FIDO Alliance says it has finally killed the password

There's a new proposal on eliminating passwords, but it relies on putting a lot of security eggs into OEM security baskets.  The FIDO Alliance has been trying to eliminate passwords since its inception in 2012. Ten years on it has yet to see that dream realized but the organization said it has finally come up with a mechanism …

  1. Anonymous Coward

    So much fail

    '"A smartphone is something that end-users typically already have..."'

    I don't. Know why? Because they're expensive and designed primarily to benefit carriers and manufacturers. They are riddled with buggy proprietary software and firmware and untrustworthy as all hell.

    'This framework for passwordless authentication relies heavily on mobile devices, and thus also on the security of the underlying OS. That's by design, FIDO said.'

    So it's broken by design, then.

    It's not very difficult for a human of ordinary intelligence to examine a password and determine whether it's strong or weak. It's also not very difficult to avoid phishing attacks: block all email from people you don't trust, use a provider that enforces DKIM (most do) or do so yourself, use a plain-text MUA, type URIs instead of clicking links, and stop answering phone calls if you haven't already (99% of all phone calls are spam and/or scam). While this may not quite be enough if you are a spy or a CEO, it will suffice for the other 99.99% of us.

    However, I defy anyone, even an expert in the field, to look at a USB dongle or smartphone and tell whether its authentication functionality is strong, weak, defective, or malicious. It basically can't be done, especially if the software and firmware are proprietary -- let's not even start on hardware -- so therefore this is a step backwards from passwords. And worse, the more trust is placed in such devices by upstream service providers like banks, the harder it will be to avoid the consequences of unknowingly using an insecure, defective, or malicious device for authentication. Oh well, your life savings are gone and you can't get them back. Good thing we have unlimited lives in which to start over!

    I'll stick with my strong passwords in a physical notebook kept in a hidden safe, thanks. That's never failed me and I don't expect it ever will. If you won't let me use a password to authenticate myself, I'll take my business elsewhere.

    1. DJO Silver badge

      Re: So much fail

      Also many really high security establishments don't allow smartphones on site.

      Smartphones are already a nice theft target, this would just make them more attractive to steal.

      As for using Bluetooth... might as well use semaphore, it's about as secure.

      1. Michael Wojcik Silver badge

        Re: So much fail

        Exactly. Smartphones are:

        • Fragile, but carried everywhere and frequently handled, and so frequently broken.
        • Expensive, with a high resale value and often with valuable contents, and so frequently stolen. And since they're expensive, they're unavailable to people of severely-limited means, which can include people with access to sensitive systems.
        • Not infrequently misplaced or lost.
        • Extremely complex and loaded with software of dubious quality, making them unreliable at the software level as well as the hardware.
        • Equipped with an enormous attack surface, and frequently compromised.
        • In my experience, often used without a passcode or other even minimal protection.

        As authentication tokens, smartphones are abysmal. It would take some effort to devise a worse choice.

        The FIDO alliance has spent most of its history barking up the wrong tree. This is no exception.

    2. HereIAmJH

      Re: So much fail

      In the name of security I have 6 different authenticator applications on my phone, 4 of them for work. (single sign-on is amazing) Do I really want something else tied to my cell phone that can die without notice, or get lost or damaged? And personally, one of the things I've begun to look forward to when I eventually retire is no longer being tethered to a cell phone. (another is dumping LinkedIn) Software updates alone are making me feel like a slave to my computers.

      A more pressing issue is that before long I need to replace my phone. I intend to go back to Android so all these security tasks that are tied to apps on my iPhone are complicating things. Guy at the phone store "Sure, we can move all your apps to the new phone for you. What is an authenticator app?"

    3. Nick Ryan Silver badge

      Re: So much fail

      Precisely. It's insane. There are a few components in security - something you know (secret), something you have (a physical token or certificate) and who you are (some form of identifier).

      Removing a secret component and replacing it with one of the others can never improve security. Biometrics, such as face and fingerprint, are a good replacement for an identifier to identify who you are, but they are not secret, they are not changeable, and they are relatively easily copied. Adding biometrics alongside a password improves security for the most part; adding biometrics alongside something physical as well as a password improves security further. However, replacing the secret component with biometrics or a token only reduces security. And this is before the realities of what happens when the physical component goes wrong and has to be replaced or just bypassed because access is required.

      Security is all a matter of balancing convenience vs security. When the "convenience" is all for the benefit of data collectors and not the end user it's even more insidious.

    4. ThatOne Silver badge

      Re: So much fail

      > So it's broken by design, then.

      But- Eliminating passwords! The goal is to eliminate passwords, at any cost! Who cares about security!

      (Some spare exclamation marks: !!!!!)

  2. alain williams Silver badge

    I do not trust my smartphone

    and do not like biometrics (I cannot change my face).

    Passwords work

    1. b0llchit Silver badge

      Re: I do not trust my smartphone

      (I cannot change my face)

      I'd be happy to "change" your face for you. I have hammers and knives readily available. You may even pick the tools. Please leave me a message if you are interested in a price list for various levels of change.

      --> Can do beauty adjustment too (see nurse' iconic image)

      1. Anonymous Coward

        @b0llchit - Re: I do not trust my smartphone

        You're doing it for free ?

        1. b0llchit Silver badge

          Re: @b0llchit - I do not trust my smartphone

          The act of remodeling is free.

          You do have to pay my hourly rate, the use of tools, my travel expenses and the paperwork (aka stay-out-of-jail papers).

  3. Doctor Syntax Silver badge

    My first rule is to minimise the number of entities which I will trust. Apart from myself, who I usually do trust, that means entities which have earned my trust. So what do I make of "FIDO cites Apple's adoption of 'Passkeys'"?

    In the article that includes a link to documentation about Passkeys, at least that's what the link indicates. And it's a link that does nothing without javascript being enabled. Javascript, just to read documentation.

    A body consisting of a list of the usual suspects offers as an example of what it's about something that requires javascript just to read what it's about? Of course I'm going to trust it. About as far as I can throw it.

    1. Anonymous Coward

      @Doctor Syntax - Dear Doctor,

      All this is not being done for you. It's in their interest only.

      The main idea here is for you to be identified even if you don't want it. With a USB key it takes a voluntary action for you to prove your identity. With a mobile phone tied to your identity and leaking information to whoever happens to want it, you're entirely out of the loop. You're no longer needed for their plan to work.

      I find it frightening that all this is slowly overflowing from Internet realm to the rest of our real lives.

  4. Will Godfrey Silver badge

    Seems I'm a bit slow today

    Three commentards already covered all my concerns. Not happening here, that's for sure!

    1. b0llchit Silver badge

      Re: Seems I'm a bit slow today

      Stupid ideas need to be repeated often enough until everybody simply gives up complaining about the stupid idea.

      That is how we introduce oldnew features that do not benefit the users in any way. It is also an effective way to take control away from the users. And, of course, get even more data about the users to (ab)use and empty their pockets a bit more in the process.

      What is not to like?

  5. binaryspiral

    2FA or begone!

    Password and a second method of authentication - both of which I can change and neither dependent on one entity (myself, OEM, or otherwise)...

    This is garbage.

  6. msknight

    The way I read this...

    Instead of the bad guys tying you to a chair, shining a light in your face and slapping you until you reveal your password... this way, they just tie you to the chair. Your watch will read your biometrics and squeal.

    Or am I understanding this wrong?

    Parent wakes up in the morning and the watch is on their wrist. Screams at child... "Johnny! What did you just buy on e-bay with daddy's ID?"

    1. AdamWill

      Re: The way I read this...

      You're understanding it wrong, because this is not about protecting you, Apparent International Super Spy, from an adversary who would go to the extreme lengths of kidnapping and torturing you. It's about protecting J. Random Person In The Street from using the same bad password on all 1500 accounts they have, and getting phished.

      This is a solid effort to try and improve security and convenience in the vast majority of real-world applications for real-world people. Who do *not* use password managers, or safe passwords, who hate passwords, who constantly forget them, and who do not have adversaries who would expend huge amounts of resources to compromise them. For such a person, "we'll authenticate you using a system where your phone checks your biometrics then sends out a safely-stored key" is both more secure and more convenient than "we'll authenticate you with that terrible password you use for both your bank account and fifty shoddily-coded PHP web forums, plus *maybe* a 2FA code we'll send you via a protocol known to be insecure and easily redirected, if you're lucky".

      If you actually are an International Super Spy, this is not the standard for you. There are others (including ones set by FIDO) for your use case. By all means use them.
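The mechanism AdamWill summarises above ("your phone checks your biometrics then sends out a safely-stored key") is the FIDO/WebAuthn assertion ceremony: the device holds a per-site private key, the browser binds the request to the page's origin, and the server only ever stores the public half. The following is an added example, not code from FIDO, the article or any commenter, written in Go against the standard library. It is a cut-down model: the relying party name bank.example, the look-alike phishing domain, Ed25519 as the signature scheme and the reduction of authenticatorData to SHA-256(rpID) are all assumptions for illustration; a real implementation uses the full authenticatorData structure, COSE-encoded keys and the signature counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData is a cut-down WebAuthn collectedClientData; the browser, not the page, fills it in.
type clientData struct{ Type, Challenge, Origin string }
type assertion struct{ ClientDataJSON, Signature []byte }

var b64 = base64.RawURLEncoding.EncodeToString
// authenticator models the phone's secure element: one key pair per relying party ID.
type authenticator map[string]ed25519.PrivateKey

// register mints a key pair scoped to rpID; only the public half ever leaves the device.
func (a authenticator) register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// signedMessage is what the key signs: SHA-256(rpID) || SHA-256(clientDataJSON) (simplified authenticatorData).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	return append(rp[:], cd[:]...)
}

// browserGet models navigator.credentials.get(): the browser fixes the origin and only lets a page
// ask for an rpID that is its own host or a parent domain; userVerified is the PIN/biometric gate.
func browserGet(a authenticator, origin, rpID string, challenge []byte, userVerified bool) (*assertion, error) {
	u, _ := url.Parse(origin)
	priv, ok := a[rpID]
	switch {
	case u == nil || (u.Hostname() != rpID && !strings.HasSuffix(u.Hostname(), "."+rpID)):
		return nil, fmt.Errorf("rpID %q is not allowed for origin %q", rpID, origin)
	case !ok:
		return nil, fmt.Errorf("no credential for %q", rpID)
	case !userVerified:
		return nil, errors.New("user verification (PIN/biometric) failed")
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", b64(challenge), origin})
	return &assertion{cd, ed25519.Sign(priv, signedMessage(rpID, cd))}, nil
}

// relyingParty stores public keys only, so a breach of its database yields nothing replayable.
type relyingParty struct {
	ID, Origin string
	creds      map[string]ed25519.PublicKey
}

func (rp *relyingParty) verify(user string, challenge []byte, as *assertion) error {
	pub, ok := rp.creds[user]
	var cd clientData
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil:
		return errors.New("malformed clientData")
	case !ok:
		return errors.New("unknown user")
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != b64(challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: assertion was signed for %q", cd.Origin)
	case !ed25519.Verify(pub, signedMessage(rp.ID, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature: wrong key or wrong rpID")
	}
	return nil
}

// scenario runs a legitimate login, a look-alike phishing origin, and a replay of the first assertion.
func scenario() (legit, phish, replay error) {
	bank := &relyingParty{ID: "bank.example", Origin: "https://bank.example", creds: map[string]ed25519.PublicKey{}}
	phone := authenticator{}
	bank.creds["alice"] = phone.register(bank.ID)
	fresh := func() []byte { c := make([]byte, 32); rand.Read(c); return c }
	c1 := fresh()
	as, err := browserGet(phone, bank.Origin, bank.ID, c1, true)
	if err != nil {
		return err, nil, nil
	}
	legit = bank.verify("alice", c1, as)
	_, phish = browserGet(phone, "https://bank-example.com", bank.ID, fresh(), true)
	replay = bank.verify("alice", fresh(), as)
	return legit, phish, replay
}

func main() {
	fmt.Println(scenario())
}
```

The phishing case fails before the key is touched: a page served from bank-example.com cannot name bank.example as its rpID, and even if the authenticator were tricked into signing, the origin inside clientData would not match what the real site expects. That origin binding is the property a password or a typed-in 2FA code lacks, since either can be entered on the wrong site; it does not address the device-loss and recovery questions raised elsewhere in this thread.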

      1. Doctor Syntax Silver badge

        Re: The way I read this...

        "You're understanding it wrong, because this is not about protecting you"

        So far so good but moving on from there, it's to benefit the usual suspects' grip on everybody's data. Any benefit to the man in the street is incidental.

      2. msknight

        Re: The way I read this...

        Those are good points, but what actually worries me more is law enforcement and what seems to have become the routine aspect of not only stripping our devices of data when either arrested or even when making a complaint in some cases...

        https://www.theguardian.com/uk-news/2020/jun/18/police-in-england-and-wales-taking-excessive-personal-data-from-mobile-phones

        ...but also to the extent that the USA, Australia, etc. border went to in terms of demanding your device and password...

        https://www.abc.net.au/news/2018-10-08/if-a-border-agent-demands-access-to-your-digital-device/10350762

        "Both Australian and New Zealand customs officers are legally allowed to search not only your personal baggage, but also the contents of your smartphone, tablet or laptop. It doesn't matter whether you are a citizen or visitor, or whether you're crossing a border by air, land or sea."

        ...social media accounts...

        Well, that's the problem. Whatever they like, and it is just becoming more difficult to be able to refuse and say no.

      3. Anonymous Coward

        Re: The way I read this...

        The problem is that *for me*, this mechanism is much weaker than the one I prefer (super spy though I am not). Sure, I can choose not to implement it on my own services. But the problem is that the services I use may try to force me to use it. I'm willing to go to literally any lengths in the service of refusal; I even enjoy it. That doesn't mean I prefer it to the right outcome. Forcing people to choose between using a weak and dangerous authn protocol and giving up useful services -- that we pay for! -- should not be considered desirable. If the people who refuse to use and protect strong passwords value so little the things those passwords protect, let them be victimised. Don't force the rest of us to subsidise their (still inadequate) safety by giving up our own.

      4. ThatOne Silver badge

        Re: The way I read this...

        > solid effort to try and improve security and convenience in the vast majority of real-world applications for real-world people

        Let's agree to disagree on the definition of "solid". Letting phone manufacturers (of all people!) be the custodians of your safety and fortune is for me at least the stuff nightmares are made of. Besides, people are motivated (cattle prodded) to change phone every so often, usually handing their old phones to family and friends (who will hand them to their friends), which should create all kind of problems if the phone is the sovereign means of identity and authentication. Don't you see it?

  7. cawfee

    Microsoft already nailed this

    As someone who actively enabled passwordless auth on their Microsoft account - I'm an advocate for this.

    Not only do I have to not worry about a password (even though I use 1password for everything else), it actively has 2FA built in: I log in > I get an auth prompt on my phone > I approve it > I have to select the correct number shown to me on my computer from the list > If I choose correctly it logs me in.

    It's pretty simple and stops bots from trying to crack my password. If everyone else takes a leaf from the MS book, I'm here for it - one overarching auth platform.

    But this is just one positive opinion against, I'm sure, plenty of people who would rather comment negatively than try :)

    1. Anonymous Coward

      Re: Microsoft already nailed this

      What happens when you lose the phone, or someone steals it?

      There are only two possibilities:

      1. You're locked out forever. The good news is that the thief/attacker still has to guess your password. You chose a strong one, right?

      2. There's some means of recovery without the "second factor", which is really just another way of saying that there's only one real factor.

      Similar questions can be asked about what happens when (not if) you get SIM-swapped, or forget the password part. They all devolve to one of the two possibilities: either there's only one real factor, or you're locked out forever. Then what if both things happen? Authentication is about providing an actor's identity. How do you do that? What *is* identity, anyway? Is it the human being, or is it the device the human is using, or is it the credential(s)? Nothing in FIDO's, or Microsoft's, proposed solutions address these fundamental problems.

      1. lostsomehwere

        Re: Microsoft already nailed this

        No, there is two-factor authentication if you need to set up the app on a new phone. I did it recently and it's easy enough to complete, but clearly had steps to validate identity.

        This is for the general public and it's better than P455w%d1 , I too welcome it.

        1. McAron

          Re: Microsoft already nailed this

          The good news is Microsoft's 2FA is based on a standard (RFC 6238, Time-based One Time Passwords). So you can use any compatible authenticator, or roll your own (the algorithm is trivial, roughly: token = hash(current time, key for pairing the authenticator) ).

          I'd even say authenticator should run on a PC (being a more secure device), not on a phone. This way it would be safer to log in on a phone.
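McAron's sketch above, token = hash(current time, key), is RFC 6238 TOTP layered on RFC 4226 HOTP. What follows is an added example, not code from the page or any commenter, in Go with only the standard library: it reproduces the RFC 6238 Appendix B vectors for the RFC's own test secret (the ASCII string 12345678901234567890) and adds the server-side check a practitioner actually needs, a small drift window and a constant-time comparison. SHA-1, a 30-second step and 6 or 8 digits are the RFC defaults; which parameters any particular vendor's app uses is not something this example asserts, so they are all arguments.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> fixed number of decimal digits.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)                          // low nibble of the last byte picks the window
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff // 31 bits, so the sign bit never matters
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpAt is RFC 6238 with T0 = 0: the HOTP counter is the number of whole steps since the Unix epoch.
func totpAt(key []byte, unixSeconds, stepSeconds int64, digits int) string {
	return hotp(key, uint64(unixSeconds/stepSeconds), digits)
}

// verify is the server side: accept the code for the current step or up to skew steps either side
// (clock drift), comparing in constant time. A production verifier must also remember the last
// counter it accepted so the same code cannot be replayed inside the window.
func verify(key []byte, code string, unixSeconds, stepSeconds int64, digits, skew int) bool {
	ok := false
	for d := -skew; d <= skew; d++ {
		candidate := totpAt(key, unixSeconds+int64(d)*stepSeconds, stepSeconds, digits)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	key := []byte("12345678901234567890") // the shared test secret from RFC 6238 Appendix B
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("T=%d  8-digit=%s  6-digit=%s\n", ts, totpAt(key, ts, 30, 8), totpAt(key, ts, 30, 6))
	}
	now := time.Now().Unix()
	code := totpAt(key, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", verify(key, code, now, 30, 6, 1))
}
```

Note what the algorithm does and does not give you: the key is a shared secret, so the server holds the same material the authenticator does, and a code is just a short string that can be typed into any site that asks for it. That is why the drift window should be small and why a stolen seed or a phished code is game over, in contrast to the origin-bound signature scheme the article is about.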

        2. Anonymous Coward

          Re: Microsoft already nailed this

          "but clearly had steps to validate identity"

          How? If this is a 2FA system and you've lost your phone (the token), you now have only one authn factor: your password. To set up a new phone (get a new token), they presumably require you to provide your password just as they would have when you set it up the first time. The way you've phrased this implies that one must also supply additional information about the account owner in order to complete recovery. But does that information satisfy the necessary criteria for use as an authn factor? Possession of identifying information does not prove that the actor is the subject the information describes. Which means either Microsoft are treating possession of public information -- things like date of birth, social insurance numbers, home address -- as an additional authentication factor or they are relying on some additional (3rd, 4th, ...) legitimate authentication factors that were established at account creation. Example implementations include "security questions", which are really just additional passwords. In that example, one may have 4 passwords plus a token, and any two of the passwords can be used to recover the token. That's not 2FA, it's N-of-M FA, where M-1 of the factors are just good old passwords. So if passwords are inherently insecure (they aren't), so is the "2FA" system that allows recovery using N passwords. Worst of all, and one of the reasons that the security questions approach is no longer recommended, those questions almost always have answers that can be obtained from public information, meaning that users who establish their answers as intended (instead of treating them as another opportunity to use a high-entropy password) get no security from them at all. While security questions are not the only additional authn factors one can use, they always fall into two buckets: things you can forget ("something you know"), and things you can have stolen from you ("something you have").

          All of this reduces to my case (2), which is why I consider 2FA to be security theatre: if you can recover from loss of the second factor, it's still just 1FA. If you can't, no one will be willing to use it.

          "it's better than P455w%d1"

          Not really, and it's definitely worse than 5kZ30FRpo@x11$Sm,0J, because you're relying on P455w%d1 plus some combination of public identifying information and equally or even weaker passwords in the recovery path. Ergo, all an attacker has to do is trigger the recovery path and your vaunted 2FA has been reduced to the weak password you're trying to avoid. That's bad, but because you're lying about the security of the system you're also encouraging two separate undesirable behaviours: the user feels less need to choose and protect a strong password, and whoever is relying on the authn system is going to place much more trust in the assertion that a successfully authenticated actor is authorised to act on behalf of the account owner. Neither behaviour is warranted by the true security properties of the system as implemented; one in fact reduces its security while the other penalises users whose accounts are compromised even if it's through no fault of their own.

          This problem is really, really difficult to solve even in the abstract. And if you want to solve it while preserving anonymity or even weaker assertions about privacy, it becomes nearly impossible. I can't agree with nor support blasé assertions like these that Microsoft, or FIDO, or whomever have "solved it" or that any of these proposals "just work". They haven't, they don't, and they can't, because we can't even define identity and there is ultimately no way whatsoever to verify it. Let's admit that and stop pretending that any of this stuff is significantly better than a plain old password. The first step is admitting you have a problem. Unfortunately, the problem people think they have is that we use passwords; in reality, the problem is that there's no way to identify an actor as being, or being under the control of, a specific human being. Solutions to the wrong problem are invariably wrong too.

          1. Anonymous Coward

            Re: Microsoft already nailed this

            I once got prompted for the answer to 'my security question'... only problem is that I don't remember having been asked to set up a security question, and if I had, I would not have picked that question because I wouldn't have an answer for it.

            One of the earliest security questions I was asked would only accept single-word answers, so I had to work out how to answer it and how to remember how I had answered it.

    2. Roland6 Silver badge

      Re: Microsoft already nailed this

      So in the name of "security" you gave a third-party that doesn't actually need it, your phone number?

      Bet you also gave them your address, bank account details and date of birth, plus if you signed up for a family account ... next they'll be asking for your social security number - in the interests of 'security' ... (Don't tell me you also access MS via a VPN, because you are worried about revealing the IP address your ISP has temporarily allocated to you)

      Given the biggest risk seems to be the leakage of credentials from compromised websites/organisations, you've just made your MS credentials of interest to all the Indian "Microsoft Tech Support" companies...

      So explain again why ElReg needs to know my phone number, just so that I can comment on here?

      Remember the lesson from FB is that your data will be abused and used against you to generate revenue by the website owners.

      1. cawfee

        Re: Microsoft already nailed this

        Nope, I just installed the authenticator app ¯\_(ツ)_/¯

        To head off any further inaccurate assumptions I will also state that I keep sole control of my mobile device, and practice good security hygiene, along with backups and fallbacks. You can be sensible and still like convenience.

        Again though, my opinion is just that, my opinion :D

        1. SCP

          Re: Microsoft already nailed this

          You are right that security and convenience are trade-offs. For convenience I just leave myself logged in to this site and rely on the screen-lock password. Simples! Not such good security - but adequate for my concerns.

          For my banking I use a private browser session, unique passwords (well I do that anyway - PWSafe), whatever 2FA protocol they are mandating (except mobile phone), and I log out afterwards and shut the browser down. Not so simples, but not bad. Better security.

        2. Doctor Syntax Silver badge

          Re: Microsoft already nailed this

          "I keep sole control of my mobile device"

          You intend to. People generally intend to keep control of all their possessions and yet things do get stolen.

  8. tiggity Silver badge

    Mobile phone

    I have one, but would not trust it for "ID", or much at all really.

    Don't use biometrics on it.

    Don't have any apps installed on it that involve my financial details (not difficult as I do not do online or phone banking, and if I am going to make purchases online I will do it on my PC where I have a lot more control of being able to monitor for malicious activities and have various IP / JavaScript blocking / whitelist* tools in use) - no way I am doing it on a phone where anything could be going in under the hood.

    In general use very few apps on the phone (hence I have a cheap and cheerful one)

    Obviously I'm not "the norm" being FB, insta, tiktok etc lacking & generally (bar the odd game or listening to some music from the SD card when stuck on a long & dreary public transport journey) just using phone for calls & texts

    * apols for not using whatever is the PC phrase used for this these days

  9. Anonymous Coward

    What's the fallback mechanism?

    Smartphone luddites aside... in the real world people drop and break their phones.

    So what's the fallback mechanism? How do you authenticate yourself to your bank and the phone store to buy a replacement phone? What's that Skippy: they just take their bank card to the phone store? But won't the bank then ping the banking app on the phone for approval?

    What's that again Skippy? They'll know it's me because I'm their only customer that goes round talking to an imaginary kangaroo?

    1. AdamWill

      Re: What's the fallback mechanism?

      Upvoted for the kangaroo joke.

      As to the question...the answer seems to be a bit complex. In the case where you replace an Apple phone with another Apple phone (or a Google phone with another Google phone, or a Samsung phone with another Samsung phone...), the answer is mostly "it's up to Google/Apple/Samsung to determine you're the same person and sync the tokens to the new device". How they do this is also left up to them. The paper implies this is already something they have processes for; I don't know if that's true.

      In the case where you switch vendors, the answer seems to be "you keep the old device and sync the tokens from it to the new device via Bluetooth". This does seem to leave a rather large gap where the old device is lost or broken and you don't want to get a new device from the same company.

      Another answer is sort of implied but not stated: keep an old device with the tokens on it around as a backup. Not everyone has two 'devices', of course, but lots and lots of people do. If this setup gets any momentum, as time goes on, it'll be more and more likely that you have an old device you can keep as a backup to seed a new device from if you lose or break your 'active' device. That's a lot of usable phones lying around in drawers just as identity backups when they could've been sold second hand and reused, though, I guess.

      There's also a wrinkle to both answers, which is "if the app/site/whatever that's trying to authenticate the user doesn't want to just trust the process of syncing the tokens, it can choose not to: it will be told when the user is trying to authenticate from a device they haven't authenticated from before, and can then add its own steps to verify the user's identity, whatever they may be".

      1. Doctor Syntax Silver badge

        Re: What's the fallback mechanism?

        "That's a lot of usable phones lying around in drawers just as identity backups"

        Apart from any other consideration that's also a lot of phone identities lying about to be nicked if you're burgled. Plus when you really need them you'll find that the battery life has decayed to 2 seconds and nobody local stocks that odd battery size any more.

        1. AdamWill

          Re: What's the fallback mechanism?

          I think you (and several others) are missing the bit where you can't just use the tokens from any phone you get your hands on. You have to pass the authentication - biometric or PIN - to access them. Unless someone finds a flaw in the secure storage, of course, which is one of the bigger potential weaknesses in the overall system. But then, no system is perfect.

          1. Doctor Syntax Silver badge

            Re: What's the fallback mechanism?

            A PIN contains very much less entropy than a strong password. Biometrics have their own set of issues some of which have been mentioned in this thread.

          2. Roland6 Silver badge

            Re: What's the fallback mechanism?

            I suspect the tokens will also have an EoL attribute, I know the tokens many applications install have an expiry even if I've ticked the "I trust this system" box, because I've not used that token within some unspecified timeframe.

            Additionally, with SSL certificates increasingly having only a 1 year life, those old devices can rapidly become junk.

      2. Anonymous Coward

        Re: What's the fallback mechanism?

        "The paper implies this is already something they have processes for; I don't know if that's true."

        I happen to know that it's not. I know this because my significant other's nineteen-year-old was now dating a guy who worked at the AT&T store. In an attempt to get more of her attention, ha ha, he added a 'spare' phone that he had laying around (the AT&T store) to her mother's account, without her mother's permission, and migrated her data from her older, less-shiny iPhone onto this new, spare, shiny iPhone. When it came time for a store inventory, the nineteen-year-old started complaining that he was bugging her about returning the phone he had given her or he was going to have to pay the cash price for it. I believe he paid the cash price for it, and still got terminated because they determined that he hadn't had approval from the account owner to remove/add the old/new phone to her account (the nineteen-year-old was not allowed to make changes to the account, and the store phone log showed that no call/message was made to the account owner.)

      3. ThatOne Silver badge

        Re: What's the fallback mechanism?

        > it's up to Google/Apple/Samsung to determine you're the same person and sync the tokens to the new device

        So, what you say is that it's some spotty-faced vendor at Google/Apple/Samsung who'll get to decide if that person is indeed me or an imposter? My, that's strong security indeed.

        .

        > you keep the old device and sync the tokens from it to the new device via Bluetooth

        I'd pay good money to see my old aunt do it. If this is simple to do, it should be trivial to borrow somebody's phone to make a call, and while pretending to do it, quickly transfer the authentication to another phone. Chances are he won't notice for at least a day, giving you the time to siphon off his bank accounts, savings and other valuables.

        1. AdamWill

          Re: What's the fallback mechanism?

          I'm not saying the scheme is perfect. But I *am* saying it's very hard to come up with a system that provides a decent level of security and convenience for most people, and it's very *easy* for commentards to laze around on comment threads poking holes.

          The system we have now is *definitely not it*. For most people, passwords do not provide sufficient security, because they use bad passwords, and reuse them; and they are not convenient, because typing in passwords sucks, especially on phones. Current widely-implemented 2FA schemes add substantially to the inconvenience, while still having significant security issues (especially SMS-based 2FA). Something better is desperately needed. At least FIDO is *trying*, and on the whole, there's a lot of good ideas in the things it has come up with so far.

          1. Doctor Syntax Silver badge

            Re: What's the fallback mechanism?

            "and it's very *easy* for commentards to laze around on comment threads poking holes."

            We don't actually get advantage from poking holes. Others do. You shouldn't assume they aren't doing so.

          2. Anonymous Coward
            Anonymous Coward

            Re: What's the fallback mechanism?

            Why is something better needed? If most people are using bad passwords, it seems safe to conclude that they consider theft and destruction of their data and other assets acceptable. That means passwords are an acceptable solution and therefore something better may be desirable but is not necessary. If that outcome were *not* acceptable, presumably those users would choose strong passwords, which would achieve the desired result.

            Note how this is different from, say, a system of authn that relies on 4-digit numeric passwords. Since it is not possible for such a system to provide strong security for any user, if that were the most popular authn system in use we would indeed need a better one. Oh, right: in most of the world, that *is* the most popular authn system, and it protects MONEY of all things. Perhaps we ought to start there instead of worrying about people who purposely choose passwords they know to be weak in authn systems that are capable of providing excellent security if only they wanted it.

          3. ThatOne Silver badge
            Thumb Down

            Re: What's the fallback mechanism?

            > I'm not saying the scheme is perfect

            It's FIDO who says it, or at least suggests it.

            Don't forget the current "various passwords" system has potential to be secure, as much as the suggested "password = phone" system has potential to be insecure. Now if you think about it, there is no logical reason to change an imperfect scheme for another imperfect one -- except for the opportunity to make money in the process, isn't it.

            Yes, most people use bad passwords, but you can't fix stupid and if you take a minute you'll realize they will find just as easily ways to screw up a "password = phone" scheme. The devil is in the details, in this case in the implementation: You can be sure corners will be cut, adware will be liberally added, and the whole phone swapping process will be made as insecure as it gets to keep customer service costs down.

            Net gain? Zero, just a general leveling down to the least secure common denominator. If I want to use different emails/passwords for every account, or use huge passwords for important ones, I can't, I'll have to trust some fly-by-night OEM implementation to keep my stuff safe(-ish).

          4. Roland6 Silver badge

            Re: What's the fallback mechanism?

            >it's very *easy* for commentards to laze around on comment threads poking holes.

            The trouble is (and I'm willing to bet on it) that the ElReg commenters have more real-world security experience than FIDO et al...

            Take one example, the banks move to 2FA, up to late last year, my partner could call me from a meeting breakout, train etc. and ask me to use online banking to perform some task on 'her' account(*). Now her account is tied exclusively to her phone, so try and do anything sensible like login and pay a bill or transfer money, now requires multiple auth codes from her phone...

            (*) For some reason, as I've been the one managing the joint account, the bank has discontinued her bank card and tied it to my phone and hence it is now 'my' account. What is even better, their telephone banking also uses the phone for auth, so she is now unable to even use telephone banking...

    2. Roland6 Silver badge

      Re: What's the fallback mechanism?

      >Smartphone luddites aside... in the real world people drop and break their phones.

      Well in theory they still have the SIM...

      Last summer there were several smartphones visible on the bottom of the boating lake where my daughter worked, unfortunately, the water is several metres deep and so they were unable to fish them out...

  10. DS999 Silver badge

    I've been saying they should do this for years

    I sit here with my phone next to me, if I wanted to login to a web site my PC could connect to my phone via Bluetooth with a challenge it gets from the site. If I have authenticated myself to my phone in the manner I specify (could be Face ID, could be a fingerprint, could be a password) within the time limit I specify (so you don't need to re-auth yourself to login to a different site two minutes after you last authenticated yourself) the operating system forwards the challenge to the Secure Element (or Android equivalent) and receives a response it forwards via Bluetooth which your PC sends to the web site, logging you in.

    The OS cannot compromise your security, the private keys allowing the challenge/response mechanism to work are in the Secure Element where the OS can't get to them. This would also be brand agnostic, it wouldn't matter if you had an iPhone, a Galaxy, a Pixel or a Chinese phone. It is simply taking advantage of a secure area of the SoC that the OS has limited ability to communicate with. Presumably someone would also sell dedicated dongle type devices that can perform only this function, for those who are paranoid Apple/Google will steal their Reg account, or don't own a smartphone but don't want to deal with passwords any longer.

    So what happens if your phone is stolen? The thief would have to get into your phone, and then bypass the "FIDO" authentication you have set (before you can follow whatever process is defined for disabling FIDO). If you are paranoid, you could use a different method for that than for accessing the phone itself, so i.e. your phone uses Face ID but accessing FIDO uses a password that's different than your phone's password.

    Yeah most people will just use Face ID or fingerprint for both, but this is still WAY more secure since only someone who steals their phone (and can jump through other hoops to fool their phone's biometrics) can exploit them, versus the situation today where half the world's population can potentially exploit them.

    1. iron Silver badge

      Re: I've been saying they should do this for years

      Bluetooth is a potential security vulnerability.

      My phone does not have Bluetooth enabled except on the odd occasion that I actually need it. Leaving Bluetooth permanently enabled increases battery use and is a potential attack surface.

      My PC does not have Bluetooth and I'm not about to buy a card for it since it would increase the potential attack surface for no reason.

      Not to mention the security vulnerabilities that exist in so called "secure elements."

      1. DS999 Silver badge

        Re: I've been saying they should do this for years

        The issue isn't whether security of this scheme is perfect. It is whether it is more secure than passwords, and that's undoubtedly true given how the average person (mis)uses passwords.

        Are you really going to argue that switching to this would be net security loss overall? Even for the people who have "password" as their password? Even for people using SMS for 2FA, which has far more security issues than key exchange over Bluetooth let alone secure enclaves on mobile SoCs?

        Security is not a binary, it is a percentage. And you can never ever reach 100, unless the device you are trying to secure is permanently turned off and stored in a vault at Fort Knox or a similar facility.

        1. Anonymous Coward
          Anonymous Coward

          Re: I've been saying they should do this for years

          "Are you really going to argue that switching to this would be net security loss overall?"

          To whom? To me, certainly. To the people I want and value as customers, absolutely.

          "Even for the people who have "password" as their password?"

          It has been my experience that the incurably stupid are incurably stupid and very little can be done to protect them from the consequences. If you don't care enough to choose a better password and protect it, who am I to argue with you? Someone will take or destroy whatever that password protected, then you won't have it any more and won't need to worry about choosing and protecting a password. Problem solved.

          If you routinely leave your home with all the doors and windows open, someone is going to steal your belongings. This is no different. You cannot claim ignorance of the threat; take it seriously or accept that you will lose. I care nothing for which you choose, but I care very much that I can buy a stout door and a reliable latch.

          "let alone secure enclaves on mobile SoCs"

          One man's "secure enclave" is another man's opaque nest of horrific bugs deliberately obfuscated by vendors. A notebook and a hidden safe comprise a very simple solution with very few, well understood, failure modes. Can you say the same about a firmware feature (or a silicon feature, for that matter) that you've never been given a chance to assess in detail? Or lack the skill to do so? Even if you were, do you really trust the vendor not to deliver something different from what you reviewed? No thanks.

          "Security is not a binary, it is a percentage. And you can never ever reach 100"

          Very true. But I know that the passwords I choose and the methods I use to protect them are more secure -- even if never 100% secure against all possible threats -- than any smartphone. Telling me I have to use this inferior mechanism would reduce my security to an unacceptably low level. I won't do it. Stop trying to force me.

          1. DS999 Silver badge

            Re: I've been saying they should do this for years

            I'm talking about OVERALL i.e. for the whole world, not just you. No one is forcing you to use this, so unless/until you are forced you can't complain about it compromising your personal security.

            They will never be able to force everyone to use this, because there will always be people like my mom who don't have a smartphone and will never get one. Instead she'll keep using the same email/password combo for all six or so sites she visits (she refuses to do anything with her bank or retirement account over the internet, so I know she's safe as worst case someone steals her grocery store rewards gas discount)

            1. SCP

              Re: I've been saying they should do this for years

              "No one is forcing you to use this ..."

              There are those who are trying very hard to force things like this upon us. I am continually nagged to provide a mobile phone number for a banking account - because the government has ruled they must apply a 2FA. Problem is mobile reception around these parts is iffy and I would need to travel to a spot where I could receive the code then hurry back to avoid getting timed-out.

              Some banks don't accept a landline number, some do; some allow you to authenticate with one of the banking card readers and your bank card (my preferred approach). Things might improve (I complained to the bank about not accepting landline numbers - but it was a limitation of their IT, it might get fixed in an update that might come out later this year. I know: astounding incompetence - but that is the reality of the situation, and this is only the part we can see. What horrors lurk beneath?).

              Unfortunately the choice of bank does not solely rest on whether or not they allow my preferred choice of authentication - so it is not so easy to simply take my business elsewhere.

            2. Doctor Syntax Silver badge

              Re: I've been saying they should do this for years

              "I'm talking about OVERALL i.e. for the whole world, not just you."

              I only care about me and mine. I have no wish to be pulled down to some intermediate level because your mother uses the same email/password combination for all sites.

              In fact, right there, you've indicated one possible area for improvement which needs no particular technological fix nor optimistic trust in providers such as Okta: make it illegal to specify an email address as a login ID. That in itself would make it easier for those who care to use multiple login IDs without juggling multiple email addresses.

    2. SCP

      Re: I've been saying they should do this for years

      "... within the time limit I specify (so you don't need to re-auth yourself to login to a different site two minutes after you last authenticated yourself) ... "

      Would that mean that a malicious application could monitor for an authentication event, then initiate its own interaction with another of your secure services and receive an authentication code from your phone?

      I am sure _you_ are sufficiently careful and knowledgeable to avoid malware running on your systems - but others might not be.

    3. Roland6 Silver badge

      Re: I've been saying they should do this for years

      > if I wanted to login to a web site my PC could connect to my phone via Bluetooth

      First fail right there!

      For this to happen it has to be "your" PC and you must have informed "your" PC about "your" phone and these must have exchanged some security token so that in the future they can verify each other etc.

      Once your PC can talk to your phone, it is only a matter of time before a third-party application on your PC can also talk to your phone without your involvement...

  11. heyrick Silver badge

    Oh my God!

    "A smartphone is something that end-users typically already have."

    Yes. And they get stolen, hacked, borrowed, and the issues regarding OS updates (or lack of them) is infamous.

    "Virtually all consumer-space two-factor authentication mechanisms today already make use of the user's smartphone"

    Wrong! With the partial exception of my bank, every single two factor jobbie except Google's pain in the arse "enter this number" that doesn't appear to work unless you're using Chrome... with the exception of that, everything sends me an SMS. So my phone number is the important part, not the phone type. I could be using an old Nokia... I forget the number, the famous feature phone one. And it would work.

    I say partial for the bank, as it wants you to authorise using their app. But after about thirty seconds it will offer to send a code via SMS instead.

    "and thus also on the security of the underlying OS"

    Count me out. My attitude towards the internet is "they're all out to get you", and sites that I feel I can trust are whitelisted (but all their third party resources are not). I don't believe in scanning to see if something is malicious, I believe in assuming it is until shown otherwise.

    My phone as my single and sole method of authentication everywhere? Guys, April 1st is in a week and a half.

    "is how we can meaningfully reduce the internet's over-reliance on passwords at a massive scale"

    Are you willing to be held legally liable for when it goes horribly wrong? (notice I said when, not if)

    You don't fix crap passwords and sites doing passwords badly by getting rid of all of them and using a single point of failure instead.

    Plus, I have multiple identities that I use online. Oh, they're all "me" but the email address differs (depending on my level of trust when signing up). Will the phone authentication cope with that, or do you expect everybody to just hand over all of their private information "because authentication"?

    "proximity-based authentication"

    Why do I get a bad feeling about this? Oh, yes, something by the door of a shop will happily require you to login in order to benefit from all their special offers of the day. It's cool, it just happens automatically as you go in. Just don't ask what information they're busy extracting from you.

    "but said it would still be better than using plain passwords of phishable second factors"

    The thing is, passwords can be changed. Identities, only if you're of importance to the government...

    "to be the ultimate arbiters of their organization's credentials"

    They can't be trusted with what they currently have access to. Screw the idea of handing over more information.

    1. MJB7

      Re: Oh my God!

      "I say partial for the bank, as it wants you to authorise using their app. But after about thirty seconds it will offer to send a code via SMS instead."

      You do know criminals have actively exploited banking login via SMS right? As in, this is not a theoretical exploit, real money has been removed from real bank accounts. You are _probably_ OK because there are now few enough people using SMS that it isn't worth the scammers' while to pursue it - but suggesting SMS is more secure than a TOTP app is a joke.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh my God!

        TOTP may well be better than SMS, which isn't saying much. However, it is still vulnerable to an infinite array of common attacks. The key problem (yuk yuk) is the storage of the token used to generate the OTPs. If confidentiality of the token is compromised, so are all future OTPs. In other words, the token has exactly the same security attributes as a password you put in a text file on your phone. Or, if you are using an open-source implementation like totp-cli or any of the others, a text file on your desktop, laptop, etc. If the user software is malicious or the OS fails to protect the token storage on its behalf, the game is over. It is of course also possible for this shared secret to be compromised on the other side, something over which the user has no control whatsoever.

        Like all "2FA" implementations in common use today, TOTP is just another password -- only unlike a password I can't store the token exclusively offline to protect it from software, firmware, and hardware defects, to say nothing of malicious actors looking for ways to automate access to such keying material. The attacks against SMS and TOTP are quite different in nature, making them a somewhat reasonable pairing. The attacks against passwords are different still, especially if one avoids storing the password on digital media. We could do a lot worse than requiring all three together, but only if all three were always required. In practice, the need for recovery paths always makes it possible to gain unauthorised access with fewer factors than are supposedly employed... almost always zero.

  12. steelpillow Silver badge
    Devil

    Who are these people?

    The FIDO Alliance is basically a bunch of platform creators and bankers.

    Yay, the platform creators want to manage our online security for us. No surprise that the likes of Google, Apple and Microsoft want to control the keys to our lives.

    The bankers want them to as well. No more being sued by ten million angry users because you let online crims steal their cash, now you just turn around and sue Google, Apple and Microsoft instead.

    There are also a handful of governments, presumably hoping to move their currencies totally online and pretend they know what they are doing.

    I really looked, but could not see one consumer group or user representative on the membership list.

    1. vtcodger Silver badge

      Re: Who are these people?

      I really looked, but could not see one consumer group or user representative

      M'god man. Are you daft? If we have to consider usability, we'll never get this internet thingee secured. And if we can't secure it, there goes our IPOs and the chance to be wealthy. And we'll face a grim future of working for decades and decades just to stay alive.

      Get thee, and thy odd notions, behind me Oh Satan.

      1. steelpillow Silver badge
        Devil

        Re: Who are these people?

        "If we have to consider usability, we'll never get this internet thingee secured."

        Erm, did you notice that the whole thing about this dogFIDOshit is to make t'interweb both secure and usable? Arguing that one cannot have both is like sawing off the branch you just sat down on. I trust your base jumping skills are up to scratch.

        And for the price of your soul, I'll sell you this parachute before you saw too far...

    2. HereIAmJH

      Re: Who are these people?

      I suspect this is more about controlling the Internet than securing it. Once you have one mechanism that is required, and identifies all users, then you can choose who you want to allow and track their usage. It would make it so much easier to punish people/nations that don't bend to your will.

      1. AdamWill

        Re: Who are these people?

        Nothing FIDO maintains "identifies" anyone. The standards are all about the interchange of tokens. Very simply put, you create an account with SomeOrg and agree with SomeOrg that "this magic token" is associated with that account. The token itself doesn't identify you, or SomeOrg. It's just a thing you've both agreed on. All FIDO standards cover is the process of generating and exchanging those tokens.

        These standards also don't leak between organizations, so whatever SomeOrg knows about you, even if you also use webauthn to authenticate to your account at SomeOtherOrg using the same authenticator, neither SomeOtherOrg nor SomeOrg gets any information about you that is held by the other.

        If you're worried about privacy, FIDO-defined standards are a better option than giving SomeOrg your phone number (a very sensitive identifier) so they can text you an authentication code.

        I do wish people would do like five minutes of research before jumping into the comments with their tin foil hats on. FIDO's work isn't perfect, but it's a hell of a lot better than the alternative, which would be that Google or Apple just make this stuff up themselves.
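A worked version of the exchange DS999 sketches further up (the PC relays a site's challenge to the phone, the phone signs it with a key the OS never sees, the site checks the signature) together with AdamWill's point just above that the per-site token identifies nobody and does not leak between organisations. This is an added example, not code from the article, from FIDO or from any commenter, and it is a toy model: Authenticator, RelyingParty, rpID and origin are illustrative stand-ins for the WebAuthn/CTAP structures, P-256 ECDSA over a SHA-256 hash is the assumed signature scheme, and the Bluetooth hop between PC and phone is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone's secure element: one key pair per relying-party
// ID, and private keys never leave it. Toy model of the FIDO idea, not the CTAP/WebAuthn formats.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> credential private key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a key pair scoped to rpID and returns only the public half; a second site
// gets an unrelated key, so two relying parties cannot link the same user through it.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData binds the challenge to the relying-party ID and to the origin the browser
// (not the site) reported, much like the clientData hash in WebAuthn.
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID + "\x00" + origin + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs a challenge for rpID as seen from origin; with no credential for rpID
// there is no assertion at all, so a lookalike domain with its own rpID cannot even ask.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, origin, challenge))
}

// RelyingParty is the website: a public key per user and one outstanding challenge per user.
type RelyingParty struct {
	id, origin string
	pubkeys    map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id: id, origin: origin, pubkeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubkeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one Verify call.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify consumes the challenge, rejects a foreign origin, then checks the signature over
// (rpID, origin, challenge). A signature the user made on a phishing page fails the origin
// check if relayed honestly and the signature check if the attacker forges the origin field.
func (rp *RelyingParty) Verify(user, claimedOrigin string, sig []byte) error {
	c, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.pending, user)
	if claimedOrigin != rp.origin {
		return errors.New("origin mismatch: " + claimedOrigin)
	}
	pub, ok := rp.pubkeys[user]
	if !ok || !ecdsa.VerifyASN1(pub, signedData(rp.id, claimedOrigin, c), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	bank := NewRelyingParty("bank.example", "https://bank.example")
	pub, _ := auth.Register(bank.id)
	bank.Enroll("alice", pub)
	c, _ := bank.NewChallenge("alice") // honest login from the real origin
	sig, _ := auth.Assert(bank.id, bank.origin, c)
	fmt.Println("honest login:", bank.Verify("alice", bank.origin, sig))
	c, _ = bank.NewChallenge("alice") // attacker relays a real challenge through a lookalike page
	sig, _ = auth.Assert(bank.id, "https://bank-example.test", c)
	fmt.Println("phished login:", bank.Verify("alice", bank.origin, sig))
}
```

Run as written, the honest login verifies and the relayed one fails. The properties worth checking are that a challenge is consumed on first use, that a signature produced on a lookalike origin fails whichever origin field the attacker forwards, and that a second relying party receives an unrelated public key, so SomeOrg and SomeOtherOrg learn nothing about each other from the token. What the model deliberately does not address is the host itself: anything the PC presents to the phone for bank.example after the user approves is signed, which is the gap SCP and Roland6 raise about malware and pairing on the PC side.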

        1. HereIAmJH

          Re: Who are these people?

          It's not tinfoil hat, I'm simply not naïve when it comes to power and money. They are expecting us to depend on the benevolent actions of organizations not of our choosing when there are large opportunities for power and money. That hasn't worked out so well in the past, and here are some small examples.

          Think of businesses that have been built on user contributions:

          CDDB and Gracenote

          IMDB

          Wikipedia

          YouTube

          Facebook

          etc, etc, etc.

          All have taken away from their users when the opportunity to make money presented itself.

          And do you seriously believe that governments won't try to control this?

          TOTP is a standard and works. It has no dependency on any particular organization.

          Another consideration is the dependency on 3rd party authentication systems. If my domain is down and nobody can log in, it's fully within my power to fix it. If I'm relying on Microsoft for authentication and there is a problem I am a very small customer and I just get to sit around and wait for them to resolve their problem.

          1. Doctor Syntax Silver badge

            Re: Who are these people?

            "TOTP is a standard and works. It has no dependency on any particular organization."

            It still has the disadvantage that as it's sent to your phone (or more accurately your phone number) whoever has the phone with that number is you.

            1. HereIAmJH

              Re: Who are these people?

              It still has the disadvantage that as it's sent to your phone

              That would be a push, and it's not required. You can get authenticator apps for your pc, Chromebook, or tablet. (as long as your clock is accurate) They don't have to be linked to your phone number. When you set up the app you get a seed value for the TOTP. So for example, you can have no phone service but get a code from the app on your phone to authenticate to a web site on your PC. BTW, you can even get TOTP fobs.
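The seed-sharing property the Anonymous Coward describes further up (the TOTP secret is one more stored secret, and whoever holds it makes the same codes on any device) and HereIAmJH's point above that an authenticator app needs only the seed and an accurate clock, as an added example in Go that is not code from any commenter or from any TOTP product. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and six digits, plus a server-side verifier with one step of clock tolerance and replay rejection; the seed is the RFC 6238 test-vector secret, constructed input rather than a real one, and Verifier and Check are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Secret is the shared TOTP seed. Whoever holds these bytes, on any device, produces the
// same codes. This is the RFC 6238 test-vector secret, used here as constructed input.
var Secret = []byte("12345678901234567890")

const (
	Step   = 30 // seconds per time step
	Digits = 6
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to floor(unixTime / Step).
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/Step), Digits)
}

// Verifier accepts the current step or one step either side (clock drift) and remembers
// the newest step it accepted, so a code sniffed in transit cannot be replayed.
type Verifier struct {
	secret   []byte
	lastUsed int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastUsed: -1} }

// Check returns true at most once per time step for a correct code.
func (v *Verifier) Check(code string, unix int64) bool {
	step := unix / Step
	for _, s := range []int64{step, step - 1, step + 1} {
		if s <= v.lastUsed {
			continue // this step, or an older one, has already been consumed
		}
		if hmac.Equal([]byte(code), []byte(hotp(v.secret, uint64(s), Digits))) {
			v.lastUsed = s
			return true
		}
	}
	return false
}

func main() {
	// "Phone" and "desktop" share nothing but Secret, and agree on every code.
	now := time.Now().Unix()
	phone, desktop := TOTP(Secret, now), TOTP(Secret, now)
	fmt.Println("phone:", phone, "desktop:", desktop, "same:", phone == desktop)
	v := NewVerifier(Secret)
	fmt.Println("first use:", v.Check(phone, now), "replay:", v.Check(phone, now))
}
```

The known answer for the RFC secret at Unix time 59 is 287082 (the last six digits of the RFC's 94287082), so a phone app, a desktop program and a hardware fob all agree without exchanging anything beyond the seed at enrolment. The verifier side shows the other half of the Anonymous Coward's point: within the thirty-second window a code is reusable unless the server tracks the last step it accepted, as Check does, and a compromised seed on either side yields every future code.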

        2. Doctor Syntax Silver badge

          Re: Who are these people?

          Very simply put, you create an account with SomeOrg and agree with SomeOrg that "this magic token" is associated with that account. The token itself doesn't identify you

          It's normal practice when you create an account to use an identity to do that. These days banks are very careful about establishing identity to cope with money-laundering legislation (unless, of course, you're handling sufficient funds to make money laundering worthwhile if not the object of the operation in which case the bank will be delighted to give you an account in the name of any off-shore shell company you choose).

          Where was I? Ah, yes. Account. Identity. No, the token itself doesn't identify you. But the token is associated with account so we have Token > Account > Identity. That's what I'd call indirect addressing. For some purposes it might be enough or, depending on the purpose, too much.

          1. ThatOne Silver badge
            Big Brother

            Re: Who are these people?

            > For some purposes it might be enough

            For most purposes it will be way too much. For instance online purchases need to be delivered, and unless you go through the hassle to use PO boxes, this means they need a name and address. That's assuming they don't already have it from your credit card payment.

            In practice it will be trivial to link your token to a specific real world identity, and collect a marketing goon's wet dream of PI. Don't forget the token handler sees all, all your purchases, which restaurant you eat at, where you spent your weekends, which websites you frequent, everything. It's impossible for them to not know you better than your spouse. (Which is probably the ultimate goal behind this harebrained scheme.)

          2. AdamWill

            Re: Who are these people?

            Yes, but *only the organization knows the association between the token and the identity*. And they already *know* your identity. So the token isn't causing any net increase in loss of privacy. The token is not a problem. If the organization wasn't using this form of authentication at all, they would still have all the same personal information about you.

            It's possible to use this kind of authentication system to authenticate to an account with ExtremelyAnonymousCo which has absolutely no personal information about you at all, or to an account with ExtremelyInvasiveCo which knows your name, phone number, address, social insurance number, bank account details, and inseam measurements. The token system doesn't care, and does not know any of those details, and does not provide a mechanism by which any of those details can be leaked from ExtremelyInvasiveCo to anybody else. It's your lookout whether you sign up for an account with ExtremelyInvasiveCo or not, and it doesn't have anything to do with this authentication system.

            1. ThatOne Silver badge
              Facepalm

              Re: Who are these people?

              > only the organization knows the association between the token and the identity*. And they already *know* your identity. So the token isn't causing any net increase in loss of privacy

              Who's that "organization"? If you mean FIDO, yes, they would sit on an extremely valuable hoard of PI. Now the question isn't really if they will sell it or if they will get hacked for it (my bet is on a mix of both), the question is why would I want somebody to collect that much information about me in the first place, just so he can give/lose all this juicy information to people who are up to no good.

              Also, you totally forget implementation. If everything has to go through the phone, the phone carrier will know just as much, after all it implemented the token mechanism of the phones it sells. So we have FIDO, some obscure OEMs, the phone carrier (and its software subcontractors), obviously Google/Apple (depending on phone brand), and in reality probably a couple others too, subcontractors, processing facilities, data warehouses. All this in a time where selling one's customer information is so hip... Thanks, but no thanks.

              If in theory this scheme is just pointless, if you factor in reality it becomes outright nasty. Probably only good to earn FIDO heaps of "monetizable" personal information.

  13. thames

    Trust Who?

    El Reg said: "That may be the case, but a key question remains: will businesses be OK with trusting their security to an OEM?"

    More pertinently, will businesses be OK with trusting their security to an OEM located in another country outside the reach of their legal authorities? They would have to be severely negligent to do so for anything other than trivial applications.

    1. HereIAmJH

      Re: Trust Who?

      More pertinently, will businesses be OK with trusting their security to an OEM....

      My (large) employer has migrated us to Windows Hello. In the name of making passwords more secure, we are now using 6 digit PINs. (because the fingerprint readers in our laptops are unreliable) So instead of the 12 character mixed case, numbers, special chars, etc. passwords.... 6 digits. And we still have to maintain those 'unsecure' passwords for various parts of our network that don't support Hello. I feel safer already.

  14. McAron

    I get the idea of improved security by authentication via secondary channel. But what if we want to access a secured resource on the smartphone itself? How do we authenticate then, with a second smartphone?

    In real life most people will of course use the same phone, which for a regular person means an Android v{current - rand(2,6)}, maybe even with some patches if the manufacturer was feeling generous, and inversely proportional number of available exploits. How secure is that?

    1. AdamWill

      This is kind of a subtle point. For 'true' two factor security, yes, you shouldn't be able to log in using only a single device. Your phone can be a second factor when logging in with something else, but it can't be a second factor when logging in on the phone. You must have a, uh, second second factor for that.

      And FIDO knows this, and has *already* produced standards for that scenario. You can buy a Yubikey with NFC support for exactly this purpose, in fact.

      The problem is, we live in the real world, and - as the white paper points out - we have several years of evidence to prove that people just aren't doing this. Even for highly-sensitive things like bank accounts, in most of the world, true 2FA is not being implemented. Banks aren't sending out hardware tokens to their customers. A *minority* of banks in a *minority* of places are doing this, but in most places, banks have only just got around to doing SMS-based "2FA" - which, as you point out, isn't 2FA at all if you're logging in on the phone to which the text is being sent.

      The system described in the white paper doesn't meet the standards of "true" 2FA, but that's kind of intended: the idea is that we acknowledge that in most cases, "true" 2FA is just sufficiently cumbersome that it's not going to be used. We need an alternative that's as secure as possible, but lets you log in on a smartphone without needing any other hardware.

      The answer proposed is basically "secure storage on the phone, usually with biometric authentication". PIN authentication is an alternative, but since that has most of the same drawbacks as passwords, isn't preferred. In general, when you go to log in to your bank, you'll have to pass fingerprint ID or face recognition on the phone; in the background this allows a token to be sent from the phone's secure store to the bank. It's not 2FA, but - as long as the biometric implementation is solid, and the secure store isn't hacked - means not just any Marlon Rando who finds your phone can log in to your account. It's not perfect, and the white paper doesn't pretend it's perfect; it specifically says that the existing FIDO standards for true 2FA are stronger and should be used where both parties are willing to deal with the inconvenience.

      This is something that's *already happening* in a not-so-standardized way, BTW. My bank's phone app requires authentication each time it's run to access anything important; optionally this can be via phone biometrics rather than entering the account password.
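What the comment describes as "a token sent from the phone's secure store to the bank" is, in FIDO/WebAuthn terms, not a bearer secret but a signature over a server-chosen challenge, produced only after the on-device biometric or PIN check passes. The following Go program is an added illustration, not code from this thread, from The Register, or from the FIDO white paper: it simulates the phone's secure store and the bank's verification side using only the standard library. The type and function names (Authenticator, Credential, Assertion, Register, Sign, Verify), the relying-party ID bank.example, and the simplified signed-data layout are this example's own assumptions and are not the WebAuthn wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is what the relying party (the bank) keeps after registration:
// only the public key, scoped to one relying-party ID, plus the last signature
// counter it accepted. Nothing stored here lets the server log in as the user.
type Credential struct {
	RPID    string
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Authenticator stands in for the phone's secure store. The private key is
// generated here and never leaves; the userVerified flag passed to Sign
// models the fingerprint or face check that gates its use.
type Authenticator struct {
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is the "token" that actually crosses the network: a signature over
// a server-chosen challenge, the origin it was produced for, and a counter.
type Assertion struct {
	RPID      string
	Counter   uint32
	Challenge []byte
	Sig       []byte
}

// Register creates a fresh P-256 key pair in the simulated secure store and
// hands the relying party only the public half.
func Register(rpID string) (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv},
		&Credential{RPID: rpID, Pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's per-login random nonce.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the signature to relying party, counter and challenge
// (a simplified stand-in for WebAuthn's authenticatorData || clientDataHash).
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what happens "in the background" once the biometric passes.
// originRPID is the site the phone is actually talking to; a look-alike
// domain has no credential here, so there is nothing to sign for it.
func (a *Authenticator) Sign(originRPID string, userVerified bool, challenge []byte) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: key stays locked")
	}
	if originRPID != a.rpID {
		return nil, errors.New("no credential for this origin")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(originRPID, a.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: originRPID, Counter: a.counter, Challenge: challenge, Sig: sig}, nil
}

// Verify is the relying party's side: reject foreign origins, stale or replayed
// challenges, a counter that did not advance (a cloned key), and bad signatures.
func Verify(cred *Credential, expected []byte, as *Assertion) error {
	switch {
	case as.RPID != cred.RPID:
		return errors.New("relying-party mismatch")
	case !bytes.Equal(as.Challenge, expected):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case as.Counter <= cred.Counter:
		return errors.New("signature counter did not increase")
	case !ecdsa.VerifyASN1(cred.Pub, signedData(as.RPID, as.Counter, as.Challenge), as.Sig):
		return errors.New("invalid signature")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	auth, cred, _ := Register("bank.example") // constructed relying-party ID
	ch, _ := NewChallenge()
	as, _ := auth.Sign("bank.example", true, ch)
	fmt.Println("genuine login:", Verify(cred, ch, as))
	fmt.Println("replay of same assertion:", Verify(cred, ch, as))
	_, err := auth.Sign("bank-login.example", true, ch)
	fmt.Println("look-alike origin:", err)
}
```

Two things the code makes visible that the prose leaves implicit. First, a captured assertion is worthless to replay: the server picks a fresh challenge each time and the counter must advance, which is why this design is phishing-resistant in a way SMS codes are not. Second, the bank never sees the fingerprint or the private key; it only learns that something holding the registered key claimed user verification succeeded. The server's guarantee is therefore exactly as strong as the phone's secure store and OS, which is the trade-off the white paper and this thread are arguing about.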

  15. Adrian 4

    I'll be using this

    just as soon as I can get a phone that never runs out of battery

  16. nobody who matters

    "....A smartphone is something that end-users typically already have...."

    Errrr, nope, not here, and I think they had better do some wider research - article in the news today that usage of dumb phones is on the increase; more than doubled in the last two years whilst use of 'smart' phones has dropped back. It is reported that 1 in 10 mobile phone users in the UK are using dumb phones (I am not alone!) See https://www.bbc.co.uk/news/business-60763168 for the full article.

    ".....Virtually all consumer-space two-factor authentication mechanisms today already make use of the user's smartphone...."

    Again, nope - the only thing that I use that forces me to 'verify' via a second authentication method does so via my landline - not convenient perhaps as I can't use it when away from home, but I'll be damned if they are having my mobile number!

    @fredblogggs ".....and stop answering phone calls if you haven't already (99% of all phone calls are spam and/or scam)."

    Mine aren't! In fact, I can count the number of spam/scam phone calls that I have had on my mobile over the last 15 years on the fingers of one hand (and have some spare); largely because I absolutely do not give my mobile number to anybody or any organisation who I perceive as having no legitimate reason for knowing it. I strongly suspect that the people inundated with spam calls are those who are handing out their number to all and sundry, including because 2FA!

    Similarly with my email addresses - the only one that I now get occasional spam on is almost certainly because of a breach that occurred to an organisation who run web forums, a couple of which I am registered with. The amount of crap is still small however, and almost all ultimately traces back to a single source.

    I still firmly believe a single very strong password is as good a security as any other. The problem is that vast numbers of people do NOT have strong passwords (and vast numbers of websites and organisations do not force a strong password policy) - educating/forcing the use of strong passwords would be a better way forward - treat the underlying cause, not simply gloss over the symptoms.

    1. Anonymous Coward
      Anonymous Coward

      "I strongly suspect that the people inundated with spam calls are those who are handing out their number to all and sundry, including because 2FA!"

      In my case, they are all wardialer-generated recordings. Most of them are also now using the bug the carriers refuse to fix that allows them to bypass ringing entirely and splat their scam straight into voicemail. If it does ring and you pick up, you get the recording until you say something or touch a number and then you're transferred to a scammer. They have no idea who I am and didn't get my number from anywhere; they're just scattergunning their crap hoping some random recipient is gullible enough to do whatever they're trying to get you to do. The carriers refuse to stop it, or even clamp down on the use of injected bogus caller ID, because they make money connecting these calls. Because the spam now accounts for most POTS use, the wireline carriers at least would be out of business without this revenue source. I'm happy for you that you've somehow managed to avoid having random number generators discover your number, but unfortunately refusing to disclose it won't help a bit. Maybe if we had 80-digit numbers...

      1. HereIAmJH

        Because the spam now accounts for most POTS use, the wireline carriers at least would be out of business without this revenue source.

        I don't disagree with this, there is also some measure of not wanting to spend the money to fix CID and secure communication between carriers. Telcos have a long history of weak security within their networks.

        It's short sighted though. Part of the reason POTS use is dropping off is the amount of garbage you are forced to take to use it. In my case, due to the volume of SPAM calls, if you aren't in my contacts I will likely never answer your call. You'd have to leave voicemail, but I'm not about to play phone tag with you. I.e. voicemail could get your number whitelisted, but I'm unlikely to call you back. And with other communications options available, I just don't care about voice calls anymore. (my 80yo mother prefers texting)

    2. HereIAmJH

      I strongly suspect that the people inundated with spam calls are those who are handing out their number to all and sundry, including because 2FA!

      Not in my case. I have a second cell phone that I have never given out the number. I don't have any 2FA apps on it. Actually, it only has one app that wasn't pre-installed. I never answer the phone. The intent was to use it for Craigslist ads that I have never gotten around to posting. I occasionally use it for outbound calls. It also has data and WiFi turned off.

      This phone receives calls daily with offers to buy my house, pay off my student loans, etc. Note that I've had that phone/number for 2 years.

    3. AdamWill

      um

      ""....A smartphone is something that end-users typically already have...."

      Errrr, nope, not here, and I think they had better do some wider research - article in the news today that usage of dumb phones is on the increase; more than doubled in the last two years whilst use of 'smart' phones has dropped back. It is reported that 1 in 10 mobile phone users in the UK are using dumb phones (I am not alone!)"

      Er. So, 9 in 10 mobile users *are* using smart phones? So, in other words, you could say..."a smartphone is something that end-users typically already have"? Since, you know, "typically" is not a synonym for "always".

  17. fidodogbreath

    Single point of failure

    When the inevitable name-brand bug (I suggest "FIDObyte") is found in their system or in an OEM implementation of it, every account protected by that device or platform could potentially be compromised. Sorry, hard pass.

    Ultimately, it won't matter though. Passwords will continue to proliferate because they're cheap to implement and support. Keeping track of a crap-ton of passwords is inconvenient for a site's users, not its owners. Sites will still need to support password authentication anyway, because you'll never get 100% user adoption for FIDO's standard.

    Which brings up another roadblock: if tech history is a guide, every vendor / OEM that implements FIDO's authentication mechanism will "extend the standard" with their own proprietary tweaks to force user lock-in. Site owners and app devs will then be stuck trying to figure out why users can log in with HTC phones but not Samsungs (or whatever). That tips the economic incentive even further in the direction of the status quo aka passwords.

  18. nobody who matters

    "...They have no idea who I am and didn't get my number from anywhere; they're just scattergunning their crap hoping some random recipient is gullible enough to do whatever they're trying to get you to do....."

    ".....Not in my case. I have a second cell phone that I have never given out the number.......This phone receives calls daily with offers to buy my house, pay off my student loans, etc....."

    I would nearly dare put money on those numbers being on a list somewhere - whether due to the current user randomly giving it out, or someone who had been issued with that number previously to the current user, or possibly due to a breach somewhere that the number had previously been recorded. There are enough of us out there who have had the same number for years (in my case over 15 years) who do not get any significant mobile phone spam to suggest that a 'scattergun' approach of random numbers isn't the reason for some people receiving large quantities of crud.

    I don't even get that much in the way of spam on my landline, even though it is publicly available in the telephone directory - perhaps my approach of issuing a torrent of vile expletives to any of them who cause me to answer has the desired effect?

    1. Doctor Syntax

      "I don't even get that much in the way of spam on my landline"

      In my case I think it was a result of getting them to "hold the line a minute" until they realised they'd been had and hung up. I must be blacklisted. To my great sorrow I missed the only call I think might have been from Microsoft.

    2. ThatOne

      You are right for some of them, but I too have a cell phone number I actually never used and never gave to anybody (never previously allocated, not listed anywhere either). I have had it for 20+ years now, and it still gets the occasional spam call. Not daily, but still way more than you'd expect for a random phone number that has been totally unused for 20+ years.

      I guess it depends on the country you're in? Apparently some countries are more spam-infested than others.

  19. PJD

    Edge cases

    a) my job requires me to go into jails, and to log in to access electronic health records while I'm in there. Carrying a cellphone into a jail is a misdemeanor, so phone-based MFA is out. And our jails have disabled usb ports, so yubikey-like devices are out too. Maybe one day they'll update their terminals to have something that can handle biometrics, but it ain't going to be any time soon and $5 says they'll disable it anyway for some demented reason.

    b) We all die. Even the idiots on the FIDO board. When I die, particularly if that's a sudden or unexpected event, I need my spouse to be able to get into absolutely any non-work related account and device I own, and I need my co-workers to be able to get into any work related account and device. Biometrics get a bit ghoulish at that point.

    Edge cases are *important*. And everyone has at least one. Passwords have persisted in part because we've discovered most of the edge cases (usually the hard way) and come up with solutions. The fact I can immediately name two edge cases, one of which is a *universal* 'edge case', and the whole FIDO approach doesn't seem to have addressed it is a bit worrying.

  20. Barry Rueger

    Warm and Comfy cubicles....

    The problem with these kinds of ideas is that they're developed by people who spend their lives sitting in nice cozy cubicles in southern California. Those of us who live in the Real World can see the shortcomings.

    Dead cell phone battery. Area with lousy or no cell coverage. And relying on Bluetooth? For anything? Half the time it won't even connect my phone to the car radio to play music. It's often my last choice for anything.

    I recently moved from Canada to France, and already I can see how many ways this tech could fail me. I now understand that for much of the American tech community ALL phone numbers, but especially those used for 2FA, are structured as (xxx) xxx-xxxx. If you're in France, where numbers go (33) xx xx xx xx xx you're shit out of luck. And if you live in a country that doesn't include a state or province in your address, well you might as well not exist. Or if you're dealing with a Canadian company that can't believe that your postal code is 61000.

    And honestly, I don't trust Google, or Apple, or Microsoft particularly much, and I have little or no faith in the safety and security of either my phone OS or any app that I install. Maybe it's because of 30+ years of working on-line and in tech, but my experience has shown that you just can't trust any of these 100%.

  21. Anonymous Coward
    Anonymous Coward

    Control for your protection

    As a government myself, this is great.

    I see subject x53b2 has been protesting something I want, zap, his only key to access the internet disabled, or maybe we just track everything by his token so we can document this evil freedom loving fool. Now we know exactly who is doing what where and all associated accounts. I don't even need spies anymore, just thugs to pick them up at the tracked location.

    As a criminal myself, I only need to get the person's phone while it's unlocked (Yoink!) and I own Everything they did LOL, it's so easy, just snag a phone and cash in! no passwords to worry about, this makes life so much easier - for me.

    Disclaimer I am not really a government or criminal.
