Microsoft: 2021 Is the Year Passwords Die (neowin.net)
Usama Jawad writes via Neowin: Microsoft has been a proponent of passwordless technology for quite some time, saying that it wants traditional and unsafe passwords to die. To that end, it has invested in various solutions over the past few years such as Windows Hello, Microsoft Authenticator, FIDO2 security keys, and a palm vein authentication system, among other things. Now, the company has highlighted the strides it made to kill off passwords in 2020, and has stated that it plans to make them a thing of the past for all its customers in 2021.
Microsoft noted that almost 80% of all cyberattacks target passwords, and one in 250 corporate accounts get compromised each month due to this. That said, the company is making an effort to transition people to passwordless solutions. In November 2019, 100 million people were using Microsoft's passwordless sign-in. This number grew to 150 million by May 2020, which goes to show how millions of people are ready to ditch passwords due to the inconvenience of remembering them, coupled with how insecure they can be. [...] 2021 is the year in which Microsoft plans to make passwords obsolete for all its customers. It is currently developing new APIs and a UX for managing FIDO2 security keys, and is also aiming to deliver a "converged registration portal," where customers can manage their passwordless credentials. While it hopes that 2021 marks a return to the "old normal," the company has emphasized that going passwordless will make online lives significantly easier.
Who’s going to kill them? (Score:5, Informative)
....because many have been trying for years now.
Re: (Score:2)
....because many have been trying for years now.
Microsoft is going to kill them for whatever things people use Microsoft stuff for.
Re:Who’s going to kill them? (Score:5, Interesting)
....because many have been trying for years now.
Microsoft is going to kill them for whatever things people use Microsoft stuff for.
...and all it's going to take is buying into the Microsoft Azure E5 Office 360 E3 Cloud Directory E1 Endpoint E5 Manager E9 Identity Hello E2 (for business). Depending on all the various combinations that are intentionally confusing, it'll only cost you $24.95 per user per month and include Exchange and Office, but also $6 per device per month to cover any computer or device you use, but it'll include a subscription to Windows Enterprise. You'll also be charged a per-hour Azure compute fee that you can pay-as-you-go (or pre-pay for your expected usage in bulk). Cancelling anything you don't really need to reduce the price actually means the bizarre bundling falls apart and the price goes up. One day you'll wake up and realize you forgot to pay your Microsoft Life and Everything bill, your power is off, no computerized device will work, and you can't vote. You will eventually end up in jail, unable to get out because you don't have your Microsoft Passport bill paid and you have no Microsoft Points.
Re: Who’s going to kill them? (Score:2)
Just YESTERDAY slashdot ran an article of shit tons of money being stolen out of accounts, even though 2FA was set up on those accounts. Hackers had gained access to their devices and in some cases were intercepting their SMS messages.
Re: Who’s going to kill them? (Score:3)
2FA that isn't actually 2 factors, but 3 times the same 1 factor, is *never secure*.
And it is how all "2FA" I have ever seen for consumers is implemented.
Re: (Score:2)
So you've got a mouse, keyboard, no camera, no biometric devices. Just how does Microsoft think it will make progress then?
Re:Who’s going to kill them? (Score:5, Funny)
Microsoft's marketing droids are going to hunt down and kill the passwords. If Microsoft's marketing droids can't kill the passwords then they will kill the password users. If Microsoft's marketing droids can't kill all the passwords or kill all the password users then they will kill themselves. Any further questions?
Re:Who’s going to kill them? (Score:5, Funny)
Do you know why they want to kill passwords in reality, the truth behind the lies. Keep in mind the anal retentive privacy invasive control freaks tiny limpers are, passwords are anonymisers. Username password could be anyone, eliminate them and no one ever has private access to the internet, TOTAL POWER, TOTAL CONTROL, run through the tiny limpers mind, as they contemplate their own fetid turd, that is windows anal probe 10.
No more anonymous access for you worthless poor filth who must be controlled.
Re: (Score:3)
Do you know why they want to kill passwords in reality, the truth behind the lies. Keep in mind the anal retentive privacy invasive control freaks tiny limpers are, passwords are anonymisers. Username password could be anyone, eliminate them and no one ever has private access to the internet, TOTAL POWER, TOTAL CONTROL, run through the tiny limpers mind, as they contemplate their own fetid turd, that is windows anal probe 10.
No more anonymous access for you worthless poor filth who must be controlled.
Er, except FIDO2 security keys are not personally identifiable and can be trivially swapped or a new key generated in one of their slots.
Not to derail a good rant or anything...
Re:Who’s going to kill them? (Score:4, Insightful)
Re: (Score:3)
And they want to know what those passwords are, you know, in case you lose them or use a different service or something.
Re:Who’s going to kill them? (Score:4, Insightful)
I can generate secure passwords with three clicks.
rVJQnd$#y6F3Z*m@n!C^GLfKxs
yQiHJxA$$&ChokE9wA^%wgDJTe
empfh5zBcCFK^EuPG9&f3%#BR6
I have much more faith in a password that only I know than my thumbprint or face recognition. Especially since I work in the repair industry where an accident can blow my fingers off or disfigure me, an industry I'm sure no MS bigwig has set foot in in his life. The most serious injury they would suffer on the job is a paper cut.
*yawn* (Score:5, Informative)
Everything ultimately is a password. Security keys are themselves passwords, your biometric authenticators amount to a stored digital fingerprint which is a password (whether it is a fingerprint of a literal fingerprint or a vein, retina, etc) and while stored in a potentially difficult to crack way, once cracked they can't easily be changed... and if you make the storage one-off and unique... that has a key, which is a password.
Re:*yawn* (Score:5, Insightful)
While *technically* true, there is a huge difference between 'human, enter a password of your choosing' and having humans enter 12345678 or hunter2 which is easy to guess and probably the same password they use everywhere, versus '256 bits of random data generated by the service that is unique to the service and shared between service and user' in the suboptimal case of TOTP style passwords, and in the better case a bunch of random bits comprising a private key that never leaves the device and only the public key matters.
That specific device using a PIN or biometrics is intended to protect against a casual attack/buy time for the legitimate user to recognize the problem and invalidate the importance of that device if possible.
Overwhelmingly the attacks come from remote channels without possessing anything physical of the person they are trying to impersonate, channels over which the PIN or biometrics won't be processed.
In short, this is moving security away from 'something you know' and more towards 'something you have'.
Re:*yawn* (Score:5, Insightful)
While *technically* true, there is a huge difference between 'human, enter a password of your choosing' and having humans enter 12345678 or hunter2 which is easy to guess and probably the same password they use everywhere...
While I agree with everything you've said, I think MS's emphasis on passwords is misplaced and making everything key based would just shift the problem. Most hacks these days do target passwords, but only in simple password guessing and using passwords that were stolen from insecure systems. If they move towards a private key, I think it'd just be a matter of time before the hacks focus on stealing private keys. Not only that, but it's another method in which large companies try to shift more responsibility on the user. With a private key system, they can just say "Well, if you got hacked, it's unlikely they guessed the password. So *you* must have done something wrong." Not to mention the trouble you'd go through for "forgetting your password", i.e. losing your private key. Or using your "password" on multiple devices, i.e. keeping you private key on multiple devices. Not to mention, I feel like this is another way for large companies to put the responsibility of their product on you. "Oh, your account was compromised? Well, we use asymmetrical keys for authentication so it can't be us. It must be you. We're certainly not responsible for it."
The problem with biometrics is, once that info is leaked (because, let's face it, it still comes down to bits) you can't change it (or, if it's just reading a finger, you only get 9 resets). And that's assuming biometric readings are unique enough (or at all; fingerprints being completely unique is actually a myth) that 2 people won't accidentally log into each other's account. And that's even on top of Mythbusters having once gotten by a fingerprint scanner that supposedly checks for other things like body heat, pulse rate and galvanic skin response.
Personally, I'm all for better security. But a lot of these just sound like fads that a large company is trying to push instead of proving that it's somehow better. Correct me if I'm wrong, but I could have sworn that, like 5 years ago, MS was trying to make everything 2FA and OAuth. Saying that passwords were insecure and everyone should 2FA by phone, touting the unlikelihood of being hacked via 2FA. And now everyone is saying how 2FA can be easily compromised and hacked and it's insecure (which I don't really agree with, but I'm just pointing out the shifting nature of authentication technology). Personally, I feel that if they really wanted to improve security, no MS systems would impose a password character limit nor would they restrict what characters to use, but I'm pretty sure I've run across that on a few MS systems. Because, personally, I'm all for copying and pasting a page and a half of text from a random book I choose as a password. Or using unicode instead of ascii (yes, I've used non-english characters for passwords before. It's had limited success. Some systems handle it better than others, if at all.). But I suppose neither of those makes MS money nor does it give them control over auth for your system.
Re:*yawn* (Score:4, Funny)
Most hacks these days do target passwords, but only in simple password guessing and using passwords that were stolen from insecure systems. If they move towards a private key, I think it'd just be a matter of time before the hacks focus on stealing private keys.
I think you're missing the point. We've spent 30 years trying to teach people the importance of passwords and not only do we still have "password" and "123456" as the two most common passwords on the planet, we also still have login systems that insist on stupid password policies that force people to mishandle passwords. The point is not that passwords are cracked because they are popular. The point is passwords are cracked because we suck at them.
You are absolutely right that the hacks in the future will focus on private keys. And if people stop using passwords statistics will show that the shift moves towards keys instead. However I have little doubt given how stupidly people handle security that this forced move would also see the number of successful attacks drop dramatically.
Sidenote from 3 weeks ago: We were trying to commission a boiler high level safety interlock at a refinery. The control systems person had left the site already due to working too long but he allowed me and a contractor to stay to try and finish up. As we were discussing documentation the system logged out. *sh#t*, didn't know the password. I asked the guy from Schneider Electric to try his vendor defaults, and... nothing, they were smarter than that. Then I tried one more password which also failed.
Oh but then the Windows password hint came up. The password hint was: "The password is: contro!" Yep. Highly secure that is. If you don't know the password simply type it in 3 times incorrectly and it tells you what it is.
People are too dumb to use passwords.
Re: (Score:3)
In short, this is moving security away from 'something you know' and more towards 'something you have'.
That'll be great when I lose it or if it falls in the toilet. No more password reset emails for me!
Re: (Score:3)
The problem with "something I have" is when I lose the "something". I don't want my entire life attached to a physical object. For cars, houses, etc, if you lose your keys, it's a hassle and maybe some $$$ but soon you get it back.
With computers either:
1) If you lose your key you are permanently screwed
or
2) It doesn't *really* require the key because there exists some mechanism to create a new key or bypass that key - so it's not really hardware security anyway.
If the physical key is only used for specific
Re: (Score:2)
2) It doesn't *really* require the key because there exists some mechanism to create a new key or bypass that key - so it's not really hardware security anyway.
Don't be an idiot. You're basically saying that you think bank vaults are "not really hardware security" because "[there] exists some mechanism to create a new key."
Did you get confused and think the word "safe" makes the safes safe? Why would you not want a company you do business with to be able to make changes to your account when needed? There is no way in which the limitations you mention prevent removing passwords from achieving the security goals of removing passwords. If it doesn't solve world peace
Re: *yawn* (Score:2)
Weird. MS has much *worse* security than I do where I need it.
And I don't even mean the SolarWinds hack.
Call me when you input the "something you know" *on* the "something you have", and all data transfers pass through it, where it uses the now decrypted part of the xor pad for the target device to send it the message it was asked to by the PC and verified by me on its display and with its keyboard.
(If the pad is empty, I can fill it back up via physical plugging in to the target device. After making sure it
Re:*yawn* (Score:4, Interesting)
Everything ultimately is a password. Security keys are themselves passwords
The problem is not that passwords are inherently bad, but that normal humans are bad at selecting them and managing them.
It doesn't matter that a machine-generated security key is "ultimately a password" because it isn't being selected and managed by a human who can't figure out how to change the font in Excel.
It is good to see Microsoft taking the lead here. I may be presumptuous, but I suspect Microsoft's customers are among the worst at password management.
Re: (Score:2)
1. There is no guarantee they are taking any lead, they are just implying they are taking some sort of lead in a statement. Let there be a white paper first, establish the security of the "post-password era", and even then widespread adoption might be a pipe dream. Notably, credible action after an inevitable eventual compromise has been missing from many attempts to replace passwords.
2. And even if they do end up taking a lead, their intentions might be far from security related. With passwords, I can pres
Re: (Score:2)
You're a few decades late if you didn't read the white papers on key based authentication and authorization yet.
Re: *yawn* (Score:3)
Are you saying 2002 was the year when passwords died? The premise here is based on 2021, which has not come yet so it is not clear what you mean by few years later.
If someone is planning to "take lead" in killing passwords, clearly they need to publish new white papers, or address issues with existing solutions some of which I pointed out in my post.
Re: *yawn* (Score:2)
Sorry, typed "later" instead of "late" due to auto-correct. And typed "years" instead of "decades" by simple mistake.
Re: (Score:2)
The problem is not that passwords are inherently bad, but that normal humans are bad at selecting them and managing them.
That is completely irrelevant to the problem, Microsoft has no interest in being your nanny. As much as you'd like that.
The reason they want to get rid of passwords is to reduce the fallout from their business customers getting hacked, cracked, phished, or simply fumbling their data.
Re: *yawn* (Score:2)
Lol. Microsoft literally has wet dreams of being as much your condescending nanny as Apple.
But they still believe you can overtake a car in a race, by always driving in the direction it is, relative to you.
Re: *yawn* (Score:2)
That is why every OS that is not a complete joke has a password "wallet" tool, and you can store the encrypted data for that on a machine that all your devices can reach. A machine that is yours too. Like a home server (with a VPN and dynamic dns or a static IP, for your phone).
Re: *yawn* (Score:2)
You have a good point, it's an interesting counter argument.
Re: *yawn* (Score:2)
And how many security keys will you need? Having one for everything is a horrible risk, that's why you shall have different passwords for different sites and not reuse passwords.
The 'big brother is watching you' will be easier too because if you have a single key then that can be used to track you.
Oh gosh, my employer will mandate a butt scan (Score:3)
The password plus entering a generated random code 2-factor authentication will no longer be enough.
The University will require a strong password, the random 2nd factor code, and that I drop my pants, face away from the camera of my "device" and bend forward?
Re:Oh gosh, my employer will mandate a butt scan (Score:5, Funny)
Hackers break in and wipe the authentication data.
Re: (Score:2)
That's just so that you can insert the anal probe that will verify your rectal microflora to biometrically ID you.
Re: (Score:3)
One bad case of diarrhea and you can be locked out, possibly forever.
You will be literally sh%t out of luck!
Re: Oh gosh, my employer will mandate a butt scan (Score:2)
Or just eating some odd organic food.
Re: (Score:2)
hurr durr, hurr durr, hurr durr!
Re: Oh gosh, my employer will mandate a butt scan (Score:2)
What a world you live in, where something actually being natural is "weird" to you...
Do you only eat blue, foamy, white powder based things over there?
Re: (Score:2)
Make sure they first have the scan on file [gotfuturama.com]. Otherwise without some sort of identification, you might lose account access!
So if I kick your ass, can you log in? (Score:2)
Better: you created the account afterwards with the bruises.
Now you have to get your ass kicked every week so you can login.
Sounds great! (Score:4, Interesting)
Re: (Score:2)
Now, now, let's not be mean. I think a compromise would work -- passwords, plus some sort of out-of-band backchannel verification to a physical device that the person frequently keeps with them. Perhaps something with a network-based mechanism that could deliver a second, I don't know, "factor" of authentication. If Microsoft were to produce the software for such a device, Microsoft could also make money on those devices. I highly doubt it would be generally rejected by the market after a few years.
FIDO2 *reduces* that tendency (Score:3)
FIDO2 *reduces*, not increases, that problem.
It makes it easy/default to use authentication where the service doesn't store a secret at all. Like public key cryptography.
FIDO2 is kinda a framework, it's flexible so you can do different things with it, so you probably COULD use passwords with it (and improperly store those passwords in some centralized location), but it would take extra work to do it wrong.
so kind (Score:3)
isn't it nice of Microsoft to store all the passwords in a nice big honey pot.
Re: (Score:2)
The only question is whether they would get hacked or crash and lose the backups first.
Re: so kind (Score:2)
Law enforcement wants a back door, so hacked is going to happen first.
OpenID? (Score:5, Interesting)
Whatever happened to OpenID?
Re:OpenID? (Score:5, Informative)
It turns out people/websites picked Google and Facebook for their OpenID federated logins, and there's almost never a Microsoft login option on sites. Therefore Microsoft needs to kill OpenID and come up with something else that's forced on users of Microsoft products.
OpenId and FIDO2 work well together (Score:5, Informative)
Microsoft is backing FIDO2, which works well with OpenID.
Damn, Covid got the passwords too? (Score:2)
Bummer.
Is that the same Microsoft (Score:4, Insightful)
That was infiltrated through Solar Winds Orion, where MS credentials were then used to install malware, bypass 2 factor authentication on Active Directory, and generally spy on mail hosted on Microsoft servers?
Or is that another Microsoft, that we can actually trust?
Re: Is that the same Microsoft (Score:4, Informative)
That was infiltrated through Solar Winds Orion, where MS credentials were then used to install malware, bypass 2 factor authentication on Active Directory, and generally spy on mail hosted on Microsoft servers?
Or is that another Microsoft, that we can actually trust?
Solar Winds was infiltrated, on what planet is that then a uniquely Windows problem? Your network is compromised.
At that point, there's very strong odds your network devices get infiltrated, the hackers get a map of the entire network that Orion was monitoring, configurations of all your switches and firewall rules, and some network engineer login creds that are good for god knows what, probably a bunch of sysadmin creds as they come in for IPAM, and the rest is history. At the very minimum, some AMAZING social engineering attacks could be launched from all the credentials harvested from Solar Winds logins.
There is absolutely nothing good about this story on the Unix credentials, OpenLDAP, postfix mail hosted on Linux servers front. Nothing.
I'm sorry, what are you even thinking, this is a tool that Linux network and system administrators use along with everyone else. Their credentials will be stolen, and a map of the entire network on the other side of us-jumpymcjumpface-mfa1 will be had, period.
Re: (Score:3)
Yes that is the same completely irrelevant 3rd party to Solar Winds who had zero to do with the infiltration of the company and its systems.
Solution - Windows Update (Score:2)
Re: (Score:3)
You mean then I have to lock their crap into a VM to secure it? Oh, wait, I am already doing that. Except for my gaming machine that never, ever sees anything else besides games.
Re: (Score:2)
How are they going to disable password fields on websites, via browsers they don't control?
Heard this before (Score:5, Informative)
Re:Heard this before (Score:5, Interesting)
Yeah and it's technically less secure overall because it adds a valid way to bypass the password. Well, it would be less secure if it worked. About 50% of the time on my wife's Win10 laptop the PIN stops working for no reason whatsoever and we have to use the password anyway.
I wonder if MS plans to have people call them when they are locked out in a password-free world. Given that many big hacks are done by social engineering, relying on calls like that would likely make such hacking easier.
Re:Heard this before (Score:5, Informative)
I entered the wrong "pin" (actually a password since I checked the option to let you use non-numbers) into my W10 laptop a few times and then it had me enter some 4 or 6 digit hex-looking code, before it let me try again. (Something like, "You entered the wrong PIN too many times, please enter 4B0CAF and then try your PIN again.") From that day on, about half the time I'd boot up the laptop, it would prompt me to enter that same hex code, before I even had an opportunity to put in my actual PIN. Not only that, but all the colors on the screen would be weird whenever this message appeared, almost like the display was in 8 or 16-bit color mode. This went on for a month or two, then it stopped, presumably fixed by some kind of Windows update. Hard to tell when they just update whatever, whenever, and may or may not let you know.
Also after upgrading to W10 this year, I find out its USB MIDI device drivers have been broken since release. It took them years to get it working... assuming you have a USB 2 port. My laptop only has USB 3. Ended up having to shell out for a USB 2.0 hub - thankfully they're still available - and now my class-compliant device works as intended. "Where do you want to go today?" To the Microsoft support forums, to read through years of unaddressed bug reports? How about to your wallet, because now you have to pay for a hardware workaround?
Re:Heard this before (Score:5, Informative)
The PIN code thing was horribly under-explained, but that code would only be accepted from local keyboard *and* if the TPM and TPM state checked out. It was relaxing the needed complexity, but as a carrot to pull users into basing security more on physical possession more than just a password.
Of course those restrictions and requiring a traditionally 'hard' password would technically be even safer than the PIN+TPM+local entry restrictions, but it's more trying to make the human behavior change.
I don't know if they will hit upon a reasonable implementation, but providing multiple public keys to services (so I have backup devices) rather than 'set a password' would be a great improvement in the status quo, with recovery from lost/broken devices being a sufficiently well-throttled mechanism such that attackers can't really use it.
Re:Heard this before (Score:4, Interesting)
This is one of the problems with security - users need to understand them at some level in order to be able to use them.
The pin must be entered on a local keyboard? OK - if that is *really* true. Does it bypass all drivers etc? In that case what is a "keyboard"? If I have a usb dongle keyboard, that must work. So I assume there is some firmware USB driver (no OS) that reads the keyboard from USB? How secure is the bluetooth / USB link - can someone snoop on my PIN?
If I have multiple computers on a network sharing files, how does the pin work to get access to files on a different computer?
I guess this assumes you always use the computer locally, not through some remote login? Or if not, is there also a password, in which case that remains a weak link.
Maybe all this is taken care of, but without spending a ton of time, how do I know.
Re: (Score:3, Insightful)
Windows "PIN"s can be alphanumeric. So really they're just... less secure passwords. It's rather incredibly dumb.
No (Score:5, Insightful)
But maybe 2021 should be the year MS dies. Would be better for everyone. Probably not going to happen either.
Re: (Score:3)
MS has had their own Linux distribution for their cloud for a while.
What a mess (Score:5, Insightful)
All I read from this is that 2021 is the year that Microsoft is going to royally screw up Windows again for everyone.
Re: (Score:2)
All I read from this is that 2021 is the year that Microsoft is going to royally screw up Windows again for everyone.
Well, they have got a reputation to maintain! I think we truly have entered the age of "crappy computing".
Tech Support: I lost my Yubi Key (Score:2)
Well, actually, I left it in my pocket and washed then dried it.
Tech: "It might work, did you try it?"
Ah, no, I thought it was busted so I threw it in the trash.
Tech: "Well, we have your pass phrase as a backup alternative"
Minutes later...
Ok I remember it was "battery horse staple!"
Tech: "Well, that explains why we had to re-image your machine last week"
Coming soon... insert appendage for security (Score:2)
Re: (Score:2)
Hmm. Women are getting the inverted version of this scan then?
Privacy focused system doesn't need password (Score:2)
Re: (Score:2)
Nope. It is a risk management problem. Everything else comes later.
No more accounts. They want your identity. (Score:5, Insightful)
Re: (Score:2)
> I can't get new vein patterns or a new face.
Just suffer a small stroke after an auto accident.
> What they're saying is that 2021 is the year of the internet going "real name".
OK, there are only 18 people with my name (or at least used to be, 25 years ago, when we were sent a book with everybody in the world sharing my surname) in the country, so how to disambiguate us? SSN only works in the USA
I wouldn't care, but they bought Mojang, and Minecraft keeps threatening to shift logins to M$.
Re: No more accounts. They want your identity. (Score:2)
Nonsense. With surgery today, you can have a new face, typically 20 years younger!
Hey! We need his finger to unlock this! (Score:5, Funny)
Cuts off the index finger tosses it across the room.
#1 "No, stupid it's his thumb!"
#2 "Whatever. I'm not cleaning up this mess!"
Cuts off the thumb and tosses that.
#1 "@#$! He must be left handed!"
#2 "I'm sick of his screaming, this is taking too long!"
Cuts off the whole left hand.
#2 "shut up! Who needs their left hand? you're married right?"
Tosses hand.
#1 "finally! ok we can go now-- @!#!$ now it wants his iPhone to verify. Get his phone."
#2 "Got it. Oh, it wants a face scan. Hey, go get a bag we're going to have to take the head with us."
I want to see Fido2 used more (Score:5, Informative)
Fido2 is great, it does away with passwords by using strong cryptography instead. There are no passwords stored on a server for a hacker to steal, no way for a hacker to intercept traffic and steal credentials, no way for a hacker to carry out a replay attack and (because of how the system works and because the crypto keys are unique per website) it eliminates the problems of phishing attacks as well.
I just wish I knew what things are holding up broader adoption of Fido2 instead of passwords (or for that matter broken technology like the RSA SecurID keyfobs)
Re:I want to see Fido2 used more (Score:5, Interesting)
There are two major weaknesses of RSA SecurID tokens: First, they use a shared, immutable secret; the issuer (and historically RSA itself) must keep a copy of the secret, and this is susceptible to compromise. (This happened to RSA in 2011.) Second, they are specific to a single authentication system, so they do not scale well.
Yes, U2F and FIDO2 are great. They scale very well, they rely on asymmetric crypto, the client-side private key is unique to each authentication service (so colluding authentication services cannot feasibly tell which users use the same token), and they can use fairly simple hardware (so it is easier to secure the hardware).
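Added example, not from any commenter or from the FIDO project: a simulation of the challenge-response flow the two posts above (and the "*yawn*" thread) describe. It shows why the relying party keeps no secret (only public keys), why a key is unique per rpId, why an assertion for a look-alike origin is rejected, and why a captured assertion cannot be replayed. Names (Authenticator, RelyingParty, example.test, examp1e.test) are assumptions, and the message layout is a deliberate simplification of WebAuthn (no authenticatorData, counter or attestation); in a real browser the origin in clientData is filled in by the browser, so the wrong-origin case here stands for the server-side check a relying party must still make.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator keeps a separate private key per relying-party ID (rpId); none ever leaves it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh P-256 key for rpId and hands out only the public half.
func (a Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpId] = priv
	return &priv.PublicKey, nil
}

// clientData is assembled by the browser, not the page: server challenge + real page origin.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assert signs sha256(clientDataJSON) with the key for rpId. The browser derives rpId from
// the origin, so a look-alike domain selects a different (here: absent) key, never this one.
func (a Authenticator) Assert(rpId string, challenge []byte, origin string) (cd, sig []byte, err error) {
	priv, ok := a[rpId]
	if !ok {
		return nil, nil, errors.New("no credential registered for this rpId")
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return cd, sig, nil
}

// RelyingParty stores only public keys and one single-use challenge per user: nothing in it logs anyone in.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that Verify will accept exactly once.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[user] = c
	return c
}

// Verify: known user, unspent challenge, expected origin, valid signature under the stored key.
func (rp *RelyingParty) Verify(user string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	pub, ok := rp.pubKeys[user]
	want, pending := rp.pending[user]
	if !ok || !pending || string(cd.Challenge) != string(want) {
		return errors.New("unknown user, or challenge mismatch / already spent (replay)")
	}
	delete(rp.pending, user) // spent even if a later check fails
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q (phishing)", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(clientDataJSON)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, rp := Authenticator{}, NewRelyingParty("https://example.test")
	pub, _ := auth.Register("example.test")
	rp.StoreCredential("alice", pub)
	cd, sig, _ := auth.Assert("example.test", rp.NewChallenge("alice"), rp.Origin)
	fmt.Println("genuine:", rp.Verify("alice", cd, sig), "| replay:", rp.Verify("alice", cd, sig))
	cd, sig, _ = auth.Assert("example.test", rp.NewChallenge("alice"), "https://examp1e.test")
	fmt.Println("look-alike origin:", rp.Verify("alice", cd, sig))
}
```

Contrast this with a TOTP or SecurID seed: there the server's copy of the shared secret is enough to mint valid codes, whereas a dump of pubKeys here yields nothing that can pass Verify.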
Re: (Score:2)
Also -
The network protocol for SecurID was apparently written by a bunch of drunken monkeys - it makes no damn sense.
The only server, the proprietary RSA one, is poorly implemented with obvious errors that point to exactly where to attack.
It was designed to prevent MITM, but utterly failed to do so.
The protocol isn't properly documented.
The core security concept is the same as TOTP, a much better designed protocol supported by dozens of clients such as Google Authenticator and Microsoft.
Re: (Score:2)
I just wish I knew what things are holding up broader adoption of Fido2 instead of passwords
Maybe browser support that actually works? I bought a couple of U2F keys last year. I foolishly tried writing a server side app to test them, according to the docs, and it wouldn't work on any of my devices. I finally found a test site from the manufacturer. It was able to do 1 kind of auth (out of the 10 or so that were supposedly supported), and only on one specific browser on one specific device. None of the other devices or browsers work even though every single one of them claimed to support it.
If there is no password (Score:5, Interesting)
Re: (Score:3)
You know, that may be behind this. Hmm. How much business does MS do with law enforcement?
Re: If there is no password (Score:2)
And you can get unwanted data stored under your id as well. Of course it can happen anyway, but if someone breaks the protocol it will offer new vectors.
Workarounds to passwords have failings (Score:2, Interesting)
Security tokens or 2FA tokens have both a reliability problem, in that your ability to access your system depends on the proper functioning of an additional device (or two if it plugs into a USB port or a card reader) as well as additional backend infrastructure, and a usability restriction, in that in order to log in to two systems at once you need to shuffle that token between two or more readers. The latter is particular
This explains a lot (Score:2)
My company has been trying to force me to install the MS authenticator app on my phone so that my Outlook app will work. I refused and decided not to have email on my phone.
No passwords, but MS account required (Score:2)
No thanks.
No. (Score:2)
Biometrics? No. Can't be changed.
Voice prints? No. Can't be easily changed.
FIDO2 security keys? Incompatible with ADHD and easily stolen/left behind - but it shifts responsibility away from Microsoft and they can blame the person... the end result is the same though.
Passphrases... sure, that works.
Re: No. (Score:2)
Keys are so much better though. I dunno, I guess an implant is too creepy for most, but as a youngster I had an eyebrow piercing I loved. You need something like that, passive power and tiny, ring, piercing, something always with you. It could work.
Re: (Score:2)
Anything that can be skimmed, stolen, lost, damaged, etc. doesn't work. My wife's piercings are ones she doesn't take out. She's still managed to lose at least 4 in the past 10 years that I know of.
An implant would work in theory, until it's skimmed - then what? Surgery to remove it and implant a new one? If it can be rewritten through the skin, what stops it from being hacked?
Then there's the fact that electronics degrade. No matter what medium, they'll wear out eventually. What happens if a person c
What about people without cell phones? (Score:2)
What about those of us who don't have (nor want) laptops? Or iPads? Those of us who only have (and only want and only USE) desktop systems?
What about those of us who use extremely strong unique passwords on every single one of their many dozens or hundred of web sites because they us
When your palm vein structure leaks.... (Score:2)
good luck getting a new one.
WTF, did they never watch Demolition Man?
You always need "Something you know", *regardless* of you having "Something you have" or "Something you are"!
But hey, maybe we'll see actual physical mechanical keys, like from the door, being put into laptops in a few years. :P ;)
I'll keep my box of playdough and metal casting tools ready.