Get a new device, or lose your device, and then what?
Microsoft, Google do a victory lap around passkeys
Microsoft today said it will now let us common folk — not just commercial subscribers — sign into their Microsoft accounts and apps using passkeys with their face, fingerprint, or device PIN. The additional support for Microsoft consumer accounts works across Windows, Google, and Apple platforms, and Redmond described the move …
COMMENTS
Sunday 5th May 2024 06:54 GMT djnapkin
> Verify yourself using the Authenticator App
which was on the device you just lost
> Create a new passkey on the new device.
for every site. So, for the hundreds of passwords I have, I'd have to jump through all of those hoops, hoping I can get through the 2FA, for each one? Something doesn't smell right here. I recently did reset my device, and the 2FA for a stock trading site in the USA was gone - their app has no backup. That required a phone call to the US based support staff to be able to log in again. Sure hope I wouldn't need to multiply that experience by a hundred.
Friday 3rd May 2024 06:37 GMT DS999
You sync to the cloud
Yes, this is a potential issue since by default cloud backups aren't encrypted with a user-supplied key on either iOS or Android, which at least on iPhone means your passkeys will NOT be saved to the cloud since they're on your keychain. Not sure what it means on Android, but either alternative (they aren't backed up, or they are but someone accessing your cloud can get your passkeys) is bad.
Ideally there would be a way to export your passkeys to an encrypted file you could put on a USB key (or two, they aren't super reliable) and stick in your safe. Not sure if that's supported already but I'm sure it's coming if not.
Friday 3rd May 2024 00:28 GMT deltics2
This is the part I can't get my head around...
... if I get a new device, or simply want to access a site that I already have a passkey for from a different device, I don't have the passkey previously used. Presumably there will exist some mechanism by which I "prove" that I am the person who has/had that other passkey, so that a new/additional passkey can be created.
A bit like how I used to use a password to "prove" who I was before.
Can someone explain to me how that is not a bus-sized hole in the whole thing?
Friday 3rd May 2024 06:47 GMT DS999
Re: This is the part I can't get my head around...
The iCloud "fiascos" were people not using 2FA (I don't think Apple offered it back when they had the "celebgate" breaches) or I suppose using 2FA with SMS which isn't that hard to defeat.
If you use the option to encrypt your iCloud backups with a key you supply then it doesn't matter if someone breaches your iCloud. If you don't use that option your passkeys won't get backed up at all (by default anything on your keychain is not backed up via iCloud, you'd need to do an iTunes backup to your local PC instead).
As mentioned above, even if you don't back anything up you can recover your passkeys one site at a time using the 2FA method you enrolled when you created it. Not ideal but hardly a "747 sized hole". Maybe try reading something about passkeys (and iCloud in 2024 rather than 2014) before jumping to conclusions.
Friday 3rd May 2024 11:52 GMT Doctor Syntax
Re: This is the part I can't get my head around...
"or I suppose using 2FA with SMS which isn't that hard to defeat.
...
As mentioned above, even if you don't back anything up you can recover your passkeys one site at a time using the 2FA method you enrolled when you created it."
So you can recover a passkey site-by-site using a 2FA which may not be hard to defeat. That doesn't seem to add to security at all. And if you do have a protected backup you still need to preserve a means outside of the passkey mechanism - another easily defeated 2FA job - to recover it.
Friday 3rd May 2024 14:17 GMT Anonymous Coward
Re: This is the part I can't get my head around...
What if the 2FA is an authenticator app on the broken device? To prevent account loss, there has to be some non-device-specific way of recovering access. Right now that would typically be either an SMS or email, neither of which is terribly secure.
Friday 3rd May 2024 16:29 GMT Crypto Monad
Re: This is the part I can't get my head around...
> What if the 2FA is an authenticator app on the broken device?
In principle you just need to back up your 2FA seeds, which is potentially easy (even a photo of the QR code used to enrol will do).
The trouble is, nobody remembers to do this until it's too late. And do it for every site you've registered to.
Friday 3rd May 2024 20:25 GMT DS999
Re: This is the part I can't get my head around...
At some point responsibility is on the users. Are you saying you would refuse to use a system that isn't perfect if you don't take basic precautions like cloud backup or ensuring your 2FA is not a single point of failure? If you use the current password system + 2FA and use an app on your phone that's got no backup for 2FA how is that any better? Because you have the "security questions" to reset your password as a fallback? Those are just more passwords that are far far easier to guess (yes you can do what I do and make up answers so at least they are not guessable, but if you're smart enough to do that then you're smart enough to back up your passkeys).
There is no world in which passkeys are worse than the current alternative. For an educated user they provide near perfect security and full protection against loss of access vs passwords which only provide equivalent security if you use 2FA - and since 2FA is not standardized even to access the sites that support it you need multiple forms of 2FA including insecure ones like SMS. I don't even use 2FA that widely and I have two different apps plus Apple's built in 2FA, and SMS in addition to that, to deal with.
For an uneducated (typical) user passkeys also provide near perfect security, but there is some risk of loss of access. For stuff that's important like your bank there will be ways around it (going in person and showing an ID type of steps) for something less important like the Reg you'd just create a new account. Passwords by contrast provide terrible security for the typical user who will re-use them as much as possible, and only use 2FA where forced. You can lose access with passwords too...
Saturday 4th May 2024 19:18 GMT Crypto Monad
Re: This is the part I can't get my head around...
You can lose access with passwords too...
Pretty much every service lets you reset passwords via E-mail. And yes, that means your entire digital life ultimately is only as secure as your E-mail. But unless you lose access to E-mail (and that's just one recovery credential to secure), you can regain access to everything else.
Many systems today do not meet the underlying security and *availability* needs of normal users. For example, which would be worse: a stranger seeing your wedding photos, or you losing your wedding photos forever? The answer will be different for different people, but for many, the loss would be the worse outcome.
Passkeys tip things in that direction. You trade off a reduced risk of people accessing your accounts (which is good), and ease of access of not having to remember passwords (also good), against losing access to *all* your accounts (which is very bad).
Passkeys are not cloneable, by design. So what do you do? One option is to use a passkey to access a central authentication service, and then use that service to access everything else. You then only need to work out how to backup access to that central authentication service, which is relatively straightforward (e.g. recovery codes in a vault, or a second passkey kept in a different location)
Friday 3rd May 2024 04:41 GMT Pascal Monett
Because dongles cannot be monetized, whereas your biometrics can be compiled, collated and statistified, which allows for monetization.
Never mind that, if there is a cock-up (there will be), your biometrics will end up in a hackers' database and sold on the dark web. This is the Future, dictated by those who have the money.
And we all know the Golden Rule : those who have the money make the rules.
Friday 3rd May 2024 08:18 GMT Anonymous Coward
Man, they are really excited about getting my biometric data
If it's done properly, "they" never get your biometric data.
Decryption of your encrypted private key with your fingerprint, face or PIN happens locally on your device, so these are never sent. The private key isn't sent either - you send a message that is signed with your now decrypted private key (using a hashing algorithm.) The website you're trying to access has a copy of your public key associated with your online account, and using the magic of PKI cryptography, it can tell conclusively that the sender of the message has the private key paired with your public key, and therefore it really is you trying to log in.
Saturday 4th May 2024 00:05 GMT Anonymous Coward
The user TRUSTS their fingerprint/face/PIN are never sent.
The user TRUSTS both the fingerprint/face false negative and false positive rates are low enough. False negatives defeat the purpose, high cost is anathema, so expect some equipment makers to fudge on the false positives.
If/when the word gets out that brand X phones can be easily fooled then phone thieves will target them like KIA cars.
Friday 3rd May 2024 02:50 GMT luminous
"Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts," project managers Sriram Karra and Christiaan Brand said.
So each person has done it on average 2.5 times. Is this even impressive? And only 20% of gmail users have taken part.
Again I don't really understand how a passkey is better than a password. Just use a password manager. There are plenty that are free, if like me, I don't need the premium features.
Friday 3rd May 2024 07:50 GMT abend0c4
They're better in that the "password" never leaves the device and cannot be replayed. Many password managers support them. Indeed, you probably need a password manager to use them conveniently if you want to authenticate on multiple devices and back up your access credentials - and not be dependent on the whims of Google, Microsoft and Apple to preserve them and offer you continued access.
Friday 3rd May 2024 16:53 GMT Jaybus
It is because passkey is a strange name for the thing. It is really a system using public key cryptography. The website only stores the public key. The private key never leaves the client device. The biometrics or PIN also never leave the device. They are just used to unlock the private key.
Friday 3rd May 2024 06:24 GMT DS999
Re: Farcical
The goal is to prevent password based attacks where someone steals a list of email/passwords from some site and then re-uses those to login to a bunch of other sites because most people aren't going to bother with the whole "use a different password everywhere" thing and only push back harder against that as sites make them have capital letters, numbers and symbols - I keep waiting for the first site that tells me I need an emoji in my password lol
To spoof your face they'd need physical possession of your device, which will be rather difficult for a scammer in Russia or China. That's really a non issue as far as I'm concerned, especially since if my phone was ever stolen I'd be able to remotely brick it so they'd have to not only steal it but bypass my face pretty damn quick. If I had forewarning it would be stolen it's easy to disable Face ID in an instant as I reach into my pocket to hand it to them, then they'd have to guess my phone's password AND spoof my face before I brick it.
I mean, which problem should be fixed? The password based attack problem that affects countless millions of people per year, or the face/fingerprint spoofing attacks that affect so few people I don't ever recall a single Reg article about a real case (i.e. not a researcher saying "it is possible to defeat this"). If you're an Important Person(tm) you might have to worry about that but even there they don't bother to hack your biometrics. They deploy Pegasus (or whatever black hat world equivalents are out there) and remotely hack your phone. So spoofing your face/fingerprint just isn't something anyone needs to worry about in the real world, because it isn't being done in any actual attacks.
Friday 3rd May 2024 12:03 GMT Doctor Syntax
Re: Farcical
a list of email/passwords from some site and then re-uses those to login to a bunch of other sites because most people aren't going to bother with the whole "use a different password everywhere" thing
Don't require email as a login ID. Preferably have some other site issue a login ID. Unless the attacker can work out what ID a site might have issued that entire site list is useless for other sites. Collect an email address if needed to communicate with the user but don't use it as a login ID. Collect real names if needed but don't use them as a login ID. Set up a user handle if needed (e.g. on el Reg) but don't use it as a login ID. If that were normal practice we almost certainly wouldn't be having this discussion every year.
Friday 3rd May 2024 13:18 GMT Snake
Re: Farcical
You do realize that, by putting your trust into the face recognition on your device, it also means that, if ever arrested, the rozzer will have full and legal access to those accounts as it has already been decided that this is within their rights due to you being physically detained? And that 'physical detained' means 'allow all access to physical features of the suspect, including fingerprints and facial images'???
You want that, good for you. Stop believing that everyone else does.
Friday 3rd May 2024 14:54 GMT Frogmelon
Re: Farcical
Correct me if I'm wrong here:
Having seen Windows Hello in action, once face recognition is enabled the device (say, a Microsoft Surface) automatically scans for a face.
Sooo... Say you get accosted by criminals or detained by the police all they would need to do would be to force you to sit down in front of the camera and - bingo! - they're in to your account.
Without even having to pull your teeth out to force you to divulge the password.
I know it's a niche scenario but I did think that was rather insecure.
Friday 3rd May 2024 20:40 GMT DS999
Re: Farcical
No the cops won't. If I'm ever arrested I'll disable Face ID on my phone (just squeeze one of the volume buttons and the sleep wake button on the other side for a split second) and then my password is required to unlock it.
I suppose if I'm arrested by surprise (for what, I can't imagine) they could theoretically get my phone before I could do that. But Face ID requires looking at the phone - I have to have my eyes open and looking in the direction of the phone. Even if they hold my head down and pull my eyelids open I can look to the side and the phone won't unlock. I suppose they could beat me until I look at the phone - just like they could beat me enough to give up whatever passwords they want.
Anyway the law isn't clear on that in the US, I don't think many prosecutors would want to try a case where the cops made you unlock your phone with your face because they know there would be appeals and that evidence could be taken away from them. They like to win cases quickly by someone pleading guilty, they don't like to go to trial especially when they know they could not only lose but lose in a public way that makes them look bad before the voters.
Friday 3rd May 2024 06:40 GMT Adam Inistrator
Think of private keys as just passwords by another name and the mechanics and implications become more clear. They have the advantage of being totally random and separate for each site but you are dependent on the password manager that looks after them. Matters are out of your hands. That is a good thing for most people I guess.
Friday 3rd May 2024 08:49 GMT Anonymous Coward
Think of private keys as just passwords by another name
Not really, a password is not private, in that you give it away (type it in and send it over the network) when you're logging in to a server or website. A PKI private key is just that, i.e. private, in that you never give it away to anyone, ever, so it never leaves your device. The only thing to leave your device is your public key, which is safe to give to all and sundry.
Friday 3rd May 2024 10:06 GMT AndrueC
Not really, a password is not private, in that you give it away (type it in and send it over the network) when your're logging in to a server or website
You shouldn't be. That would be a really, appallingly bad design. What you send is some kind of encrypted version of your password. The remote server doesn't store your password either. What your computer sends is the encrypted version of your password and what the server compares this against is the encrypted version of your password. Your actual password is only stored in two places: Your brain and (very temporarily) the local computer's memory while it's being typed in and even then there should be some form of encryption so arguably it's not stored even then.
Now granted something is still being sent to the server but it isn't something that's useful for another human to type in. If you know that '$GHfg8H' is being sent then you need to work out what actual string when encrypted generates that sequence and with a complex password that could take you years.
And that's a simple example. In practice the software is not just going to send a user name and a password. It will send an encrypted blob of data (typically a list of actions/resources that it wants access to along with your user name and password). And the encryption will be such that the blob of data is different each time you send a log in request even with the same credentials.
But passkeys should not be seen as the ultimate solution. They are an attempt to mitigate against the most common attack vector. The force an attacker to either go the account recovery route or to gain access to physical devices. Both are a lot harder than simply re-using a password that worked elsewhere.
Friday 3rd May 2024 10:50 GMT Hawkeye Pierce
>> What you send is some kind of encrypted version of your password
That's not really true for 99% of all websites, at least in the way that I think you mean. Those 99% are sending your password as you typed it to the remote server although hopefully over an (encrypted) HTTPS connection. Yes, the server should then hash (not encrypt) the received password and compare against the hashed version stored in its database, but the server most certainly receives your password in the vast majority of any website (Google being an exception).
If it was as you said, then the hashing mechanism along with the salt would be visible for all to see in the client's browser making a rather large security issue. HTTPS provides sufficient encryption of your password to make it fine to send as you typed. After all, if someone was able to intercept and somehow decode your HTTPS traffic, your "encrypted version" of your password could be easily enough reverse engineered given that the encryption mechanism would be known from the front-end and thus you've not really added any additional security over the fact that you're sending it over an encrypted connection.
(The above is somewhat simplistic, there are mechanisms whereby the server could pass randomly generated and time limited salt to the browser to use but that greatly complicates matters with no appreciable change to the security level.)
Friday 3rd May 2024 11:38 GMT Charlie Clark
Unless sites are implementing forward security, the password will arrive at the application as plaintext, which is when it hopefully gets salted and hashed for comparison with the hash on the server. Of course, it should be possible to do the salting and hashing on the client but AFAIK that's not the case, not that it would solve the problems anyway.
Friday 3rd May 2024 16:05 GMT David Nash
The other point is that the passkey is stored on your device and the biometric or PIN is only used to unlock it to sign the message sent to the server. ie. if you use a PIN rather than biometrics, the PIN is of no use to the bad guy unless he/she has your device.
That's if I have understood it correctly. I did wonder what I was missing with the whole "login with a PIN" thing, which just seemed like a less-secure password. But it makes sense in this context.
Friday 3rd May 2024 07:28 GMT Paul Crawford
most people have a phone that can install an mfa of their choice
The problem is most folks access stuff from their phone, so really it is SAF as anyone who can compromise the phone has all the keys to the kingdom. But nobody has a phone that has years-old un-patched vulnerabilities? Right? Right....
Friday 3rd May 2024 09:29 GMT Flightmode
TFA> For those wondering about multifactor authentication, it's kinda baked in...
"kinda" being the operative word here, and this is what gets me. The original idea for MFA (or 2FA as we called it back then...) was that you can only gain access to a resource with "something you know", i.e. a password or PIN, and "something you have", i.e. a one-time-password fob, a Yubikey or a mobile phone you could receive a text message on. When biometric data became more prevalent, the paradigm shifted more toward "something you know" and "something you are" - ie. use your fingerprint, iris or face scan to authenticate you. This, can be argued, made things more secure in some way; if someone has my password and steals my phone - they can't easily get into the phone to open my authenticator apps (or, god forbid, read my texts - for those services that still use SMS). Right now for MFA I need both my resource username and password (know), my phone (have) and my face to unlock it (are) and then either my face again (are) or a PIN (know) to unlock the relevant authenticator app. That's quite a few factors.
I fear that what we're seeing now is a shift to one or more "something you ares" combined with a single "something you have". This means that if I get "physically compromised" - by muggers, kidnappers or even law enforcement - they will likely also have access to my phone as I always have it on me. With this shift, they no longer need the "something you know" portion; they can unlock the phone with my biometric data (by forcing my finger, holding my head or lifting open my eyelids; whatever method I use to unlock the phone/app).
Yes, this will help protect against the successful credential stuffing attacks that follow user data leaks. I'm sure that WE all use password managers with unique 20+ character randomly generated passwords for all our various services, but there are a lot of people who don't want to go through the hassle. For them, this might be a significant improvement in security. For myself, I'm not sure it's worth it?
Friday 3rd May 2024 12:13 GMT Doctor Syntax
Agreed, and the other downside is "access to my phone as I always have it on me" along with the unspoken "and it's always charged" and the OP's "most people". It creates a lot of cases where some people are permanently disenfranchised unless they get a phone they don't want or can't afford and others, including me, are often temporarily disenfranchised.
Friday 3rd May 2024 12:45 GMT heyrick
"that can install an mfa of their choice"
And be beholden to a third party that might have its own issues...
Chrome almost hits a sweet spot here in that it supports regular password entry (via https) but when it spots an unknown site it will offer to suggest a suitably gibberish password, and remember it for you. In addition, you need to use biometrics or something in order to access saved passwords, which while it isn't foolproof it is good enough for most domestic use cases.
The reason why it "almost" hits is because you don't need to use biometrics to authorise the use of a stored password, which actually risks making things easier if somebody swipes your phone. So, almost but not quite.
Friday 3rd May 2024 10:22 GMT Mike 137
using passkeys with their face, fingerprint, or device PIN
Two identifiers and one authenticator. When, oh when, will the distinction sink in? An identifier must be durable, but an authenticator must be changeable and rescindable at will. This is so basic that it's impossible to conceive why, after several decades, it hasn't been recognised, even by big players that profess to drive infosec.
Identifiers are not secret -- they're commonly public knowledge, but authenticators must be secret. Which is why a one time authentication code generator is the best tech we have. It's also why using a password as an authenticator is so stupid (but widely done).
However this is not just a tech problem -- it's cultural. One of my UK utility providers' phone helpline uses the (relatively private) account number as the identifier, and the address and post code (zip code), which are public knowledge, as authenticators. There's a fundamental failure to understand the problem, coupled with an apparent lack of interest in whether it's really solved or not.
Incidentally, that utility now prefixes its caller message with "we take your security seriously" despite continuing to misuse credentials in this manner. I wonder whether they've had a data breach they're not talking about.
Friday 3rd May 2024 11:01 GMT Anonymous Coward
Re: using passkeys with their face, fingerprint, or device PIN
But you need to consider the security/threat level.
Why didn't you need a one-time authentication code to post your comment above to The Register? Because that would be overkill in terms of security.
Depending on what the account number looks like at your utility, I suspect I could quite easily guess likely other account numbers. But, from the comfort of my own armchair, I'd have zero chance of randomly guessing another account number AND the postcode.
So your utility provider will (hopefully... but possibly not) have considered what level of identification is required versus the inconvenience to them and to you by putting something else in place and weigh that up against the potential threat. If the account number and postcode are used to just get past the initial "hello" they may then apply additional forms of security should you then ask for something that raises the threat level - for instance refusing to refund any balance to anything other than the account the direct debit comes from.
Any form of security creates barriers. Multiple levels of security creates multiple levels of barriers. The type/complexity and the number of those barriers has to be considered and should be proportional to the likely threat.
Friday 3rd May 2024 12:22 GMT Doctor Syntax
Re: using passkeys with their face, fingerprint, or device PIN
"Identifiers are not secret -- they're commonly public knowledge"
Why? They don't have to be. Sites insist on using an email address as an identifier. They shouldn't, even if they collect an email as necessary contact information. All that happens is that the general public has been trained to accept that they don't have to remember/record unique ID/password combinations. If the site issues a user ID, maybe three random words, then even if the user always uses the same password the unique, secret identifier means that the combination is unique and secret.
Saturday 4th May 2024 05:32 GMT Richard 12
Re: using passkeys with their face, fingerprint, or device PIN
And the user will have absolutely no idea what the identifier is.
Families who share the same PC generally don't use individual user accounts. Sure, they could, but for most it's just not worth the hassle.
So there will be a list of user ids stored in the browser. If they're email addresses or user-provided usernames then they'll recognise their own.
If they're randomly assigned, they will regularly accidentally try to log in as the wrong member of the household - probably only realising if the wrong cellphone pings the TOTP.
Friday 3rd May 2024 11:55 GMT Charlie Clark
It's all about liability
If you look at the history of securing commercial transactions, you'll realise it's really a history of liability. As soon as providers become liable for the security of a transaction, they look at technical means of shifting liability to the customer (or, in some cases as happened with banking PINs, selling insurance against fraud) and this is nothing different. The idea is that, if the password is never sent to the provider, they can't be held liable for it being compromised. But the implementations tend to prioritise ease of use and this will always introduce new areas of risk. In this case, the private keys have to be stored somewhere, making them the next target.
Friday 3rd May 2024 13:22 GMT Doctor Syntax
Re: It's all about liability
If the password is salted and hashed that should deal with the risk of holding that. The problem sites aren't really those who realise the risk - they could mitigate it. It's the sites who don't or don't care who hold the entire database in clear and don't hold it securely enough.
Friday 3rd May 2024 13:32 GMT Anonymous Coward
Car doors, innit ?
No security is going to be 100% effective.
The trick is being happy with the 99% which puts you just ahead of the people who make it easy.
In that sense it's like locking your car doors to encourage the threats to try the next one.
If someone *really* wanted into your accounts, then they'd call some blowtorch wielding bad guys.
Friday 3rd May 2024 13:34 GMT SHLinux
What about your phone breaks on holidays?
So in the old world, you are on holidays, drop your phone and it breaks. You go to a shop, buy a new one, login to it with user and password and setup everything else.
But what about when it happens with a passkey? You have no Authenticator app or anything else, so how to login?
Sunday 5th May 2024 07:12 GMT djnapkin
Re: What about your phone breaks on holidays?
> But what about when it happens with a passkey? You have no Authenticator app or anything else, so how to login?
Easy. You just request a reset via email, and ...
Wait, your email account is protected by a passkey, or SMS to your phone that you don't have? Ah well, too bad, so sad. No more fun holiday for you.
Friday 3rd May 2024 13:36 GMT Paul Uszak
So everyone's password is literally "SECRET"?
To you reading this post - is your password "SECRET" as well?
It must be as that's the only way 4000 passwords can be cracked per second. There's no other possible answer as all of the sites mentioned in this article obviously use salted key derivation functions (KDF). So rainbow tables are out with good salts (>=128 bits). And who's going to try millions of potential candidate passwords if all take 0.1 second to initially authenticate and then have exponential back off delays before the next login attempt is allowed? And where does all the RAM come from if the KDF is memory hard (e.g. Argon2) and requires hundreds of MBs to directly try an encryption key?
I'm pretty sure that the NSA is not trying to crack my skateboarding turtle with parrot video site.
What am I missing?
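The online half of the defence Paul Uszak describes, a fixed cost for the first attempt and exponentially growing delays after each failure, is simple to express and worth quantifying. This is an added example written for this page, not code from the thread; the base delay, the cap and the per-account bookkeeping are the example's own choices, and the clock is injectable so the behaviour can be checked without waiting. `maxGuessesWithin` answers the "who's going to try millions" question directly by counting how many online guesses the policy admits in a given window.

```javascript
// Per-account throttle: after each failure the next attempt is accepted only once the backoff
// window has passed; the window doubles per consecutive failure and is capped.
function createLoginThrottle({ baseDelayMs = 100, maxDelayMs = 60 * 60 * 1000, now = () => Date.now() } = {}) {
  const state = new Map(); // account -> { failures, notBefore }
  return {
    // Call before checking the credential; a refused attempt costs the server nothing (no KDF run).
    check(account) {
      const s = state.get(account);
      const wait = s ? s.notBefore - now() : 0;
      return wait > 0 ? { allowed: false, retryAfterMs: wait } : { allowed: true, retryAfterMs: 0 };
    },
    // Returns the delay imposed by this failure, in ms.
    recordFailure(account) {
      const s = state.get(account) || { failures: 0, notBefore: 0 };
      s.failures += 1;
      const delay = Math.min(baseDelayMs * 2 ** (s.failures - 1), maxDelayMs);
      s.notBefore = now() + delay;
      state.set(account, s);
      return delay;
    },
    recordSuccess(account) { state.delete(account); },
  };
}

// Upper bound on online guesses against one account within `seconds`, under the same policy.
function maxGuessesWithin(seconds, baseDelayMs = 100, maxDelayMs = 60 * 60 * 1000) {
  let elapsedMs = 0, guesses = 0;
  while (elapsedMs < seconds * 1000) {
    guesses += 1;
    elapsedMs += Math.min(baseDelayMs * 2 ** (guesses - 1), maxDelayMs);
  }
  return guesses;
}

// Constructed walk-through with a fake clock so the timings are deterministic.
let fakeNow = 0;
const throttle = createLoginThrottle({ now: () => fakeNow });
console.log('first failure imposes', throttle.recordFailure('alice'), 'ms');
console.log('immediate retry:', throttle.check('alice'));
fakeNow = 100;
console.log('after 100 ms:', throttle.check('alice'));
console.log('guesses possible in one day:', maxGuessesWithin(24 * 3600));
```

Note the asymmetry this creates: the attacker is limited to a few dozen online guesses per account per day, while the same attacker holding a stolen hash table is limited only by the KDF cost and their hardware, which is why the two defences are layered rather than treated as alternatives.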
Sunday 5th May 2024 01:56 GMT Michael Wojcik
Re: Passkeys: A Shattered Dream
All true. Passkeys are crap. They're a crap implementation of WebAuthn, which was not a great idea in the first place. They're designed to lock users to a platform. They're difficult to back up. They're essentially impossible to duplicate to multiple devices, so they're a pain for anyone who has multiple devices. Apple, Google, and Microsoft — the triumvirate of "do it our way, peasants" — have tied them to biometrics, the worst of all authentication options. They're impossible to share, so they break shared accounts (which, again, is part of the plan). The implementations are bug-ridden.
Smartphones are inherently terrible authentication devices. They're fragile and failure-prone; they're expensive and theft-prone; people use them all the time and consequently they're loss-prone. They're riddled with security vulnerabilities. It's hard to think of a worse choice.
I understand why some security experts, such as many of the editors at SANS, are keen on passkeys. They deal with password exploits all the time: weak passwords, reused passwords, breaches, phishing, and so on. Anything that gets away from passwords looks good when passwords lead to half your problems. But passkeys are a terrible idea, made steadily worse by the efforts of Apple/Google/Microsoft.
-
-
Friday 3rd May 2024 16:58 GMT d.b.assets
Fingerprint
FFS people.
It's a new way to fingerprint users. Who needs cookies/trackers when anyone can simply request your public key?
All the world is sick of the privacy invasion crap, big data is under attack for it almost everywhere. Third party cookies? Don't need them, every time you visit our site we ask for your public key (that's verified as you, or as good as) and we can ID everything you do here. No more clearing all browser data, no more changing user agents, no more multiple logins. .gov wanna upgrade citizen web tracking? Sure, we now have user/software/hardware linked continuous passkeys.
Here's a question, what if I have 3 phones (business/personal/wife), 2 tablets (work/home), 2 laptops (work/gaming), 1 desktop. Say I'm on the jobsite, using my tablet, want to check my banking.
There's the home tablet passkey. Now say I'm out and want to buy a maguffin. Don't have my tablet, just my personal phone. Same public passkey? I'm just screwed until I get home to login with home tablet? What about when I'm paying bills once a month on the desktop.. How about all 5 of my checking accounts and 2 savings accounts. All same public passkey?
Only way it's usable in the 21st century is to have a single private+public passkey per person.
At that point, you are fingerprinted and (guaranteed) tracked for every jot and tittle. Forever.
Who needs cookies or trackers then? These are legal single point hardware/software/user IDs. Your public key is the ID, your private key is how you prove it.
-
Saturday 4th May 2024 17:21 GMT BPontius
Faulty theory
Passwords are compromised due to the use of weak passwords. Also it is my guess that using PINs that are typically half the digit count of a password (6-8 numerical digits instead of 10 - 16 mixed characters for a password) is a glaring security risk. At work they still require the regular changing of passwords which results in weak passwords being used, regularly encouraging the use of the same passwords for the multiple programs & systems requiring access. In theory using biometrics is a safe alternative, but what happens when your eye, face or fingerprint scan has been compromised due to the lax security practices common throughout all sectors. Common in reported security breaches and hacks finding unencrypted personal information, banking and credit card information, usernames, business and trade secrets, etc. stored on public facing servers or misconfigured databases.
There are more and more remote ways being invented and discovered for remotely intercepting keystrokes and data flow on a PC. Keystrokes and voice through vibrations of light bulbs, lamps or windows, even RF signals from wireless keyboards and mice, power supply EMF variations. Planting a virus on a system can enable the transmission of data to a laptop, or to a server. With the common use of closed circuit cameras and the lax security of most video security systems (Shodan.io, a search engine for such things), information can be transmitted off site. A cell phone or a web camera from another PC\laptop implanted with a virus can be used to see, hear or intercept data outside the office or home, through invisible screen refresh\blinking, hard drive light(s), Bluetooth and Wi-Fi data encapsulation, re-direction. Passwords are just the tip of the iceberg!!
-
Tuesday 7th May 2024 01:40 GMT sedregj
What actually happens
"When you create an account for a website or app, your device generates a cryptographic public-private key pair."
With a password, at least it is you remembering it, i.e. it is "you". With a passkey, it is your device that becomes "you". You are abrogating proof of your identity to a thing that may or may not have your best interests at heart.
-
Tuesday 7th May 2024 16:42 GMT fabsurplus.com
I recently GOT TOTALLY HACKED OFF with my android phone listening to everything I said and then giving me "helpful" lifestyle suggestions related to certain confidential conversations I had. Hence I switched off as much as possible all tracking and cookies etc.
The result of this has been very positive overall due to:-
1. I don't find myself visiting websites without a good reason, as I have to wade through all the cookie acceptance bumf every time I visit.
2. Zero adverts thanks to my ad blocker.
3. No nosey XXXXXXX following me round the internet.
Of course, this won't work with "passkeys", because they have to give you a tracker, which will follow you round the internet and doubtlessly give "big brother" all the saleable data they can extract from your every bowel movement.
Hence the day I am required to use this system will be the day I stop logging into google's "essential" TM "services" TM, which frankly I am not missing in the slightest up until now (3 months and counting).
-
Friday 10th May 2024 12:55 GMT TrumpSlurp the Troll
PIN for security?
My recent Windows 11 setup asked me for a photo and a fingerprint (declined) and a PIN.
Next thing I know it is authenticating with a PIN - 4 digits for this one (because I didn't think it would be used in this way).
Even with a 10 or 20 digit PIN it is surely very easy to crack.
No idea what the idea was.