How to Eliminate the World's Need for Passwords

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, and Apple and Microsoft (as well as Intel and Arm). It describes its mission as reducing the world's "over-reliance on passwords."

Today Wired reports that the group thinks "it has finally identified the missing piece of the puzzle" for finally achieving large-scale adoption of a password-supplanting technology: On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption....

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.... FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there's no simple way to log in to all of your apps and accounts — or if you have to fall back to passwords to reestablish your ownership of those accounts — then most users will conclude that it's too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device's biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a "FIDO credential" manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device's biometric or passcode lock. At Apple's Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as "Passkeys in iCloud Keychain," which Apple says is its "contribution to a post-password world...."

FIDO's white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof since Bluetooth is a proximity-based protocol and can be a useful tool as needed in developing different versions of truly passwordless schemes that don't have to retain a backup password. Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future. "This grand vision of 'Let's move beyond the password,' we've always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets," Brand says....

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past.... When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google's Brand turns serious, but he doesn't hesitate to answer: "I feel like everything is coalescing," he says. "This should be durable."
Such a change won't happen overnight, the article points out. "With any other tech migration (ahem, Windows XP), the road will inevitably prove arduous."

You could use some sort of unique mark

[93 Escort Wagon]

Maybe on your forehead or the back of your right hand...

Re:

[dohzer]

Why not a little RFID chip under the skin?

Re:

[Antique Geekmeister]

RFID is fairly easily scanned and duplicated.

https://www.wired.com/2006/08/... [wired.com]

Has the technology improved in any significant way in the last decade?

Biometrics are even more vulnerable, and even Mythbusters documented their vulnerability

https://cryptome.org/gummy.htm [cryptome.org]
https://www.youtube.com/watch?... [youtube.com]

Re:You could use some sort of unique mark

[ShanghaiBill]

RFIDs are best used for identification rather than authentication. So they replace your username, not your password. But some RFID chips contain cryptographic keys that add an extra layer of security.

Biometrics are vulnerable if they are implemented poorly. Better implementations do 3D scans and detect your pulse.

But it depends on what it is used for. I use my fingerprint to open the Facebook app on my cellphone. I don't use it to authorize a wire transfer.

Re:

[redmid17]

Yes yes. RFID has improved hugely in the past 15 years since WIRED reviewed existing solutions in 2006. For one example, my current apartment building uses easily copied RFID fobs from that era. My old (but brand new construction) apartment building had new RFID fobs that were neither copyable by commercial key cloners nor myself / buddy using available COTS cloners. The level of encryption on it is head and shoulders above where it was before.

Re:

[Joce640k]

Why not a little RFID chip under the skin?

Because only a masochistic 0.001% of the population would agree to that.

Re:

[ShanghaiBill]

RFID hand implants are most common in Sweden.

Re:

[dromgodis]

Though I wouldn't say that they are common here. I haven't met or heard of anyone getting such an implant except as a publicity stunt ("Hey look at me, I'm a cyborg!").

Re:

[ClueHammer]

And criminals start hacking off body parts to get your password

Re:

[AmiMoJo]

Because then you can't remove it when you want to travel without an RFID chip on your body.

Also if someone wants to steal it, well I'd rather give them a token than have them trying to carve my RFID chip out.

Re:You could use some sort of unique mark

[Joce640k]

Note that most of the companies pushing this are the biggest data gatherers and personal-profilers out there.

I want anonymity. I want something that uses public key cryptography and uses a different public key for each 'service' that it signs me up for. Does this provide that?

I don't see where it explicitly says that in the summary so I'm guessing the answer is "no".

Re:You could use some sort of unique mark

[arglebargle_xiv]

Yup, pretty much everyone who wants to supplant passwords wants to be the universal gatekeeper for whatever password replacement they're currently peddling.

To paraphrase Churchill, "passwords are the worst authentication mechanism, except for all the others". There's a great paper by Herley and van Oorschot on the capabilities required of a mechanism that will be able to successfully supplant passwords. Turns out there's only one single mechanism that does all that: Passwords. There's a reason why they've stuck around forever, and why pretty much every attempt to replace them has failed.

Re:You could use some sort of unique mark

[larwe]

There's a great paper by Herley and van Oorschot

OK, I googled that and: you are literally a scholar, and either a gentleman or some other gender-appropriate noun meaning "chivalrous, courteous and/or honorable". That paper is even available for free. https://scholar.google.com/scholar_url?url=https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf&hl=en&sa=X&ei=cRw4YuSLO8OP6rQP09-e4AM&scisig=AAGBfm2m4jo9_cF-0Xsr7Nie1YQ0NL7wZQ&oi=scholarr [google.com]

Re: You could use some sort of unique mark

[Bearhouse]

Thanks for the link

Re:

[arglebargle_xiv]

Yeah, sorry, was on the train at the time with limited ability to cross-reference and provide links. The reason I referenced that one is because Paul posts all his publications [carleton.ca] so they're easy to find and get access to. On that page look for "Passwords and the Evolution of Imperfect Authentication" and "A Research Agenda Acknowledging the Persistence of Passwords".

Re:

[AmiMoJo]

How can they be the gatekeeper when the method they are proposing does everything locally using open-source, patent-free technology? There are open source implementations.

Re:

[arglebargle_xiv]

That's like saying that all Netflix movies are free because you have an open-source patent-free codec that'll play them.

Whether the software that implements it is open-source or not is irrelevant, you still need to authenticate to, with, and against something.

Re:

[AmiMoJo]

How is that any different to typing in a password?

Re:

[AmiMoJo]

The more advanced devices like Yubikeys can store your own public/private key pairs if you want. It's quite a good system because you don't have to keep your private key on every computer you want to use it on. You just keep it in the key and it provides the crypto functions using it without ever sending a copy to the computer.

That's not what this is about though, this is for protecting your Google and Facebook accounts from people stealing or guessing your password. I has nothing to do with anonymity, it's

Re:

[ras]

I want anonymity. I want something that uses public key cryptography and uses a different public key for each 'service' that it signs me up for. Does this provide that?

If you are talking about FIDO, then yes [fidoalliance.org]. Quoting: FIDO technical specifications state that a FIDO device must not have a global identifier visible across websites, which prevents unwanted and unexpected re-identification of a FIDO user. A user must not be identifiable by one entity because of a relationship with another Relying Party. Additi

Re:

[ElizabethGreene]

Second part first.
Separate Public key for each identity: That's it's in there.

First part second:
Seperate identity per service is harder. There isn't anything that ties all of the identities on e.g. a Yubikey together, but how you use that Yubikey might.

Example: If you use FIDO2 U2F Yubikey to MFA to e.g. a gmail account and then use that gmail account to sign in to services then those are tied back to the single identity.

What you want is probably in the protocol, but you'll have to document your requirement

Re:

[Tablizer]

Picard invented face-palm identification

Re:

[The Evil Atheist]

They could call that standard "The Beast".

Re:

[Wizardess]

Riiiight! Like 666 on your forehead.

If I rely on a finger I can lose the finger. Or my finger might be dirty and not trigger correctly. Parts of me can often be spoofed with pictures, molds, or other gadgets if somebody is dedicated enough. I prefer something recorded in my mind. When that is gone the rest is academic.

{o.o}

Stolen computer?

[drkshadow]

When I can use the method to get into my accounts, bank, airline, phone, credit card, etc. after having my computer an phone stolen from me, we can talk. Until then, it's a failure.

Re:

[whoever57]

I am dreading what will happen when I move from one country to another and replace my phone number with a local number.

Re:

[ShanghaiBill]

I am dreading what will happen when I move from one country to another and replace my phone number with a local number.

The solution is to keep your old number. You can get a multi-SIM phone, or use a cheap Android phone for the phone number you use the least.

I have phone numbers in three countries (US, China, Philippines). I need a local Chinese number to use WeChat-Pay. I need a local Philippines number to use Gcash.

Re:

[Joce640k]

The solution is to keep your old number.

And keep on paying the 'phone bill in the other country forever. Yep. Got it.

Re:

[K. S. Kyosuke]

There's such a thing as pre-paid cards, though.

Re:

[itsme1234]

You still need to pay them forever, otherwise they'll die (or worse they'll just cancel the service on you even if they have no specific minimum amount stated that you need to spend with them per month or year). I bet the GP was objecting to "paying forever" not to the fact that there's a bill to pay versus you pay in advance.

Re:

[K. S. Kyosuke]

You do, but for example in my country it's less then $20 per year. I consider that to be very reasonable.

Re:

[CastrTroy]

Transfer the number over to a VOIP provider and you don't even need a second SIM card, and it costs a whole lot less as well. You could probably find a service that would do it for free.

Re: Stolen computer?

[nasch]

I agree with the other person. If you have to forever keep paying for a phone number you don't otherwise need, that's a failure.

Re:

[ShanghaiBill]

If you have to forever keep paying for a phone number you don't otherwise need, that's a failure.

Except that you DO need it. I have a ton of accounts tied to my US phone number. Even when I am in Shanghai or Manila, I use my American phone several times a week.

But I am on a family plan and my kids live in America, so it costs me nothing extra.

Re:

[AmiMoJo]

Already solved. When you enable the use of 2FA you are offered recovery codes. You are supposed to keep them somewhere safe - I use Keepass password manager (open source, most platforms).

If you lose your 2FA device, e.g. your phone, you can use the recovery codes to get back into your account and revoke it.

Re:

[olau]

This must be an integrated part of making a password-less service.

Password-based services need a forgotten password feature, and password-less services need to make people make backup keys.

and service accounts? / non user shared stuff stuf

[Joe_Dragon]

and service accounts?
non user some what shared stuff?
app passwords?
passwords needed for temp jobs as part of an pipeline that runs tasks?
dumber devices that can't do smart auth.

Re:

[thegarbz]

The discussion here is about increasing adoption of general use cases. Listing your edge cases doesn't change a thing.

Re:

[geekmux]

and service accounts?

Should have had 200-character minimum passphrase standards set beyond cracking mechanisms, long ago.

non user some what shared stuff?

"non user"? You mean, the internet? Implement decent SSL.

app passwords?

See service accounts. Also see changing more often than once every decade.

passwords needed for temp jobs as part of an pipeline that runs tasks?

Something that "runs tasks" is called a script, and can therefore remember 200+ character passphrases. See service accounts.

dumber devices that can't do smart auth.

Will eventually be made illegal. For the Children.

No. Not kidding.

Re:

[AmiMoJo]

This is a solved problem. You just use tokens generated by the server instead of passwords.

A good example of this is how Google does it. Apps can use OAuth 2.0 to access your account data via a token instead of a password. They also support "app passwords" which are long passwords generated for apps that don't support OAuth, but they are discouraged because they aren't as secure as OAuth. Apps like Thunderbird support OAuth for accessing your Gmail account.

If you log in to your Google account you can see al

Not a panacea

[markdavis]

Most of these initiatives seem to rely on something you have replacing (not augmenting) something you know. And something you have can be taken/stolen or broken.

Those schemes that try to replace something you know with something you ARE then introduce serious privacy issues. (Biometrics can't be replaced and can leave physical trails, and is not something you really want to share).

And others try to rely on tracking you, by intermixing your device with your identity that is then known by other devices, services, and sites. Like linking your ID from one "authority" to serve another. Even more privacy issues. Plus single-point denial of service issues.

There is no panacea here, just tradeoffs. Personally, I am fine with non-insane passwords that do not have to be changed, login monitoring/throttling to prevent brute-force, coupled with something like TOPS, which do not rely on network, service, or tracking. Something you know, plus something you have. Not perfect (for sure), but, overall not bad either.

I am not OK with a company trying to force me to give up my cell phone number, install some type of spyware on my equipment (especially when if it is not compatible with my platform of choice), join some "federated" login system between services, or hand over biometric data.

Re:

[markdavis]

>"coupled with something like TOPS"

Sorry, typo, that was meant to be "TOTP"
https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Joce640k]

Surely you meant this: https://en.wikipedia.org/wiki/... [wikipedia.org]

Re: Not a panacea

[SirSlud]

While passwords are something you know, in practice more people give it away (or use passwords so easy it's something anybody else can know too) than loosing something you have (and is also protected by biometric, thus not just "something you have" but "something you have that's still on you")

Re: Not a panacea

[dragonworks2050]

Yes, because in human reality a lot of things are shared. Household business and finances are shared between spouses, executive email is shared with personal assistants, entertainment libraries are shared between friends and familyâ¦oh wait I think I figured it out.

Re:Not a panacea

[larwe]

There is no panacea here, just tradeoffs

Very much so. This thread has listed quite a few of the tradeoffs, but one also has to wonder why the FIDO Alliance is pushing on this rope so hard. Possible dark answers include: the alliance was created with the assumption that eliminating passwords is a desirable/necessary goal, and nobody is allowed to question that assumption, or - more sinisterly - "by routing all access requests through technology we control, we gain even more monetizable information about/control (ecosystem lockin!) over what people are doing"

The solutions that FIDO is proposing smack of "sitting in my office in Silicon Valley" arrogance, frankly; they assume that every user in the world is sitting at a desk with multiple devices around them that have an Internet connection, and/or a hardware token that can be replaced instantly (I need to pay my rent TODAY not after waiting for a new device to arrive, assuming I can even afford one), and/or a willingness to federate all their access to things into the hands of one or two central players (the commentary about syncing cryptographic material between devices is terrifying - such syncing has to rendezvous somewhere, and the people who control that somewhere have way too much power over the process).

I predict that the long tail of the attempt to eliminate passwords will exceed the lifespan of the concept of "logging into" something.

Re:

[tlhIngan]

Exactly.

Heck, even 2FA has a fatal flaw in what happens if you lose the second factor? Be it a RSA key or phone or other device?

To log into my 2FA to administer it, I need the 2FA token. If I'm changing phones, I need to have the presence of mind to do it while I'm changing phones - to unregister one phone and register the next phone. But this is surprisingly hard if you're going to wipe one and restore to another. And what happens if I forget? Now I can't login to anything.

So for work, to get my email I ne

Re:

[OneOfMany07]

"I am fine with non-insane passwords that do not have to be changed, login monitoring/throttling to prevent brute-force, coupled with something like TOPS, which do not rely on network, service, or tracking."

What is "TOPS" in this context? Two quick search attempts didn't return anything useful.

And can someone explain the issue of biometrics being impossible to "replace" or change?

Re:

[larwe]

And can someone explain the issue of biometrics being impossible to "replace" or change?

If your digital identity resides in a set of biological features that are stored in a database and your body is measured/verified when you make an access attempt, then someone who compromises the database has your identity, permanently, because they can spoof the measurement step and inject a stolen copy of your biometric data. You can't change your fingerprints, iris, DNA, etc, so this is an irrevocable credential. By the way this is precisely why the FBI, etc, store your actual fingerprints when they do a

Re:

[larwe]

#define SNARK

I would be diffident about using Wordpress as an example of "how I want my entire digital life's security to be managed".

#undef SNARK

Less snarkily, even if this is supported by PKI, it boils down to key management. It's not really possible to imagine a system for consumers (WP admins are NOT CONSUMERS in this context) where the consumer owns their private key and has full control - what if they lose it? Ergo, there is a third party somewhere with the ability to "fix account problems" and "recov

Re:

[thegarbz]

Those schemes that try to replace something you know with something you ARE then introduce serious privacy issues. (Biometrics can't be replaced and can leave physical trails, and is not something you really want to share).

Except you've completely missed the point of the entire standard. The idea that biometrics are used to authenticate only on your local device level to a password manager which takes over the rest of the authentication process. There is no physical trail and nothing is shared. When I log into Azure my Face isn't scanned and sent off into the interwebz, my Face is scanned by my local machine, compared with the data stored in my local TPM, and if it is correct a completely different auth process concludes the

Re:

[AmiMoJo]

You can still have 2FA with passwordless.

For example, you might use your phone to authenticate, requiring a biometric unlock. So you have two factors, something you have (the phone) and something you are (your biometrics). Before you panic, most phones store the biometric data locally in a secure enclave, they aren't proposing you send your fingerprints over the internet.

Yubikey make a USB key that supports fingerprints too. Again, all stored and processed on the device itself.

It's not perfect, your biometr

Re:

[bradley13]

This. Really, the technology is maybe fancier, but this isn't so dissimilar to the 2FA "authenticator" apps. I have the Google Authenticator running on my phone. Six different services that I have, use it. This is in addition to a password, so if I were to lose my phone - somehow leaving it unlocked - those services would still be safe. Without the password? I'm supposed those accounts would be compromised.

As fancy as the tech behind this is, it seems to be aimed at the least tech-savvy of the internet us

Behavior

[John.Banister]

I notice that the organizations trying to replace something each customer knows with some object or system that a few really smart people design are organizations that have really large numbers of customers and have been able to study their behavior. When a cat brings you something it killed, your first thought may be "I don't want to eat that," but it's also useful to consider what it says about what the cat thinks (eg: "I think you're shit at hunting, and I want you to survive."). When these companies b

APPLE WATCH and iPhone

[johnjones]

while the latest Pixel phone has the ability I really want the Apple WATCH to have TOTP functionality

it already is supposed to have a secure element just get it done apple and use standards

Re:

[larwe]

I'm not sure what you're asking for here. https://apps.apple.com/us/app/otp-auth/id659877384 [apple.com] There are TOTP apps for the Apple Watch. So you moved your RSA keychain element from your keychain to your wrist... :D

Transient Access

[kamath]

My problem with all the assumptions laid out: You always have *something*. Since you *ALWAYS* have your phone, and if not, you're using your own computer, etc. . . . Ever been somewhere (like a friend's house) and realize "I forgot my phone, and I need to do something, almost anything, online?". When you LITERALLY have nothing with you, but need to authenticate yourself, how do you do that? And my problem with biometric data is that once it's compromised/impersonated, you're done. I can't change my iris scan/fingerprint/whatever. Sometimes you just need to log in to something on someone else's equipment. And let's not even _start_ the discussion of needing to log in as my aging relatives. Some of them get so confused by an SMS message with an authentication message (and it's almost comical how freaked out they get when they only have 10 minutes to enter the "special code" -- comic if it weren't so sad seeing them get so stressed out.). Good luck telling them to hold on to that FIDO key! Easy always wins.

Re:

[OneOfMany07]

"And my problem with biometric data is that once it's compromised/impersonated, you're done. I can't change my iris scan/fingerprint/whatever."

You shouldn't need to change your biometrics, the problem is data collection is insecure in your example. And perhaps you assume access based solely on matching biometrics.

HDCP is a cryptographic system setup to protect DRM'd digital movie transmission between a computer and a monitor...why can't we do something similar for biometric readings? Include a date/time s

Re:

[larwe]

And perhaps you assume access based solely on matching biometrics.

And there we have it - it cannot be assumed that biometrics are an adequate authenticator, since the underlying data is irrevocable and anyone who can spoof this would have the keys to the kingdom. In other words: Biometrics are like a password and would need a 2FA (3FA, ...) layer underneath them anyway. So they should be left out of the loop on any proposal for a universal authentication system.

Re:

[h33t l4x0r]

You completely misunderstood the proposal. Biometrics are for local authentication. They don't get sent over a network and they only unlock access to the encryption keys if you are already holding the device.

Re:

[AmiMoJo]

It's a trade off. You might forget your phone once in a blue moon, but at least your account isn't wide open to being hacked because someone got your password from a hacked database.

You use different random passwords for every site? Great, but since you forgot your phone you can't open your password manager to look up the password anyway.

Re:

[bradley13]

Hmmm. I see your point, but I guess I disagree with it. Most people seriously concerned about security use a password manager. Now, I obviously have the master password memorized, but almost all of the others are random, automatically generated strings that I don't know. There are only two or three services where I have deliberately set a memorable password - for everything else, I need some device with me, in order to access the password manager.

I'm betting that this is typical of 90% of /. users. What d

Re:

[h33t l4x0r]

It's pretty fucking simple to me. You're vulnerable to phishing attacks if you authenticate with a password and no 2fa. You're vulnerable to sim-swap attacks if you use 2fa. You're vulnerable to "losing your phone" attacks if you use the proposal here. Pick one and still lose because most people are be too stupid to use any of these options safely.

Someone needs to tell them...

[h33t l4x0r]

They just reinvented web3.

Hahhah a solution?

[oldgraybeard]

"no simple way to log in to all of your apps and account"

Trust chain

[locater16]

So... it's just a trust chain? You're logged into this device, and this device is keyed to your account, so you can get into your account. That's it. That's what took "years" to come up. WTF.

Re:

[Joce640k]

It was the part about everybody agreeing to do it the same way and not trying to leverage/monopolize for their own ends it that took the time, not the protocol.

(and I'm sure they're still doing that somehow, that there must be something they're not telling us or some way they're going to make more money than before... maybe by making this something that's $$$ expensive for your server to be a part of)

After looking at all the proposals...

[julian67]

After looking at all the proposals, seeing their user unfriendly and complex implementations, and their fragility, I'd like to suggest an alternative: each person chooses one password and uses it for everything, always, everywhere.

Thank you. I'm here all week.

What happens if you die ...

[Alain Williams]

say in a car accident that also destroys your 'phone, laptop, ... other secondary devices. Passwords you can tell your kids/friends so that they can manage your affairs but what in this case ?

Re:

[h33t l4x0r]

Save the encryption keys in a file on your PC desktop named "Hide from wife and kids.txt". They will find it.

Um...

[Flexagon]

(or a master PIN you select)

A PIN is a password.

Re:

[thegarbz]

Indeed reading the dictionary yes, but you make the distinction between PIN and Password because devices treat them as two different concepts with very different execution. Note how you can't use your PIN to log into your Microsoft or your Google account, and can't sync it between devices? A PIN identifies you locally only and isn't sent over the network.

Calling them both password would confuse things.

Re:

[evanh]

Yep, it's just like those loan merging offers. One company to simplify and guide and encourage ... but with a fee.

No, it's much worse. Because it become a single point of failure that can destroy your life. As such, the motivation to crack the system is far stronger.

Lots of passwords is by far the better way.

Re:

[h33t l4x0r]

Hmm, the summary does a shit job of explaining but the pin / fingerprint just unlocks your phone. It doesn't authenticate you on Amazon for example, obviously that would be retarded.

First try improving passwords

[Tablizer]

Don't store passwords on a regular server but a mirrored pair of sealed boxes, dedicated password servers, that have throttling built into the hardware so that nobody can try a given user name gajillion times.

Re:

[thegarbz]

We've been trying that for 30 years. It didn't work. A different solution is needed. The server admins are too dumb, the users are too dumb.

Re:

[account_deleted]

Comment removed based on user account deletion

So what they're really saying is...

[Miles_O'Toole]

Kiss anonymity goodbye, and with it, privacy.

Re:

[thegarbz]

Nope. They are saying the literal opposite of this. The whole point of the FIDO standard is that your credentials are not transmitted all over the place, are generated newly for each session, and the only way anonymity is affected is that the target service knows you're logging in (which it objectively needs to).

Re:

[Miles_O'Toole]

You didn't notice the group of companies saying this is a great idea? No doubt you also believe they have no influence with the US government.

Re:

[thegarbz]

I did. I also know the difference being reading the proposals, understanding the technical details, and stupid low-IQ conspiracy theories.

FYI the companies saying this is a great idea happen to also be companies with the largest exposure to problems related to user security and thus companies that spend a large amount of money dealing with fraud issues and user complaints. I'd be more worried if they weren't involved.

You know what's scary?

[Rosco P. Coltrane]

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, and Apple and Microsoft

My not-so-cursory understanding is that FIDO is generally a good thing.

What I wonder though, considering the fine collection of privacy invading sumbitches above, is: in what novel and odious ways will it be used to put people under even more intense corporate surveillance?

Because you can bet your ass all of those Big Data company wouldn't come together to promote something they didn't see as a major treasure trove of private data and surveillance opportunities to monetize. Just because of who actively promotes FIDO makes me suspicious of it.

Re:

[thegarbz]

Because you can bet your ass all of those Big Data company wouldn't come together to promote something they didn't see as a major treasure trove of private data and surveillance opportunities to monetize.

They are monetizing a massive reduction in fraud claims against their service. Here's a hint: The people above run services and hardware. Services and hardware already track and monetize you. The people above are also competitors, why would they work on a standard of sharing the thing they are trying to monetize themselves.

Your conspiracy theory doesn't pass the pub test, especially given how FIDO already works

Re:

[Rosco P. Coltrane]

I know FIDO works. I even know how it works. So I'm not particularly worried. And there is no conspiracy in any of what I said.

The only thing I said was, when those hateful companies get together to promote something, it's almost never for the benefit of mankind and you should be worried.

Re:

[Rosco P. Coltrane]

can't find a way that these companies have benefitted you

Well let's see:

- Google puts out great products the same way carnivorous plants offer nectar: it's free and delicious but if you touch it you lose - your privacy, in the case of Google. Google products are admittedly VERY attractive - when they're not plain unavoidable: e.g. try as you might, if you want video, it's fucking Youtube. If you want a decently-priced cellphone, it's Android. They have a monopoly.

- Facebook: it's worse: they put out addictive products. But like heroin, all you have to do is not s

So: All your eggs in one basket?

[Rick Schumann]

Then when the fox raids your digital henhouse, it's one-stop shopping: just grab (or hack) that one device, and it's all yours.
Nope. Fuck that shit. No biometric anything, thank you very much, and I never, never, ever use password managers of any kind.
What's wrong with 2FA anyway? Regardless, I'll just stick to passwords, mmkay?

Is this even desirable?

[Casandro]

I mean this will add a _lot_ more complexity to an already complex network. So much so that centralized services will pop up to provide authentication services for other sides. Outsourcing authentication is a terrible idea, as it opens you up to attacks from (potentially compromised) central services.

On the client side this will essentially move your authentication to some opaque to the user service which may even run on untrustable elements like the TPM. If biometric "authentication" is used, this element

On my iphone

[gnasher719]

I have a passcode, and my face or finger print is used as a shortcut to get to my passcode quicker. However, after I reboot the phone, or after using it for a few days, it suddenly wants my passcode and biometrics doesnâ(TM)t work until I enter the passcode once.

I wonder why that is and how it relates to passwordless phones.

Here's my problem with non password schemes

[Rosco P. Coltrane]

If all I need is a password, all I need is my noggin' to log in anywhere from anywhere. Nowadays, when you log in somewhere from another computer, the damn thing sends you an email to ask if it was you (you have to have access to your emails), or a text message on your phone (you have to have your phone with you). It's a major hassle.

I have implants in my hands that can act as Yubikey devices. Those never leave me by definitions, so I'd be fine with a challenge-response NFC scheme for 2FA. The problem is, w

The main problem with passwords

[Generic User Account]

Passwords allow you to make multiple accounts. That's the one and only reason they're going for biometrics. It has nothing to do with the security of your individual account. It's also the reason you need a phone number for everything even though realistically you can't even call any of these companies: Phone numbers aren't free to get as many as you want like mail accounts.

Creating a solution to an imagined problem

[BoB235423424]

All these stories on password issues, people re-using passwords across multiple sites, etc are creating a problem that really doesn't exist. Yes, data dumps of passwords show that lots of people use stupid passwords and reuse them all over the place. What they don't ever say is that the source of many of those breaches are web sites that people really don't want/need an account on to begin with and could care less if the account is compromised. The problem is not passwords. The problem is that far too m

Hey, they found kerberos

[WindBourne]

Hopefully, they will make it easier than kerberos.

Law Enforcement and Warrants

[freedom_surfer]

Since the courts have decided that cops can look at your phone without a warrant if they can get into it, how could this extend to this type of thing? Can they look warrant-less into all the future things that might by extension also be accessible? Food for thought.

Strange coincidence

[nagora]

That the list of companies involved in this is a 1:1 copy of the list of companies I would not trust with my privacy or security.

Link all accounts ...

[JasterBobaMereel]

Sounds like a brilliant way to link all and every account together so they can track you across all of them .... ....and if one device hacked then everything is now the hackers ....

Commercial motivation

[fluffernutter]

This just seems like a way for a small number of vendors to use every app you have as a way to lock you into them.

Blockchain for public keys?

[cjonslashdot]

Why not just have an open immutable registry for public keys? The anyone can prove their identity whenever they choose to.

#Yay!NoMorePasswords!

[Chas]

This is like the paperless office. Or x86 being replaced. Or the "Year Of The Linux Desktop".

It keeps getting announced and announced and announced.

Yet the tech it's supposed to replace keeps NOT HAPPENING.

And these keys are synced over your Cloud account.

[jovetoo]

(ie, Microsoft, Google, Apple). And their account recovery methods are protected by... passwords... (or other less convenient fishable methods).

Re:

[sconeu]

Then the Goatse guy is screwed (in more ways than one).