back to article Microsoft, Apple, Google accelerate push to eliminate passwords

Microsoft, Apple and Google – all longtime proponents of doing away with passwords for authentication purposes – are throwing their support behind standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) that could eliminate passphrases completely. Sometime this year or early in 2023, the three US …

  1. Chris Gray 1
    Trollface

    Upgrade!!!!

    Am I being too cynical when I suggest that this is also about getting everyone to buy new devices to replace ones that are too old to support this new stuff. And, as I've seen elsewhere, its yet another grab for control and information by those large corporations?

    1. mark l 2 Silver badge

      Re: Upgrade!!!!

      Yes and will probably only work on their big tech proprietary software, so the small guys and FOSS will get locked out of being able to support it.

    2. DS999 Silver badge

      Re: Upgrade!!!!

      The "new stuff" this requires is bluetooth and some sort of biometric ID in your phone, so hardly a big leap.

      The main roadblock is likely to be Android phones that are no longer getting updates, but that's partly the fault of the buyer for not choosing to buy from someone who supports their devices for a long time.

      1. jake Silver badge

        Re: Upgrade!!!!

        I've got all kinds of old kit still doing useful work. None of it will ever be downgraded to this new, about to be forced upon the rubes, "standard".

        Thankfully, I see no need to do business with the likes of Microsoft, Apple, Google and their ilk ... Not now, and not into the foreseeable future. The Internet (and my old kit) will still be trucking along quite nicely long after they and their megalomaniacal ideas are dead and buried.

        1. VoiceOfTruth

          Re: Upgrade!!!!

          -> I've got all kinds of old kit still doing useful work. None of it will ever be downgraded to this new, about to be forced upon the rubes, "standard".

          I agree with the sentiment, but the thing with these companies acting as a cartel means you may not have a choice if you want to participate. Although you may see no need to do business with MAG, what happens when the next pandemic comes round and the numbskulls in government say 'our new pandemic tracking app uses Google technology'?

          This idea is pernicious.

      2. Chris Gray 1

        Re: Upgrade!!!!

        Would be nice. My phone is 8 years old. (Samsung Galaxy S4) I don't think many folks expect them to be used that long. But, it has a replaceable battery, earphone jack, etc. I like it. I just don't but any new apps on it. Ever.

    3. Anonymous Coward
      Anonymous Coward

      Re: Upgrade!!!!

      Nothing like the big three colluding to discriminate against the disabled. I can't use pin numbers unless it corresponds with my very old army service number. My password manager deals with most logins by using the same default password. Any change that is thrust upon me is subject to the provisions in the Convention and in the Equality Act.

      In short, will Alzheimers finish me before Microsoft does?

      1. Pascal Monett Silver badge
        WTF?

        If you have a password manager, then why on Earth did you set it to use the same password on "most" logins ?

        1. dogcatcher

          So that I have a chance of recognising it and being able to copy it. With two screens open I can manually copy a password; with only one screen I cannot remember the password long enough to transfer it.

          1. NeilPost

            But a Password Manager does all that heavy lifting for you. Indeed you don’t need to know the passwords, but have access to them if required. Microsoft Direct Access VPN - tied to an AS Integrated 2FA PIN works well too.

            That being said I generally prefer (Phibe based) Two Factor Authentication (2FA) whether Google or Microsoft Authenticator, Okta Verify, Fortinet Token, Apple Sign in…. though the all your eggs in one cloudy basket hack at Okta irony is not lost on me.

          2. jake Silver badge

            "with only one screen I cannot remember the password long enough to transfer it."

            You've never head of paper and pencil? Note that this intermediary step is trivially destroyed by fire. Or ingesting. Or any number of other methods.

            1. TheWeetabix Bronze badge

              You have literally no idea of the ways his disability may affect him, he may not be able to use a pencil, he may have memory issues that would make writing it down just as pointless. The statement "so I have a chance of recognizing it" would make me think perhaps they have a reading difficulty, and pointing out that they should just write it down is effectively telling them to stop being handicapped.

    4. Richard Jones 1
      WTF?

      Re: Upgrade!!!!

      Where do I buy new fingers with ready to use, reliable fingerprints?

  2. Anonymous Coward
    Anonymous Coward

    New ways to choose to fail?

    Through all of the discussion of this, I feel like what we have is a case of people pushing before the plan has been hashed out. While I have been hoping TOTP and FIDO would get on by default first party support from the big 3, I feel like this may not address some of the issues the way it is being discussed. I think we needed the big three to implement an authentication layer where alternates could replace all the places where just a password was allowed before. That way aps, devices, and organizations could adopt new methods without re-architecting their whole deployment(which has been the main thing holding everything else back).

    Instead we are getting a hard push for what appears to be a swap of one inflexible baked in method for a newer one, which while it has it merits, will be behind the state of the art by the next major release of each of the operating systems.

    Worse is Bluetooth. If you want to ensure something never quite works, build it on top of Bluetooth. Connections will be hit an miss, connection setup slower then necessary, and probably have to suffer repeated device pairing. Al least the security can be run over the top, so even if the bluetooth data was in the clear the FIDO drivers on the devices probably will handle security on their own.

    1. LateAgain

      Re: New ways to choose to fail?

      You notice also that the assumption is that an actual person is there trying to do something.

      Not a shared login (loads of those!) or a machine.

      Asking a Linux server to pop up a weblogin to authorise something is daft.

      Just give me an "app login" FFS

      1. Anonymous Coward
        Anonymous Coward

        Re: New ways to choose to fail?

        re: "Not a shared login (loads of those!)"

        Ayep. I set up a google account for a community group I chair and I am now, after a couple of years, getting the "can not log you in too many failed attempts" hooey. While I am happy to walk away from that dumpster fire and not waste further time on it, I had planned to share the account with whoever next chairs the group. Now google has made up my mind for me, since apparently they can not keep things running for just ONE account user. Agree with the speculation above that this appears more about collecting even more data than about functionality or security.

  3. Mark #255

    coping with device loss - print out this A4 sheet of random codes and keep it safe

    I've recently begun enabling 2FA on a couple of accounts, and, while some bits are quite whizzy (point your phone at the QR code - woo), the recommended steps for ensuring you can still get into your account if your Authenticating Device is lost/stolen/rendered obsolete are somewhere on the "no normal person is going to do this" scale (I do fully accept that I'm not normal).

    "Here's a bunch of codes: print them out and keep them safe" seems no more workable than "write the password on the back of an old business card and keep it in the box-o'-passwords"

    1. simkin

      Re: coping with device loss - print out this A4 sheet of random codes and keep it safe

      It's awful. Our entire industry sucks.

  4. simkin

    And then your fingerprint scans get stolen.

    Try replacing those.

    1. Denarius Silver badge

      Re: And then your fingerprint scans get stolen.

      do you mean there are fingerprint readers that work reliably ? Never found one. Also those of us who work in abrasive conditions do not have detectable prints sometimes, not to mention the issues of dirt, grease. All very well taking 3 minutes plus to use an industrial hand-cleaner, redirecting to toilet facilities, back to office or device location. etc. How long before intrusion developers find ways to hijack TFA systems ?

      OTOH, in remote office situations, WFH, etc, TFA is sensible. Used it for decades. IMHO, just not a one size fits all solution, especially with the various device types now in use. Is having a second physical device so I can unlock my phone reasonable ? As others have said, will this be another closed system by the tech bros that is used to levy excess costs onto a population with no choices ?

    2. Martin Gregorie

      Re: And then your fingerprint scans get stolen.

      Try replacing those.

      Same goes for Ubikey or Bluetooth connected phone, unless there are actually three devices involved in the sign-in:

      1) the Ubikey, Bluetooth-connected phone, or whatever holds the encrypted token(s)

      2) the device you're using to connect to the required service

      3) the server supporting the required service.

      In addition the first two must have a secure way of storing something unique which can be sent to the third for validation.

      I have a Ubikey and use it to access services on one of the GitXXX code suppositories, However, I know almost nothing about its anti-theft safeguards: no documentation came with it and their website is equally uninformative about how its security systems work and why they are more secure than user name and password.

      IOW I'm happy to accept that the Yubikey is one factor but have absolutely no idea what 2nd factor may be or if it even attempts to be 2FA, when all I did to activate it was to stick it in my laptop's USB socket, and login normally to GitXXX. Since then I've been able to simply stick the Ubikey into the USB socket and immediately use git push/pull commands to update or access the remote repository.

      To me that seem less secure than, say, a UK bank's 2FA card reader, where at least you know what both factors are and that the card reader is not one of them.

    3. SundogUK Silver badge

      Re: And then your fingerprint scans get stolen.

      Yup. Nobody is ever getting me to log in with a bio-metric identifier. Sooner or later someone's going to crack quantum computing and all those hashed bio-metrics are going to be 'plain text.'

      1. ThatOne Silver badge
        Facepalm

        Re: And then your fingerprint scans get stolen.

        No need to crack anything - That data will quite likely be stored unencrypted on a publicly accessible test VM at some point, and thus will eventually land on the dark web, forcing you to change your face, fingerprints, DNA signature and whatever other immutable information they decided to use.

        But then again security isn't important to them, it's all about control, and it never ends well for those who fall for the scheme. (Don't you remember "One ring to rule them all..."? Embrace your new existence as authentication wraiths.)

  5. tekHedd

    Small devs

    Am I being cynical when I suspect they'll come up with a nightmarish implementation that basically guarantees small devs will be pushed out?

    I am being cynical. But I'm probably right.

    1. Anonymous Coward
      Anonymous Coward

      Re: Small devs

      I'm sure anyone can implement the 180 page spec from scratch in no time at all.

      Web Authentication: An API for accessing Public Key Credentials Level 1, W3C Recommendation, 4 March 2019.

      Of course, it helps if you're a big company with megatons of cash and already have a head start from implementing the code as you write the spec.

  6. ITS Retired

    All these new and improved ways to log in either involve a gadget, or or something that can't be changed when needed, like fingerprints and faces. Or gets changed because of damage to same and can't be updated because - Damage.

    The problem with passwords is passwords commenced with the beginning of computers and have been working reasonably well for decades. That means some people think passwords are old and need to be replaced with something "new".

    Never mind this "new" can't cover all the devices that need passwords. Different devices need different way to sign in. The have been trying to eliminate password for how many decades now? There is a reason they are still around.

    My 2005 HP, with a fresh load of Linux Mint and an IBM Model M keyboard would be hard pressed for facial recognition, with no camera, led alone any fingerprint reader. It works just fine for what I need it for. Word processing, banking, web surfing, any of several web sites I frequent... All without a hassle.

    1. Anonymous Coward
      Anonymous Coward

      Facial recognition only seems any good to me when it is used to unlock the encrypted passphrase on your device for onward use. Then you require two-factor just to make sure.

      Thinking somehow a face will replace a password - when you think about it they're all just 1s and 0s sent on, it's just that for a password you know what was the exact source. It's not really a password it's all just various forms of an encryption key with different derivations.

    2. Cliffwilliams44 Silver badge

      What I don't understand is this PIN number nonsense! How is a PIN any different than a password yet MS seems to think it is?

      Face recognition on my phone works great, unless I am outside working in the sun with my hat and sun glasses on, then it doesn't and I have to enter my PIN.

      What's the final endgame here? Some surgically implanted technology that authenticates us to all deceives and services? (That includes some undisclosed nefarious technology?)

      In the words of Timmy Turner! "What could possibly go wrong!"

  7. Neoc

    So we settle on fingerprints. But there are people out there without fingerprints due to missing hands/arms (and let's not forget those with Adermatoglyphia)

    Oh, so what about iris scanning? Cataracts, anyone?

    And, as someone rightly said, I can change my password/physical key if it gets compromised. How do I change my biometrics?

    1. NeilPost

      … or more rudimentary if your hands are wet…. Like say outside when raining.

    2. Alumoi Silver badge

      Been there, done that: Face/Off

      1. Anonymous Coward
        Anonymous Coward

        Unrelated, but I feel it's my public duty to point out Face is a far better movie.

  8. david 12 Silver badge

    FIDO is a dog

    2FA sent to your phone doesn't work just when you need it most -- while in some alien foreign country like China or Nigeria. It can be easily spoofed -- but not by ordinary users, only by criminals with a bit of practice.

  9. HatchFields

    It's def about money. Just not yours.

    All of you sound like you're approaching that age where nothing good can come from anything that might require you to adopt new skill sets by way of technical advancement. This is a huge boon for everybody involved. Overall the internets stand to reduce overall energy use by way of eradicating enormous amounts of bandwidth currently devoted to the goose chasing fallibility our current password processing and its logistical hoops eats up. Of course the big three stand to make a buck or two on upgrades but you'll be waxing even more nostalgia from bed by the time your arguments are archived. Until then, keep in mind FIDO was proposed by the W3C and the big 3,4,5, 8 or 9 or whomever your fear mongering monkey minds want to rage against, they ALL stand to save a serious ton of money currently spent in supporting lazy users who refuse to think creatively when it comes to adopting good technology and how to work with it rather than against it (I.e., ask your kids dishwashing buddy how he manages his fingertips and with biometric logins). You all complain too loudly only to eventually forget stashed that one piece of paper listing the 15 usernames and passwords they use for every login form they encounter. For god sakes don't keep it file on your 'tried and true' now obsolete phone that's going to die maybe tomorrow from over exhaustion. Go with the flow bro and use your heads and your time wisely. Don't ever forget your first Motorola beeper.

    1. jake Silver badge

      Re: It's def about money. Just not yours.

      Sez the dude/tte who created an ElReg account for this one, single post.

      Shill away, dude/tte, shill away. We smell where you're coming from.

      1. This post has been deleted by its author

      2. HatchFields

        Re: It's def about money. Just not yours.

        Yes I did create an account to post. Those were the rules unfortunately. But I'm glad I did as I don't speak up enough for reasons not unlike your own pearls of wisdom that I'd be wasting time. I wasn't intending to hurt feelings as most of my commentary was in jest merely to make my point that the majority of commentary sounded (perhaps smelled) like an echo chamber in the mens room. So I smelled too. ;) At the end of the day I raise my glass.

        1. Cliffwilliams44 Silver badge

          Re: It's def about money. Just not yours.

          It's El Reg! The echos in here are infinite!

          infinite,infinite,infinite,infinite,infinite,infinite...

    2. SundogUK Silver badge

      Re: It's def about money. Just not yours.

      Your pathetic immaturity sings out load, millennial.

      1. This post has been deleted by its author

    3. AMBxx Silver badge
      FAIL

      Re: It's def about money. Just not yours.

      Try using paragraphs. Then try to make a reasoned point without insulting people who aren't like you.

    4. Nick Ryan

      Re: It's def about money. Just not yours.

      Did you have a point other than to claim "it's shiny therefore it's good"?

  10. Pascal Monett Silver badge
    FAIL

    "It's time for us to collectively ... commit to eliminating passwords entirely"

    I agree.

    I will gladly do that the day you prove to me that my biometric data will never be hacked.

    1. Anonymous Coward
      Anonymous Coward

      Re: "It's time for us to collectively ... commit to eliminating passwords entirely"

      And don't forget the part where someone should also guarantee your biometrics are used **only** for the login

  11. Barry Rueger

    What could go wrong?

    Given the track-record of these companies on things like privacy, or even basic human rights, there is really only one question that needs to be asked:

    What are the ways that this could all go horribly wrong?

    1. Richard Jones 1
      WTF?

      Re: What could go wrong?

      Correction, 'What are the ways this will go horribly wrong'.

  12. HenryCrun

    Mobile devices are not the answer either

    I really hope that as well as passwords we can junk using mobile devices, particularly mobile phones, as an authentication solution because of the risk of theft or SIM cloning. Still fighting so many sites that mandate a phone number as part of their security protocol.

    1. Richard Jones 1

      Re: Mobile devices are not the answer either

      For a start, what about the not spots with poor to no mobile service? I can see the buildings of central London from near my home, but mobile service in the house, all I can do is hope.

  13. Big_Boomer

    This old chestnut again?

    Once again someone announces "we are doing away with passwords" but we have nothing PRACTICAL to replace them with. <YAWN!>

    Fingerprints, face recog, hardware keys, 2FA, and many many others have all been tried, and all have failed the 2 tests required for universal adoption - Is it easy to use? - What happens when my authentication is compromised? 2FA is fine for anything that you only use occasionally but is a royal PITA when used multiple times per day. Fingerprints are too easy to fake, face recognition can be fooled with a decent photo although some of the newer systems would require you to 3D print a copy of the face, and hardware keys,... ooops dropped it in the loo/dog ate it/is in my wife's handbag and she has gone to NZ to visit her sister.

    1. Giles C Silver badge

      Re: This old chestnut again?

      Reminds me of when bmw introduced the keyless ignition there were stories of people dropping off someone at an airport driving to a fuel station and discovering the “key” was in a pocket 15000 feet above them as there were driving on the other persons key and theirs was at home….

      Obviously finding this out after stopping the engine.

  14. steviebuk Silver badge

    Sort your software out first

    So I was rolling out Outlook 2013 to phones and laptops a year or two ago still. Outlook 2013 is WELL aware of 2FA, yet the pissing, cocking bollocks would decide, on random users when I'd turn it on, in their account, to decide "What? 2FA? What's that then? I've never heard of that. You'll have to just give me a one time password for that user instead" so I'd have to, just for that one user, setup one time password, just for pissing Outlook 2013. Then a month or so later, another user would come along with the same issue. Their password expires, Outlook then asks for it, repeatedly fails to login & then I discover its another user where Outlook 2013 has randomly forgotten about 2FA.

  15. Anonymous Coward
    Anonymous Coward

    "found that users were continuing to use the same passwords"

    So replace all of them with a single five-six digits PIN? Once you're into a personal device you can access everything? Is this an improvement?

    Moreover the problem of 2FA is you need one or even multiple devices to access your systems. I already have to carry two mobiles - one for accessing work accounts, the other to access my personal ones. And no, I don't want to install my banking app on my work phone controlled by my company IT - nor my personal mailboxes. I don't even want to be forced to always carry with my phones designed to track me all the time.

    When using separate tokens more than once I had to call home and ask to read the number it displayed to access company accounts - because I forgot them. Now if my phone doesn't work I can't access my banking site until I get a new one.

    1. Nick Ryan

      Re: "found that users were continuing to use the same passwords"

      Every step is reducing security, not improving it.

      Security is always a balance of convenience compared to actual security, which is fine, but replacing the secret, changeable part of authentication and replacing it with something that is neither secret nor changeable is nothing short of retarded. Swapping the user identifier for biometrics is fine, pair this with a password and one has an improved system. Replacing the password with biometrics always reduces the security, hell it's what we do when letting someone we know, and possibly expect, into our own home. Replacing both the user identifier and password with biometrics is fine for very low security scenarios.

  16. Nick Ryan
    Stop

    Replacing the secret, changeable component of an authentication with something that is neither secret nor changeable is security idiocy all pushed by those who have absolutely no concept of security whatsoever and live in the shiny la-la land of Hollywood movies.

    Biometrics can add to security, in fact they are a very good replacement for the user identifier, however they are not a replacement for the secret component.

  17. luminous
    Pint

    A PIN is just a numeric password. I read this article thinking I must be really stupid, or just very worn out as it's Friday night. Tell me it's just me that's an idiot? None of it makes any sense whatsoever.

    1. ThatOne Silver badge
      Devil

      Don't let logic get in the way of a perfect marketing scheme. Things are what you tell the suckers to call them: Passwords are bad, so our password is not a password, it's a, um, well - a "Freedom Number"! Yay!!! Ain't we cool?...

    2. Captain Scarlet
      Mushroom

      Yup and because it can only contain digits less secure than a password.

      1. Anonymous Coward
        Anonymous Coward

        PINs used for Windows can be anything. For example, the "PIN" I use for my work laptop is a 12 character mix of digits, mixed case letters, and one symbol, and is not used on any other device in my life. And yes, I am aware the most secure part of that is the length.

        1. Cliffwilliams44 Silver badge

          So, it's a password!

          1. Anonymous Coward
            Anonymous Coward

            Not exactly. It only works on this one device and never expires. I have a separate password for the account which is used for some online services which aren't connected directly to the Windows login session, but it's different to the "PIN", and expires every three months.

            I mean, yes, technically all PINs function in the same manner as passwords to some degree. The fact a lot of PIN implementations limit themselves to just numbers is beside the point.

        2. ThatOne Silver badge
          Stop

          > PINs used for Windows

          Irrelevant. This here is a numerical PIN, because it has to work (mainly) on phones. So it is numbers only (not everybody has a smartphone).

          I know what I'm being offered here is 6 digits, that's all. YMMV but it would surprise me.

        3. Captain Scarlet
          Mushroom

          For me PIN means "Personal Identification Number"

    3. Cereberus
      Pint

      It's just you that's an idiot

      Sorry you did say - have a pint as an apology ----->

      I thought exactly the same how can systems access be more secure using a numeric password with each position having 10 options than one that has 36 lower case, 36 upper case, 10 numeric and whichever special characters may be allowed - so a minimum of 82 possible options for each position.

      Also how many people (general public) will just use the same 'pin' number or worse default to 1111 or 1234 (extending to the number of characters needed - i.e. six being 111111 or eight being 12345678)

      1. ThatOne Silver badge

        Re: It's just you that's an idiot

        > how many people (general public) will just use the same 'pin' number or worse

        Which shows once again that this crusade has nothing to do with "security". It's just a power grab, all your passwords belong to us.

      2. jgard

        Re: It's just you that's an idiot

        Upper and lower case each with 36 characters? That's one funky alphabet you are using there :)

        I set a Windows laptop up for my nephew recently, and after clicking through heinous and intrusive pages about directed advertising, I arrived at the request to create a PIN. If I remember rightly, it claimed that it increases security. I simply don't understand the logic behind PIN usage. Unless you are a complete buffoon, the PIN will almost certainly contain less entropy than a traditional password you'd create.

        To be fair, I discovered that a PIN won't give you admin access, even if you are an admin; you have to elevate permissions with your full password for that. I also realise that the PIN allows access to the machine only. But in terms of mitigating the most important threats, those two measures are useless. It doesn't really matter if a PC is hacked unless your victim has sensitive docs etc. But once you are logged in, you can probably access all their internet accounts via their cached browser credentials, or the cunningly titled pa$$w0rdz.txt that you find in the 'my docs' folder.

        From a security perspective that's pretty terrible, which is why I'm convinced PINs are NOT about security. Instead PIN authentication is a tactic to get you to use a Microsoft account - the PIN is a dangling carrot. If you tell Joe Public he can use a 6 digit PIN rather than a complicated bloody password that includes squiggles and numbers, and then advise it's more secure too, he'll take that carrot in a flash. The fact that he needs to set up an MS account first won't bother him at all. Hey presto, MS has access to a new user's personal information, their browsing habits, laptop login times, maybe their private conversations 'to improve Cortana' (yeah right) etc.

        It's all one big con, and one that Apple has been running for years (try using a Mac without an Apple ID and see how much functionality is unavailable). Microsoft are just playing catchup. It's thoroughly depressing.

  18. Anonymous Coward
    Anonymous Coward

    "Also, folks should be able to use FIDO authentication on their mobile devices to sign into a website or application on a nearby computer using whatever operating system or browser they're running."

    Unless it's my bank's website, all the other websites can piss off about getting my mobile number or me installing some crap-app on my phone.

    "The complete shift to a passwordless world will begin with consumers making it a natural part of their lives," Alex Simons, corporate vice president for identity program management at Microsoft, "

    translation: "once everyone forgets that in The Old Days they weren't required to have a mobile to access Internet sites on their desktop, life will be soooo much simpler for us"

    (...shakes fist at sky and mutters into beard.)

  19. ThatOne Silver badge
    Alert

    BS

    > people have a tendency to pick poor passwords

    And people have a tendency to cross roads without looking. The obvious solution is to ban roads, isn't it.

    This is such an obvious attempt to grab control: Once you have become the proverbial "one ring to rule them all", you totally and absolutely control the private and professional lives of everybody: They can't even step out of their homes without your consent. And you can charge for that consent as much as you want, because your offer is literally one they can't refuse.

  20. Anonymous Coward
    Anonymous Coward

    Control

    1. Gets you to upgrade to latest and greatest software and hardware.

    2. Gives them more control over when/where/how you access your data.

    3. Gives them greater access to and control of your data.

    4. Allows them to lock you out when you become a social media problem of any kind or are deemed unacceptable because you don't support the latest thing.

    5. Allows for greater surveillance, data sharing and access enablement to law enforcement.

    6. Claim it's for your own good.

  21. John 104

    PIN?

    A PIN is just a shitty, short password....

    As for moving away from passwords and using biometric? No thanks. A password is intellectual property and can not be subpoenaed. A fingerprint or your face, however, can be.

    2FA is the way to go and anything peddled as better is just dumbing down security.

    1. Anonymous Coward
      Anonymous Coward

      Re: PIN?

      That's why my phone's fingerprint authenticator runs a program thst does a 99-pass drive wipe thst can't be stopped once it starts. Go ahead, force me to "unlock" my phone with a print.

      I was going to use a small bit of C4, but decided against it - it would be MY finger being used as the trigger.

      1. Anonymous Coward
        Anonymous Coward

        Re: PIN?

        "it would be MY finger being used as the trigger."

        You do know, in the movies, you usually aren't still alive or attached to said thumb. Just saying... if you're gonna go, go with a BANG!

  22. jreagan

    SQRL

    Personally, I prefer Steve Gibson's SQRL solution which is also password-less and seems better than FIDO to me.

    www.grc.com/sqrl

    1. ThatOne Silver badge

      Re: SQRL

      Sounds like a password without a login to me. Thus (marginally) less secure than the classic login/password combo.

      Remains obviously the "app manages everything for me" part, but a password manager does as much for a login/password combo, so I fail to see the obvious advantages of SQRL.

      (But I admit I just had a quick look and didn't delve into the details.)

  23. nijam Silver badge

    > ... password-less authentication methods, such as the device PIN...

    Because a 4-digit PIN is so much more secure than a password? Now I think about though... it is just a password.

    1. Anonymous Coward
      Anonymous Coward

      PINs are unique to the device and are, in the case of Windows today and, presumably, other sites/services/software tomorrow, connected to the TPM which includes multiple physical security mechanisms to make it tamper resistant. The TPM will be responsible for holding encryption keys for the OS and/or the hard drive if that's also encrypted. Enter too many wrong PINs trying to unlock Windows today and the device will be locked - just like mobile phones have been since forever - essentially bricking it until it can be unlocked with a full account password and probably some other 2FA verification.

      If your password is compromised, on the other hand, any device or service connected to your account will also be compromised.

      1. Anonymous Coward
        Anonymous Coward

        Just like people re-use passwords, they will re-use PINs across devices - for the reason they are passwords.

        And when a device is compromised, all services accessible via the device are compromised as well. No defense-in-depth, you're protected only by the edge system.

  24. sreynolds

    No thanks....

    I am not putting all my tokens in one basket controlled by those ba$tard$.

  25. Champ

    Yes, I re-use my password - what of it

    There are a gazillion shitty websites that I've had to create an account on over the last 20+ years. Of course I'm not going to use a different password for each [1]. On precisely none of these do I care if my details get hacked. Say the crims find I bought some questionable furniture from Ikea last year - so what? Even sites that persist credit card details still need the CVV to complete the txn.

    For anyone with any sort of online life, the only options seem to be password re-use, or use a password manager [2]

    [1] and, yes, I have tried password managers. Haven't found one that gives me a compelling use case yet

    [2] see [1]

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like