Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Microsoft Privacy

Microsoft: 2021 Is the Year Passwords Die (neowin.net) 185

Usama Jawad writes via Neowin: has been a proponent of passwordless technology for quite some time, saying that it wants traditional and unsafe passwords to die. To that end, it has invested in various solutions over the past few years such as Windows Hello, Microsoft Authenticator, FIDO2 security keys, and a palm vein authentication system, among other things. Now, the company has highlighted the strides it made to kill off passwords in 2020, and has stated that it plans to make them a thing of the past for all its customers in 2021.

Microsoft noted that almost 80% of all cyberattacks target passwords, and one in 250 corporate accounts get compromised each month due to this. That said, the company is making an effort to transition people to passwordless solutions. In November 2019, 100 million people were using Microsoft's passwordless sign-in. This number grew to 150 million by May 2020, which goes to show how millions of people are ready to ditch passwords due to the inconvenience of remembering them, coupled with how insecure they can be. [...] 2021 is the year in which Microsoft plans to make passwords obsolete for all its customers. It is currently developing new APIs and a UX for managing FIDO2 security keys, and is also aiming to deliver a "converged registration portal," where customers can manage their passwordless credentials. While it hopes that 2021 marks a return to the "old normal," the company has emphasized that going passwordless will make online lives significantly easier.

This discussion has been archived. No new comments can be posted.

Microsoft: 2021 Is the Year Passwords Die

Comments Filter:
  • by Sebby ( 238625 ) on Friday December 18, 2020 @06:46PM (#60846642)

    ....because many have been trying for years now.

    • ....because many have been trying for years now.

      Microsoft is going to kill them for whatever things people use Microsoft stuff for.

      • by Anonymous Coward on Friday December 18, 2020 @07:42PM (#60846866)

        ....because many have been trying for years now.

        Microsoft is going to kill them for whatever things people use Microsoft stuff for.

        ...and all it's going to take is buying into the Microsoft Azure E5 Office 360 E3 Cloud Directory E1 Endpoint E5 Manager E9 Identity Hello E2 (for business). Depending on all the various combinations that are intentionally confusing, it'll only cost you $24.95 per user per month and include Exchange and Office, but also $6 per device per month to cover any computer or device you use, but it'll include a subscription to Windows Enterprise. You'll also be charged a per-hour Azure compute fee that you can pay-as-you-go, (or pre-pay for your expected usage in buik). Cancelling anything you don't really need to reduce the price actually means the bizarre bundling falls apart and the price goes up. One day you'll wake up and realize you forgot to pay your Microsoft Life and Everything bill, your power is off, no computerized device will work, and you can't vote. You will eventually end up in jail, unable to get out because you don't have your Microsoft Passport bill paid and you have no Microsoft Points.

      • Just YESTERDAY slashdot ran an article of shit tons of money being stolen out if accounts, even though 2FA was setup on those accounts. Hackers had gained access to their devices and in some cases were intercepting their SMS messages.

      • So you've got a mouse, keyboard, no camera, no biometric devices. Just how does Microsoft think it will make progress then?

        • You're not expected to make progress in that case. I'm pessimistic: cameras and biometric devices will probably become a requirement.
      • It's going to be the year passwords die, but only for people running the most secure version of Windows yet, Windows XP SP2 [zdnet.com]. That'll finally demonstrate that Microsoft can solve security problems once and for all.
    • by Tough Love ( 215404 ) on Friday December 18, 2020 @07:12PM (#60846748)

      Microsoft's marketing droids are going to hunt down and kill the passwords. If Microsoft's marketing droids can't kill the passwords then they will kill the password users. If Microsoft's marketing droids can't kill all the passwords or kill all the password users then they will kill themselves. Any further questions?

      • by rtb61 ( 674572 ) on Friday December 18, 2020 @11:02PM (#60847276) Homepage

        Do you know why they want to kill passwords in reality, the truth behind the lies. Keep in mind the anal retentive privacy invasive control freaks tiny limpers are, passwords are anonymisers. Username password could be anyone, eleminate them and no one ever has private access to the internet, TOTAL POWER, TOTAL CONTROL, run through the tiny limpers mind, as they contemplate their own fetid turd, that is windows anal probe 10.

        No more anonymous access for you worthless poor filth who must be controlled.

        • Do you know why they want to kill passwords in reality, the truth behind the lies. Keep in mind the anal retentive privacy invasive control freaks tiny limpers are, passwords are anonymisers. Username password could be anyone, eleminate them and no one ever has private access to the internet, TOTAL POWER, TOTAL CONTROL, run through the tiny limpers mind, as they contemplate their own fetid turd, that is windows anal probe 10.

          No more anonymous access for you worthless poor filth who must be controlled.

          Er, except FIDO2 security keys are not personally identifiable and can be trivially swapped or a new key generated in one of their slots.

          Not to derail a good rant or anything...

    • by infolation ( 840436 ) on Friday December 18, 2020 @07:18PM (#60846772)
      But passwords are going to disappear the year after the year of LInux on the desktop!
    • by LenKagetsu ( 6196102 ) on Saturday December 19, 2020 @10:15AM (#60848332)

      I can generate secure passwords with three clicks.

      rVJQnd$#y6F3Z*m@n!C^GLfKxs
      yQiHJxA$$&ChokE9wA^%wgDJTe
      empfh5zBcCFK^EuPG9&f3%#BR6

      I have much more faith in a password that only I know than my thumbprint or face recognition. Especially since I work in the repair industry where an accident can blow my fingers off or disfigure me, and industry I'm sure no MS bigwig has set foot in in his life. The most serious injury they would suffer on the job is a paper cut.

  • *yawn* (Score:5, Informative)

    by Shaitan ( 22585 ) on Friday December 18, 2020 @06:47PM (#60846648)

    Everything ultimately is a password. Security keys are themselves passwords, your biometric authenticators amount to a stored digital fingerprint which is a password (whether it is fingerprint of a literal fingerprint or a vein, retina, etc) and while stored in a potentially difficult to crack way once cracked they can't easily be changed... and if you make the storage one off and unique.. that has a key, which is a password.

    • Re:*yawn* (Score:5, Insightful)

      by Junta ( 36770 ) on Friday December 18, 2020 @07:17PM (#60846766)

      While *technically* true, there is a huge difference between 'human, enter a password of your choosing' and having humans enter 12345678 or hunter2 which is easy to guess and probably the same password they use everywhere, versus '256 bits of random data generated by the service that is unique to the service and shared between service and user' in the suboptimal case of TOTP style passwords, and in the better case a bunch of random bits comprising a private key that never leaves the device and only the public key matters.

      That specific device using a PIN or biometrics is intended to protect against a casual attack/buy time for the legitimate user to recognize the problem and invalidate the importance of that device if possible.

      Overwhelmingly the attacks come from remote channels without possessing anything physical of the person they are trying to impersonate, channels over which the PIN or biometrics won't be processed.

      In short, this is moving security away from 'something you know' and more towards 'something you have'.

      • Re:*yawn* (Score:5, Insightful)

        by Sleeping Kirby ( 919817 ) on Friday December 18, 2020 @09:14PM (#60847086)

        While *technically* true, there is a huge difference between 'human, enter a password of your choosing' and having humans enter 12345678 or hunter2 which is easy to guess and probably the same password they use everywhere...

        While I agree with everything you've said, I think MS's emphasis on passwords is misplaced and making everything key based would just shift the problem. Most hacks these days do target passwords, but only in simple password guessing and using passwords that were stolen from insecure systems. If they move towards a private key, I think it'd just be a matter of time before the hacks focus on stealing private keys. Not only that, but it's another method in which large companies try to shift more responsibility on the user. With a private key system, they can just say "Well, if you got hacked, it's unlikely they guessed the password. So *you* must have done something wrong." Not to mention the trouble you'd go through for "forgetting your password", i.e. losing your private key. Or using your "password" on multiple devices, i.e. keeping you private key on multiple devices. Not to mention, I feel like this is another way for large companies to put the responsibility of their product on you. "Oh, your account was compromised? Well, we use asymmetrical keys for authentication so it can't be us. It must be you. We're certainly not responsible for it."

        The problem with biometrics is, once that info is leaked (because, let's face it. It still comes down to bits.) you can't change it (or, if it's just reading a finger, you only get 9 resets). And that's assuming biometric reading are unique enough (or at all. Finger prints being complete unique is actually a myth) that 2 people won't accidentally log into each other's account. And that's even on top of mythbusters having once gotten by a fingerprint scanner that supposedly checks for other things like body heat, pulse rate and galvanic skin response.

        Personally, I'm all for better security. But a lot of these just sound like fads that a large company is trying to push instead of proving that it's somehow better. Correct me if I'm wrong, but I could have sworn that, like 5 years ago, MS was trying to make everything 2FA and OAuth. Saying that passwords were insecure and everyone should 2FA by phone, touting the unlikelihood of being hacked via 2FA. And now everyone is saying how 2FA can be easily compromised and hacked and it's insecure (which, I don't really agree with, but just pointing out the shifting nature of authentication technology). Personally, I feel that if they really wanted to improve security, no MS systems would impose a password character limit nor would they restrict what characters to use, but I'm pretty sure I've ran across that on a few MS systems. Because, personally, I'm all for copying and pasting a page and half of text from a random book I choose as a password. Or using unicode instead of ascii (yes, I've used non-english characters for passwords before. It's had limited success. Some systems handle it better than others, if at all.). But I suppose neither of those doesn't make MS money nor does it make them control over auth for your system.

        • Re:*yawn* (Score:4, Funny)

          by thegarbz ( 1787294 ) on Saturday December 19, 2020 @06:25AM (#60847942)

          Most hacks these days do target passwords, but only in simple password guessing and using passwords that were stolen from insecure systems. If they move towards a private key, I think it'd just be a matter of time before the hacks focus on stealing private keys.

          I think you're missing the point. We've spent 30 years trying to teach people the importance of passwords and not only do we still have "password" and "123456" as the two most common passwords on the planet, we also still have login systems that insist on stupid password policies that force people to mishandle passwords. The point is not that passwords are cracked because they are popular. The point is passwords are cracked because we suck at them.

          You are absolutely right that the hacks in the future will focus on private keys. And if people stop using passwords statistics will show that the shift moves towards keys instead. However I have little doubt given how stupidly people handle security that this forced move would also see the number of successful attacks drop dramatically.

          Sidenote from 3 weeks ago: We were trying to commission a boiler high level safety interlock at a refinery. The control systems person had left the site already due to working too long but he allowed me and a contractor to stay to try and finish up. As we were discussing documentation the system logged out *sh#t* didn't know the password. I asked the guy from Schneider electric to try his vendor defaults. and... nothing they were smarter than that. Then I tried one more password which also failed.

          Oh but then the Windows password hint came up. The password hint was: "The password is: contro!" Yep. Highly secure that is. If you don't know the password simply type it in 3 times incorrectly and it tells you what it is.

          People are too dumb to use passwords.

      • In short, this is moving security away from 'something you know' and more towards 'something you have'.

        That'll be great when I lose it or if it falls in the toilet.No more password reset emails for me!

      • The problem with "something I have" is when I lose the "something". I don't want my entire life attached to a physical object. For cars, houses, etc if you lose yuour keys, it a hassle and maybe some $$$ but soon you get it back.

        With computers either:

        1) If you loose your key your are permanently screwed
        or
        2) It doesn't *really* require the key because the exists some mechanism to create a new key or bypass that key - so it not really hardware security anyway.

        If the physical key is only used for specific

        • 2) It doesn't *really* require the key because the exists some mechanism to create a new key or bypass that key - so it not really hardware security anyway.

          Don't be an idiot. You're basically saying that you think bank vaults are "not really hardware security" because "[there] exists some mechanism to create a new key."

          Did you get confused and think the word "safe" makes the safes safe? Why would you not want a company you do business with to be able to make changes to your account when needed? There is no way in which the limitations you mention prevent removing passwords from achieving the security goals of removing passwords. If it doesn't solve world peace

          • If I have items in a bank vault then I am trusting the bank to keep them secure. Does that mean that in this case I have to trust Microsoft to keep my data secure? At a first glance that seems OK - Microsoft will have MUCH better security than I do, but the failure is that its really not worth anyone's effort to hack my accounts by themselves, but it is worth real effort to hack Microsoft in order to gain access to many millions of accounts. The NSA hack some years ago shows that even a large, well fu
            • Weird. MS has much*worse* security than I do where I need it.
              And I don't even mean the SolarWinds hack.

              Call me when you input the "something you know" *on* the "something you have", and all data transfers pass though it, where it uses the now decrypted part of the xor pad for the target device to send it the message it was asked to by the PC and verified by me on its display and with its keyboard.
              (If the pad is empty, I can fill it back up via physical plugging in to the target device. After making sure it

    • Re:*yawn* (Score:4, Interesting)

      by ShanghaiBill ( 739463 ) on Friday December 18, 2020 @08:03PM (#60846932)

      Everything ultimately is a password. Security keys are themselves passwords

      The problem is not that passwords are inherently bad, but that normal humans are bad at selecting them and managing them.

      It doesn't matter that a machine-generated security key is "ultimately a password" because it isn't being selected and managed by a human who can't figure out how to change the font in Excel.

      It is good to see Microsoft taking the lead here. I may be presumptuous, but I suspect Microsoft's customers are among the worst at password management.

      • 1. There is no guarantee they are taking any lead, they are just implying they are taking some sort of lead in a statement. Let there be a white paper first, establish the security of the "post-password era", and even then widespread adoption might be a pipe dream. Notably, credible action after an inevitable eventual compromise has been missing from many attempts to replace passwords.

        2. And even if they do end up taking a lead, their intentions might be far from security related. With passwords, I can pres

        • You're a few decades late if you didn't read the white papers on key based authentication and authorization yet.

          • Are you saying 2002 was the year when passwords died ? The premise here is based on 2021, which has not come yet so it is not clear what you mean by few years later.

            If someone is planning to "take lead" in killing passwords, clearly they need to publish new white papers, or address issues with existing solutions some of which I pointed out in my post.

      • The problem is not that passwords are inherently bad, but that normal humans are bad at selecting them and managing them.

        That is completely irrelevant to the problem, Microsoft has no interest in being your nanny. As much as you'd like that.

        The reason they want to get rid of passwords is to reduce the fallout from their business customers getting hacked, cracked, phished, or simply fumbling their data.

        • Lol. Microsoft literally has wet dreams of being as much your condescending nanny as Apple.
          But they still believe you can overtake a car in a race, by always driving in the direction it is, relative to you.

    • Re:*yawn* (Score:5, Insightful)

      by freeze128 ( 544774 ) on Friday December 18, 2020 @09:34PM (#60847114)
      Biometrics are WORSE than a password... You can CHANGE a password if it gets compromised...
    • And how many security keys will you need? Having one for everything is a horrible risk, that's why you shall have different passwords for different sites and not reuse passwords.

      The 'big brother is watching you' will be easier too because if you have a single key then that can be used to track you.

  • by Latent Heat ( 558884 ) on Friday December 18, 2020 @06:50PM (#60846652)

    The password plus entering a generated random code 2-factor authentication will no longer be enough.

    The University will require a strong password, the random 2nd factor code, and that I drop my pants, face away from the camera of my "device" and bend forward?

  • Sounds great! (Score:4, Interesting)

    by burtosis ( 1124179 ) on Friday December 18, 2020 @06:50PM (#60846654)
    Yes! Let’s have all passwords for all applications for all companies and products be stored and used by a single company remotely! Heck, let’s use the same company for public utilities and nuclear facilities. Such a superior security concept! I mean, not even counting down time, it’s not like that company could then ever be hacked themselves at which point you’ve handed the keys over to thousands of large business, utilities, and government facilities, all in one go right?
    • Now, now, let's not be mean. I think a compromise would work -- passwords, plus some sort of out-of-band backchannel verification to a physical device that the person frequently keeps with them. Perhaps something with a network-based mechanism that could deliver a second, I don't know, "factor" of authentication. If Microsoft were to produce the software for such a device, Microsoft could also make money on those devices. I highly doubt it would be generally rejected by the market after a few years.

    • FIDO2 *reduces*, not increases, that problem.
      It makes it easy/default to use authentication where the service doesn't store a secret at all. Like public key cryptography.

      FIDO2 is kinda a framework, it's flexible so you can do different things with it, so you probably COULD use passwords with it (and improperly store those passwords in some centralized location), but it would take extra work to do it wrong.

  • by cas2000 ( 148703 ) on Friday December 18, 2020 @06:51PM (#60846658)

    isn't it nice of Microsoft to store all the passwords in a nice big honey pot.

  • OpenID? (Score:5, Interesting)

    by Eravnrekaree ( 467752 ) on Friday December 18, 2020 @06:51PM (#60846660)

    Whatever happened to OpenID?

  • by david.emery ( 127135 ) on Friday December 18, 2020 @07:03PM (#60846694)

    That was infiltrated through Solar Winds Orion, where MS credentials were then used to install malware, bypass 2 factor authentication on Active Directory, and generally spy on mail hosted on Microsoft servers?

    Or is that another Microsoft, that we can actually trust?

    • by ToasterMonkey ( 467067 ) on Friday December 18, 2020 @10:32PM (#60847216) Homepage

      That was infiltrated through Solar Winds Orion, where MS credentials were then used to install malware, bypass 2 factor authentication on Active Directory, and generally spy on mail hosted on Microsoft servers?
      Or is that another Microsoft, that we can actually trust?

      Solar Winds was infiltrated, on what planet is that then a uniquely Windows problem? Your network is compromised.

      At that point, there's very strong odds your network devices get infiltrated, the hackers get a map of the entire network that Orion was monitoring, configurations of all your switches and firewall rules, and some network engineer login creds that are good for god knows what, probably a bunch of sysadmin creds as they come in for IPAM, and the rest is history. At the very minimum, some AMAZING social engineering attacks could be launched from all the credentials harvested from Solar Winds logins.

      There is absolutely nothing good about this story on the Unix credentials, OpenLDAP, postfix mail hosted on Linux servers front. Nothing.

      I'm sorry, what are you even thinking, this is a tool that Linux network and system administrators use along with everyone else. Their credentials will be stolen, and a map of the entire network on the other side of us-jumpymcjumpface-mfa1 will be had, period.

    • Yes that is the same completely irrelevant 3rd party to Solar Winds who had zero to do with the infiltration of the company and its systems.

  • For Microsoft it shouldn't be too much trouble. Roll out an update for Windows 10 that forcibly disables users' ability to enter passwords.
    • by gweihir ( 88907 )

      You mean then I have to lock their crap into a VM to secure it? Oh, wait, I am already doing that. Except for my gaming machine that never, ever sees anything else besides games.

    • How are they going to disable password fields on websites, via browsers they don't control?

  • Heard this before (Score:5, Informative)

    by mr5oh ( 1050964 ) on Friday December 18, 2020 @07:06PM (#60846710)
    Last time Microsoft said they were eliminating passwords... Windows 10 got "pin" codes. Apparently no one explained to Microsoft a pin code, is a password just using traditionally using numbers. Stop saying your changing things to pretend you're innovating. In fact stop trying to innovate things no one asked for.
    • Re:Heard this before (Score:5, Interesting)

      by azcoyote ( 1101073 ) on Friday December 18, 2020 @07:25PM (#60846808)

      Yeah and it's technically less secure overall because it adds a valid way to bypass the password. Well, it would be less secure if it worked. About 50% of the time on my wife's Win10 laptop the PIN stops working for no reason whatsoever and we have to use the password anyway.

      I wonder if MS plans to have people call them when they are locked out in a password-free world. Given that many big hacks are done by social engineering, relying on calls like that would likely make such hacking easier.

      • Re:Heard this before (Score:5, Informative)

        by sound+vision ( 884283 ) on Friday December 18, 2020 @08:16PM (#60846960) Journal

        I entered the wrong "pin" (actually a password since I checked the option to let you use non-numbers) into my W10 laptop a few times and then it had me enter some 4 or 6 digit hex-looking code, before it let me try again. (Something like, "You entered the wrong PIN too many times, please enter 4B0CAF and then try your PIN again.") From that day on, about half the time I'd boot up the laptop, it would prompt me to enter that same hex code, before I even had an opportunity to put in my actual PIN. Not only that, but all the colors on the screen would be weird whenever this message appeared, almost like the display was in 8 or 16-bit color mode. This went on for a month or two, then it stopped, presumably fixed by some kind of Windows update. Hard to tell when they just update whatever, whenever, and may or may not let you know.

        Also after upgrading to W10 this year, I find out its USB MIDI device drivers have been broken since release. It took them years to get it working... assuming you have a USB 2 port. My laptop only has USB 3. Ended up having to shell out for a USB 2.0 hub - thankfully they're still available - and now my class-compliant device works as intended. "Where do you want to go today?" To the Microsoft support forums, to read through years of unaddressed bug reports? How about to your wallet, because now you have to pay for a hardware workaround?

    • Re:Heard this before (Score:5, Informative)

      by Junta ( 36770 ) on Friday December 18, 2020 @07:27PM (#60846822)

      The PIN code thing was horribly under-explained, but that code would only be accepted from local keyboard *and* if the TPM and TPM state checked out. It was relaxing the needed complexity, but as a carrot to pull users into basing security more on physical possession more than just a password.

      Of course those restrictions and requiring a traditionally 'hard' password would technically be even safer than the PIN+TPM+local entry restrictions, but it's more trying to make the human behavior change.

      I don't know if they will hit upon a reasonable implementation, but providing multiple public keys to services (so I have backup devices) rather than 'set a password' would be a great improvement in the status quo, with recovery from lost/broken devices being a sufficiently well-throttled mechanism such that attackers can't really use it.

      • Re:Heard this before (Score:4, Interesting)

        by joe_frisch ( 1366229 ) on Friday December 18, 2020 @09:55PM (#60847160)

        This is one of the problems with security - users need to understand them at some level in order to be able to use them.

        The pin must be entered on a local keyboard? OK - if that is *really* true. Does it bypass all drivers etc? In that case what is a "keyboard"? If I have a usb dongle keyboard, that must work. So I assume there is some firmware USB driver (no OS) that reads the keyboard from USB? How secure is the bluetooth / USB link - can someone snoop on my PIN?

        If I have multiple computers on a network sharing files, how does the pin work to get access to files on a different computer?

        I guess this assumes you always use the computer locally, no through some remote login? Or if not is there also a password in which case that remains a week link.

        Maybe all this is taken care of, but without spending a ton of time, how do I know.

    • Re: (Score:3, Insightful)

      by Entrope ( 68843 )

      Windows "PIN"s can be alphanumeric. So really they're just... less secure passwords. It's rather incredibly dumb.

  • No (Score:5, Insightful)

    by gweihir ( 88907 ) on Friday December 18, 2020 @07:08PM (#60846722)

    But maybe 2021 should be the year MS dies. Would be better for everyone. Probably not going to happen either.

  • What a mess (Score:5, Insightful)

    by Misagon ( 1135 ) on Friday December 18, 2020 @07:10PM (#60846738)

    All I read from this is that 2021 is the year that Microsoft is going to royally screw up Windows again for everyone.

    • by gweihir ( 88907 )

      All I read from this is that 2021 is the year that Microsoft is going to royally screw up Windows again for everyone.

      Well, they have got a reputation to maintain! I think we truly have entered the age of "crappy computing".

    • Well, actually, I left it in my pocket and washed then dried it.
      Tech: "It might work, did you try it?"
      Ah, no, I thought it was busted so I threw it in the trash.
      Tech: "Well, we have your pass phrase as a backup alternative"
      Minutes later...
      Ok I remember it was "battery horse staple!"
      Tech: "Well, that explains why we had to re-image your machine last week"

  • At last the techno-rapture is here, now drop your pants and insert appendage for vascular ID scan.
  • by TheNameOfNick ( 7286618 ) on Friday December 18, 2020 @07:22PM (#60846802)
    Biometric logins aren't better than password logins. I can make a new password if Microsoft or some other company exposes my current password. I can't get new vein patterns or a new face. That's why I don't want biometric logins and that's also why they want them. What they're saying is that 2021 is the year of the internet going "real name". Fuck that.
    • by dwye ( 1127395 )

      > I can't get new vein patterns or a new face.
      Just suffer a small stroke after an auto accident.

      > What they're saying is that 2021 is the year of the internet going "real name".
      OK, there are only 18 people with my name (or at least used to be, 25 years ago, when we were sent a book with everybody in the world sharing my surname) in the country, so how to disambiguate us? SSN only works in the USA

      I wouldn't care, but they bought Mojang, and Minecraft keeps threatening to shift logins to M$.

    • Nonsense. With surgery today, you can have a new face, typically 20 years younger!

    • by bussdriver ( 620565 ) on Friday December 18, 2020 @11:13PM (#60847304)

      Cuts off the index finger tosses it across the room.
      #1 "No, stupid it's his thumb!"
      #2 "Whatever. I'm not cleaning up this mess!"
      Cuts off the thumb and tosses that.
      #1 "@#$! He must be left handed!"
      #2 "I'm sick his screaming this is taking too long!"
      Cuts off the whole left hand.
      #2 "shut up! Who needs their left hand? you're married right?"
      Tosses hand.
      #1 "finally! ok we can go now-- @!#!$ now it wants his iPhone to verify. Get his phone."
      #2 "Got it. Oh, it wants a face scan. Hey, go get a bag we're going to have to take the head with us."

  • by jonwil ( 467024 ) on Friday December 18, 2020 @07:24PM (#60846806)

    Fido2 is great, it does away with passwords by using strong cryptography instead. There are no passwords stored on a server for a hacker to steal, no way for a hacker to intercept traffic and steal credentials, no way for a hacker to carry out a replay attack and (because of how he system works and because the crypto keys are unique per website) it eliminates the problems of phishing attacks as well.

    I just wish I knew what things are holding up broader adoption of Fido2 instead of passwords (or for that matter broken technology like the RSA SecurID keyfobs)

    • by Entrope ( 68843 ) on Friday December 18, 2020 @07:47PM (#60846888) Homepage

      There are two major weaknesses of RSA SecurID tokens: First, they use a shared, immutable secret; the issuer (and historically RSA itself) must keep a copy of the secret, and this is susceptible to compromise. (This happened to RSA in 2011.) Second, they are specific to a single authentication system, so they do not scale well.

      Yes, U2F and FIDO2 are great. They scale very well, they rely on asymmetric crypto, the client-side private key is unique to each authentication service (so colluding authentication services cannot feasibly tell which users use the same token), and they can use fairly simple hardware (so it is easier to secure the hardware).

      • Also -

        The network protocol for SecurID was apparently written by a bunch of drunken monkey - it makes no damn sense.

        The only server, the proprietary RSA one, is poorly implemented with obvious errors that point to exactly where to attack.

        It was designed to prevent MITM, but utterly failed to do so.

        The protocol isn't properly documented.

        The core security concept is the same as TOTP, a much better designed protocol supported by dozens of clients such as Google Authenticator and Microsoft.

    • I just wish I knew what things are holding up broader adoption of Fido2 instead of passwords

      Maybe browser support that actually works? I bought a couple U2F keys last year. I foolishly tried writing a server side app to test them, according to the docs, and it wouldn't work on any of my debvices. I finally found a test site from the manufacturer. It was able to do 1 kind of auth (out of the 10 or so that were supposedly supported), and only on one specific browser on one specific device. None of the other devices or browsers work even though every single one of them claimed to support it.

  • by chispito ( 1870390 ) on Friday December 18, 2020 @07:37PM (#60846850)
    If there is no password, then your data can be accessed without you having to testify against yourself.
  • Biometric identification has a false positive, false negative, and a forgery problem.

    Security tokens or 2fa tokens have both a reliability problem in that your ability to access your system depends on the proper functioning of an additional device (or two if it plugs into a usb port or a card reader) as well as additional backend infrastructure, and a usability restriction in that in order to log in to two systems at once, you need to shuffle that token between two or more readers. The latter is particular
  • My company has been trying to force me to install the MS authenticator app on my phone so that my Outlook app will work. I refused and decided not to have email on my phone.

  • Biometrics? No. Can't be changed

    Voice prints? No. Can't be easily changed

    FIDO2 security keys? Incompatible with ADHD and easily stolen/left behind - but it shifts responsibility away from Microsoft and they can blame the person... the end result is the same though

    Passphrases... sure that works

    • Keys are so much better though. I dunno, I guess an implant is too creepy for most, but as a youngster I had an eyebrow piercing I loved. You need something like that, passive power and tiny, ring, piercing, something always with you. It could work.

      • Anything that can be skimmed, stolen, lost, damaged, etc. doesn't work. My wife's piercings are ones she doesn't take out. She's still managed to lose at least 4 in the past 10 years that I know of.

        An implant would work in theory, until it's skimmed - then what? Surgery to remove it and implant a new one? If it can be rewritten through the skin, what stops it from being hacked?

        Then there's the fact that electronics degrade. No matter what medium, they'll wear out eventually. What happens if a person c

  • What about those of us who don't have (nor want) those insecure devices called "cell phones"? (which are not actually cell phones but rather "smart devices" which just happen to also support making and receiving telephone calls)

    What about those of us who don't have (nor want) laptops? Or iPads? Those of us who only have (and only want and only USE) desktop systems?

    What about those of us who use extremely strong unique passwords on every single one of their many dozens or hundred of web sites because they us
  • good luck getting a new one.

    WTF, did they never watch Demolition Man?

    You always need "Something you know", *regardless* of you having "Something you have" or "Something you are"!

    But hey, maybe we'll se actual physical mechanical keys, like from the door, being put into laptops in a few years. :P
    I'll keep my box of playdough and metal casting tools ready. ;)

You are always doing something marginal when the boss drops by your desk.

Working...