key out of your pocket in public? That news item is just over 10 years old.
I seem to remember this being gone over some time ago by Rear Admiral Hopper (originator of COBOL).
If I recall correctly (questionable), she favoured three factor authentication - there should be
* Something you had (key, dongle, nowadays a phone perhaps)
* Something you knew (password, passphrase, some other challenge/response system)
* Something you were (i.e. a physical characteristic, like fingerprint, retina scan, or similar)
Does anyone else remember this or is it a figment of my imagination?
Trouble is, ANY of them can be defeated by a determined adversary (and worse, the level of determination required, a la the siege problem, continuously gets lower). Basically, ANY of the three can be copied (even something you are, using photography or whatever's at hand, even 3D vein diagrams are being convincingly faked).
"Trouble is, ANY of them can be defeated by a determined adversary"
Exactly! It is all just data (once it is digitised). A finger-print scanner sends a digitised finger print, a retinal scanner another digital image. By the time they're standardised, you won't need the scanners, you'll just carry your finger print around with you as a long string of numbers. Because that's all the dog on the other side of the internet is ever going to see to let you in to the chamber of secrets.
And you know that every tin-pot site is going to store your email address next to your fingerprint next to your retina scan next to your dongle id next to your salted password next to the salt... poof, and it's gone...
It all sucks. There is no solution. Just make it awkward - password and dongle with authenticator combo do that without having to get a new finger every time someone has a data breach.
Duress options! We should be able to unlock and use our widget with one finger/eye/PIN or combination of these. Another one - just alike but a different finger/eye etc - would provide a duress option, or several. If being mugged, the duress method unlocks the phone and calls for help, while perhaps experiencing "network problems". If enduring an illegal search at the border or stopped by a nosy cop, Duress One unlocks MOST of the phone but leaves certain other hidden elements encrypted or locked out. These let your attacker believe you're cooperating to avoid nasty consequences. Duress Two could be used to trigger a reset or brick the device. That's when you're already in bad trouble and trying to cover your butt.
The debate is stupidly limited to how to unlock a device, or keep it encrypted. We need other options than Submit or Refuse when faced with cops or criminal attackers.
This is also simple way to reduce ATM muggings as well. One PIN to access the account, plus a duress PIN to fake a transaction, call the police, and maybe even dispense marked bills. Strange that so many industry "experts" can't seem to think of this.
Strange that so many industry "experts" can't seem to think of this.
I suspect a lot do (my old and relatively simple house alarm system has a duress code that sets off the alarm), but in most cases management veto the idea on grounds of cost or belief the users won't understand it/will trigger it by mistake. As most people aren't mugged at ATMs, there are going to be far more cases when someone confuses their PINs and gets locked out without money or card, rather than being saved from losing money in a mugging, and they are going to whinge loudly and long about it.
They do. They just don't see the point. If the adversary knows a system has a duress code, they can find ways to test it out such as by sending someone else to try it out (possibly a second hostage). That's why the TrueCrypt/VeraCrypt hidden partition concept isn't effective against a determined adversary: they'll simply demand you enter the OTHER password. Seen this way, a duress code may actually make the situation MORE dangerous for someone who doesn't use a duress code because the adversary will assume you do and that you're lying, raising the threat level.
Biting the hand that feeds IT © 1998–2019