Microsoft, Apple, Google accelerate push to eliminate passwords

Microsoft, Apple and Google – all longtime proponents of doing away with passwords for authentication purposes – are throwing their support behind standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) that could eliminate passphrases completely. Sometime this year or early in 2023, the three US …

  1. Chris Gray 1
    Trollface

    Upgrade!!!!

    Am I being too cynical when I suggest that this is also about getting everyone to buy new devices to replace ones that are too old to support this new stuff? And, as I've seen elsewhere, it's yet another grab for control and information by those large corporations?

    1. mark l 2 Silver badge

      Re: Upgrade!!!!

      Yes and will probably only work on their big tech proprietary software, so the small guys and FOSS will get locked out of being able to support it.

    2. DS999 Silver badge

      Re: Upgrade!!!!

      The "new stuff" this requires is bluetooth and some sort of biometric ID in your phone, so hardly a big leap.

      The main roadblock is likely to be Android phones that are no longer getting updates, but that's partly the fault of the buyer for not choosing to buy from someone who supports their devices for a long time.

      1. jake Silver badge

        Re: Upgrade!!!!

        I've got all kinds of old kit still doing useful work. None of it will ever be downgraded to this new, about to be forced upon the rubes, "standard".

        Thankfully, I see no need to do business with the likes of Microsoft, Apple, Google and their ilk ... Not now, and not into the foreseeable future. The Internet (and my old kit) will still be trucking along quite nicely long after they and their megalomaniacal ideas are dead and buried.

        1. VoiceOfTruth Silver badge

          Re: Upgrade!!!!

          -> I've got all kinds of old kit still doing useful work. None of it will ever be downgraded to this new, about to be forced upon the rubes, "standard".

          I agree with the sentiment, but the thing with these companies acting as a cartel means you may not have a choice if you want to participate. Although you may see no need to do business with MAG, what happens when the next pandemic comes round and the numbskulls in government say 'our new pandemic tracking app uses Google technology'?

          This idea is pernicious.

      2. Chris Gray 1

        Re: Upgrade!!!!

        Would be nice. My phone is 8 years old (Samsung Galaxy S4). I don't think many folks expect them to be used that long. But, it has a replaceable battery, earphone jack, etc. I like it. I just don't put any new apps on it. Ever.

    3. Anonymous Coward

      Re: Upgrade!!!!

      Nothing like the big three colluding to discriminate against the disabled. I can't use pin numbers unless it corresponds with my very old army service number. My password manager deals with most logins by using the same default password. Any change that is thrust upon me is subject to the provisions in the Convention and in the Equality Act.

      In short, will Alzheimer's finish me before Microsoft does?

      1. Pascal Monett Silver badge
        WTF?

        If you have a password manager, then why on Earth did you set it to use the same password on "most" logins ?

        1. dogcatcher

          So that I have a chance of recognising it and being able to copy it. With two screens open I can manually copy a password; with only one screen I cannot remember the password long enough to transfer it.

          1. NeilPost Silver badge

            But a Password Manager does all that heavy lifting for you. Indeed you don’t need to know the passwords, but have access to them if required. Microsoft Direct Access VPN - tied to an AS Integrated 2FA PIN works well too.

            That being said I generally prefer (phone based) Two Factor Authentication (2FA) whether Google or Microsoft Authenticator, Okta Verify, Fortinet Token, Apple Sign in…. though the all your eggs in one cloudy basket hack at Okta irony is not lost on me.

          2. jake Silver badge

            "with only one screen I cannot remember the password long enough to transfer it."

            You've never heard of paper and pencil? Note that this intermediary step is trivially destroyed by fire. Or ingesting. Or any number of other methods.

            1. TheWeetabix

              You have literally no idea of the ways his disability may affect him, he may not be able to use a pencil, he may have memory issues that would make writing it down just as pointless. The statement "so I have a chance of recognizing it" would make me think perhaps they have a reading difficulty, and pointing out that they should just write it down is effectively telling them to stop being handicapped.

    4. Richard Jones 1
      WTF?

      Re: Upgrade!!!!

      Where do I buy new fingers with ready to use, reliable fingerprints?

  2. Anonymous Coward

    New ways to choose to fail?

    Through all of the discussion of this, I feel like what we have is a case of people pushing before the plan has been hashed out. While I have been hoping TOTP and FIDO would get on by default first party support from the big 3, I feel like this may not address some of the issues the way it is being discussed. I think we needed the big three to implement an authentication layer where alternates could replace all the places where just a password was allowed before. That way apps, devices, and organizations could adopt new methods without re-architecting their whole deployment (which has been the main thing holding everything else back).

    Instead we are getting a hard push for what appears to be a swap of one inflexible baked in method for a newer one, which while it has its merits, will be behind the state of the art by the next major release of each of the operating systems.

    Worse is Bluetooth. If you want to ensure something never quite works, build it on top of Bluetooth. Connections will be hit and miss, connection setup slower than necessary, and probably have to suffer repeated device pairing. At least the security can be run over the top, so even if the bluetooth data was in the clear the FIDO drivers on the devices probably will handle security on their own.

    1. LateAgain

      Re: New ways to choose to fail?

      You notice also that the assumption is that an actual person is there trying to do something.

      Not a shared login (loads of those!) or a machine.

      Asking a Linux server to pop up a weblogin to authorise something is daft.

      Just give me an "app login" FFS

      1. Anonymous Coward

        Re: New ways to choose to fail?

        re: "Not a shared login (loads of those!)"

        Ayep. I set up a google account for a community group I chair and I am now, after a couple of years, getting the "can not log you in too many failed attempts" hooey. While I am happy to walk away from that dumpster fire and not waste further time on it, I had planned to share the account with whoever next chairs the group. Now google has made up my mind for me, since apparently they can not keep things running for just ONE account user. Agree with the speculation above that this appears more about collecting even more data than about functionality or security.

  3. Mark #255

    coping with device loss - print out this A4 sheet of random codes and keep it safe

    I've recently begun enabling 2FA on a couple of accounts, and, while some bits are quite whizzy (point your phone at the QR code - woo), the recommended steps for ensuring you can still get into your account if your Authenticating Device is lost/stolen/rendered obsolete are somewhere on the "no normal person is going to do this" scale (I do fully accept that I'm not normal).

    "Here's a bunch of codes: print them out and keep them safe" seems no more workable than "write the password on the back of an old business card and keep it in the box-o'-passwords"

    1. simkin

      Re: coping with device loss - print out this A4 sheet of random codes and keep it safe

      It's awful. Our entire industry sucks.

  4. simkin

    And then your fingerprint scans get stolen.

    Try replacing those.

    1. Denarius

      Re: And then your fingerprint scans get stolen.

      do you mean there are fingerprint readers that work reliably ? Never found one. Also those of us who work in abrasive conditions do not have detectable prints sometimes, not to mention the issues of dirt, grease. All very well taking 3 minutes plus to use an industrial hand-cleaner, redirecting to toilet facilities, back to office or device location. etc. How long before intrusion developers find ways to hijack TFA systems ?

      OTOH, in remote office situations, WFH, etc, TFA is sensible. Used it for decades. IMHO, just not a one size fits all solution, especially with the various device types now in use. Is having a second physical device so I can unlock my phone reasonable ? As others have said, will this be another closed system by the tech bros that is used to levy excess costs onto a population with no choices ?

    2. Martin Gregorie

      Re: And then your fingerprint scans get stolen.

      Try replacing those.

      Same goes for Yubikey or Bluetooth connected phone, unless there are actually three devices involved in the sign-in:

      1) the Yubikey, Bluetooth-connected phone, or whatever holds the encrypted token(s)

      2) the device you're using to connect to the required service

      3) the server supporting the required service.

      In addition the first two must have a secure way of storing something unique which can be sent to the third for validation.

      I have a Yubikey and use it to access services on one of the GitXXX code suppositories. However, I know almost nothing about its anti-theft safeguards: no documentation came with it and their website is equally uninformative about how its security systems work and why they are more secure than user name and password.

      IOW I'm happy to accept that the Yubikey is one factor but have absolutely no idea what 2nd factor may be or if it even attempts to be 2FA, when all I did to activate it was to stick it in my laptop's USB socket, and login normally to GitXXX. Since then I've been able to simply stick the Yubikey into the USB socket and immediately use git push/pull commands to update or access the remote repository.

      To me that seems less secure than, say, a UK bank's 2FA card reader, where at least you know what both factors are and that the card reader is not one of them.

    3. SundogUK Silver badge

      Re: And then your fingerprint scans get stolen.

      Yup. Nobody is ever getting me to log in with a bio-metric identifier. Sooner or later someone's going to crack quantum computing and all those hashed bio-metrics are going to be 'plain text.'

      1. ThatOne Silver badge
        Facepalm

        Re: And then your fingerprint scans get stolen.

        No need to crack anything - That data will quite likely be stored unencrypted on a publicly accessible test VM at some point, and thus will eventually land on the dark web, forcing you to change your face, fingerprints, DNA signature and whatever other immutable information they decided to use.

        But then again security isn't important to them, it's all about control, and it never ends well for those who fall for the scheme. (Don't you remember "One ring to rule them all..."? Embrace your new existence as authentication wraiths.)

  5. tekHedd

    Small devs

    Am I being cynical when I suspect they'll come up with a nightmarish implementation that basically guarantees small devs will be pushed out?

    I am being cynical. But I'm probably right.

    1. Anonymous Coward

      Re: Small devs

      I'm sure anyone can implement the 180 page spec from scratch in no time at all.

      Web Authentication: An API for accessing Public Key Credentials Level 1, W3C Recommendation, 4 March 2019.

      Of course, it helps if you're a big company with megatons of cash and already have a head start from implementing the code as you write the spec.

  6. ITS Retired

    All these new and improved ways to log in either involve a gadget, or something that can't be changed when needed, like fingerprints and faces. Or gets changed because of damage to same and can't be updated because - Damage.

    The problem with passwords is passwords commenced with the beginning of computers and have been working reasonably well for decades. That means some people think passwords are old and need to be replaced with something "new".

    Never mind this "new" can't cover all the devices that need passwords. Different devices need different ways to sign in. They have been trying to eliminate passwords for how many decades now? There is a reason they are still around.

    My 2005 HP, with a fresh load of Linux Mint and an IBM Model M keyboard would be hard pressed for facial recognition, with no camera, let alone any fingerprint reader. It works just fine for what I need it for. Word processing, banking, web surfing, any of several web sites I frequent... All without a hassle.

    1. Anonymous Coward

      Facial recognition only seems any good to me when it is used to unlock the encrypted passphrase on your device for onward use. Then you require two-factor just to make sure.

      Thinking somehow a face will replace a password - when you think about it they're all just 1s and 0s sent on, it's just that for a password you know what was the exact source. It's not really a password it's all just various forms of an encryption key with different derivations.

    2. Cliffwilliams44 Silver badge

      What I don't understand is this PIN number nonsense! How is a PIN any different than a password yet MS seems to think it is?

      Face recognition on my phone works great, unless I am outside working in the sun with my hat and sun glasses on, then it doesn't and I have to enter my PIN.

      What's the final endgame here? Some surgically implanted technology that authenticates us to all devices and services? (That includes some undisclosed nefarious technology?)

      In the words of Timmy Turner! "What could possibly go wrong!"

  7. Neoc

    So we settle on fingerprints. But there are people out there without fingerprints due to missing hands/arms (and let's not forget those with Adermatoglyphia)

    Oh, so what about iris scanning? Cataracts, anyone?

    And, as someone rightly said, I can change my password/physical key if it gets compromised. How do I change my biometrics?

    1. NeilPost Silver badge

      … or more rudimentary if your hands are wet…. Like say outside when raining.

    2. Alumoi Silver badge

      Been there, done that: Face/Off

      1. Anonymous Coward

        Unrelated, but I feel it's my public duty to point out Face is a far better movie.

  8. david 12 Silver badge

    FIDO is a dog

    2FA sent to your phone doesn't work just when you need it most -- while in some alien foreign country like China or Nigeria. It can be easily spoofed -- but not by ordinary users, only by criminals with a bit of practice.

  9. HatchFields

    It's def about money. Just not yours.

    All of you sound like you're approaching that age where nothing good can come from anything that might require you to adopt new skill sets by way of technical advancement. This is a huge boon for everybody involved. Overall the internets stand to reduce overall energy use by way of eradicating enormous amounts of bandwidth currently devoted to the goose chasing fallibility our current password processing and its logistical hoops eats up. Of course the big three stand to make a buck or two on upgrades but you'll be waxing even more nostalgia from bed by the time your arguments are archived. Until then, keep in mind FIDO was proposed by the W3C and the big 3,4,5, 8 or 9 or whomever your fear mongering monkey minds want to rage against, they ALL stand to save a serious ton of money currently spent in supporting lazy users who refuse to think creatively when it comes to adopting good technology and how to work with it rather than against it (I.e., ask your kids dishwashing buddy how he manages his fingertips and with biometric logins). You all complain too loudly only to eventually forget stashed that one piece of paper listing the 15 usernames and passwords they use for every login form they encounter. For God's sake don't keep it on file on your 'tried and true' now obsolete phone that's going to die maybe tomorrow from over exhaustion. Go with the flow bro and use your heads and your time wisely. Don't ever forget your first Motorola beeper.

    1. jake Silver badge

      Re: It's def about money. Just not yours.

      Sez the dude/tte who created an ElReg account for this one, single post.

      Shill away, dude/tte, shill away. We smell where you're coming from.

      1. This post has been deleted by its author

      2. HatchFields

        Re: It's def about money. Just not yours.

        Yes I did create an account to post. Those were the rules unfortunately. But I'm glad I did as I don't speak up enough for reasons not unlike your own pearls of wisdom that I'd be wasting time. I wasn't intending to hurt feelings as most of my commentary was in jest merely to make my point that the majority of commentary sounded (perhaps smelled) like an echo chamber in the men's room. So I smelled too. ;) At the end of the day I raise my glass.

        1. Cliffwilliams44 Silver badge

          Re: It's def about money. Just not yours.

          It's El Reg! The echos in here are infinite!

          infinite,infinite,infinite,infinite,infinite,infinite...

    2. SundogUK Silver badge

      Re: It's def about money. Just not yours.

      Your pathetic immaturity sings out loud, millennial.

      1. This post has been deleted by its author

    3. AMBxx Silver badge
      FAIL

      Re: It's def about money. Just not yours.

      Try using paragraphs. Then try to make a reasoned point without insulting people who aren't like you.

    4. Nick Ryan Silver badge

      Re: It's def about money. Just not yours.

      Did you have a point other than to claim "it's shiny therefore it's good"?

  10. Pascal Monett Silver badge
    FAIL

    "It's time for us to collectively ... commit to eliminating passwords entirely"

    I agree.

    I will gladly do that the day you prove to me that my biometric data will never be hacked.

    1. Anonymous Coward

      Re: "It's time for us to collectively ... commit to eliminating passwords entirely"

      And don't forget the part where someone should also guarantee your biometrics are used **only** for the login

  11. Barry Rueger

    What could go wrong?

    Given the track-record of these companies on things like privacy, or even basic human rights, there is really only one question that needs to be asked:

    What are the ways that this could all go horribly wrong?

    1. Richard Jones 1
      WTF?

      Re: What could go wrong?

      Correction, 'What are the ways this will go horribly wrong'.

  12. HenryCrun

    Mobile devices are not the answer either

    I really hope that as well as passwords we can junk using mobile devices, particularly mobile phones, as an authentication solution because of the risk of theft or SIM cloning. Still fighting so many sites that mandate a phone number as part of their security protocol.

    1. Richard Jones 1

      Re: Mobile devices are not the answer either

      For a start, what about the not spots with poor to no mobile service? I can see the buildings of central London from near my home, but mobile service in the house, all I can do is hope.

  13. Big_Boomer Silver badge

    This old chestnut again?

    Once again someone announces "we are doing away with passwords" but we have nothing PRACTICAL to replace them with. <YAWN!>

    Fingerprints, face recog, hardware keys, 2FA, and many many others have all been tried, and all have failed the 2 tests required for universal adoption - Is it easy to use? - What happens when my authentication is compromised? 2FA is fine for anything that you only use occasionally but is a royal PITA when used multiple times per day. Fingerprints are too easy to fake, face recognition can be fooled with a decent photo although some of the newer systems would require you to 3D print a copy of the face, and hardware keys,... ooops dropped it in the loo/dog ate it/is in my wife's handbag and she has gone to NZ to visit her sister.

    1. Giles C Silver badge

      Re: This old chestnut again?

      Reminds me of when BMW introduced the keyless ignition there were stories of people dropping off someone at an airport, driving to a fuel station and discovering the “key” was in a pocket 15000 feet above them as they were driving on the other person's key and theirs was at home….

      Obviously finding this out after stopping the engine.

  14. steviebuk Silver badge

    Sort your software out first

    So I was rolling out Outlook 2013 to phones and laptops a year or two ago still. Outlook 2013 is WELL aware of 2FA, yet the pissing, cocking bollocks would decide, on random users when I'd turn it on, in their account, to decide "What? 2FA? What's that then? I've never heard of that. You'll have to just give me a one time password for that user instead" so I'd have to, just for that one user, set up a one time password, just for pissing Outlook 2013. Then a month or so later, another user would come along with the same issue. Their password expires, Outlook then asks for it, repeatedly fails to login & then I discover it's another user where Outlook 2013 has randomly forgotten about 2FA.

  15. Anonymous Coward

    "found that users were continuing to use the same passwords"

    So replace all of them with a single five-six digits PIN? Once you're into a personal device you can access everything? Is this an improvement?

    Moreover the problem of 2FA is you need one or even multiple devices to access your systems. I already have to carry two mobiles - one for accessing work accounts, the other to access my personal ones. And no, I don't want to install my banking app on my work phone controlled by my company IT - nor my personal mailboxes. I don't even want to be forced to always carry with me phones designed to track me all the time.

    When using separate tokens more than once I had to call home and ask to read the number it displayed to access company accounts - because I forgot them. Now if my phone doesn't work I can't access my banking site until I get a new one.

    1. Nick Ryan Silver badge

      Re: "found that users were continuing to use the same passwords"

      Every step is reducing security, not improving it.

      Security is always a balance of convenience compared to actual security, which is fine, but replacing the secret, changeable part of authentication and replacing it with something that is neither secret nor changeable is nothing short of retarded. Swapping the user identifier for biometrics is fine, pair this with a password and one has an improved system. Replacing the password with biometrics always reduces the security, hell it's what we do when letting someone we know, and possibly expect, into our own home. Replacing both the user identifier and password with biometrics is fine for very low security scenarios.

  16. Nick Ryan Silver badge
    Stop

    Replacing the secret, changeable component of an authentication with something that is neither secret nor changeable is security idiocy all pushed by those who have absolutely no concept of security whatsoever and live in the shiny la-la land of Hollywood movies.

    Biometrics can add to security, in fact they are a very good replacement for the user identifier, however they are not a replacement for the secret component.

  17. luminous
    Pint

    A PIN is just a numeric password. I read this article thinking I must be really stupid, or just very worn out as it's Friday night. Tell me it's just me that's an idiot? None of it makes any sense whatsoever.

    1. ThatOne Silver badge
      Devil

      Don't let logic get in the way of a perfect marketing scheme. Things are what you tell the suckers to call them: Passwords are bad, so our password is not a password, it's a, um, well - a "Freedom Number"! Yay!!! Ain't we cool?...

    2. Captain Scarlet
      Mushroom

      Yup, and because it can only contain digits it's less secure than a password.

      1. Anonymous Coward

        PINs used for Windows can be anything. For example, the "PIN" I use for my work laptop is a 12 character mix of digits, mixed case letters, and one symbol, and is not used on any other device in my life. And yes, I am aware the most secure part of that is the length.

        1. Cliffwilliams44 Silver badge

          So, it's a password!

          1. Anonymous Coward

            Not exactly. It only works on this one device and never expires. I have a separate password for the account which is used for some online services which aren't connected directly to the Windows login session, but it's different to the "PIN", and expires every three months.

            I mean, yes, technically all PINs function in the same manner as passwords to some degree. The fact a lot of PIN implementations limit themselves to just numbers is beside the point.

        2. ThatOne Silver badge
          Stop

          > PINs used for Windows

          Irrelevant. This here is a numerical PIN, because it has to work (mainly) on phones. So it is numbers only (not everybody has a smartphone).

          I know what I'm being offered here is 6 digits, that's all. YMMV but it would surprise me.

        3. Captain Scarlet
          Mushroom

          For me PIN means "Personal Identification Number"

    3. Cereberus
      Pint

      It's just you that's an idiot

      Sorry you did say - have a pint as an apology ----->

      I thought exactly the same: how can system access be more secure using a numeric password with each position having 10 options than one that has 36 lower case, 36 upper case, 10 numeric and whichever special characters may be allowed - so a minimum of 82 possible options for each position.

      Also how many people (general public) will just use the same 'pin' number or worse default to 1111 or 1234 (extending to the number of characters needed - i.e. six being 111111 or eight being 12345678)

      1. ThatOne Silver badge

        Re: It's just you that's an idiot

        > how many people (general public) will just use the same 'pin' number or worse

        Which shows once again that this crusade has nothing to do with "security". It's just a power grab, all your passwords belong to us.

      2. jgard

        Re: It's just you that's an idiot

        Upper and lower case each with 36 characters? That's one funky alphabet you are using there :)

        I set a Windows laptop up for my nephew recently, and after clicking through heinous and intrusive pages about directed advertising, I arrived at the request to create a PIN. If I remember rightly, it claimed that it increases security. I simply don't understand the logic behind PIN usage. Unless you are a complete buffoon, the PIN will almost certainly contain less entropy than a traditional password you'd create.

        To be fair, I discovered that a PIN won't give you admin access, even if you are an admin; you have to elevate permissions with your full password for that. I also realise that the PIN allows access to the machine only. But in terms of mitigating the most important threats, those two measures are useless. It doesn't really matter if a PC is hacked unless your victim has sensitive docs etc. But once you are logged in, you can probably access all their internet accounts via their cached browser credentials, or the cunningly titled pa$$w0rdz.txt that you find in the 'my docs' folder.

        From a security perspective that's pretty terrible, which is why I'm convinced PINs are NOT about security. Instead PIN authentication is a tactic to get you to use a Microsoft account - the PIN is a dangling carrot. If you tell Joe Public he can use a 6 digit PIN rather than a complicated bloody password that includes squiggles and numbers, and then advise it's more secure too, he'll take that carrot in a flash. The fact that he needs to set up an MS account first won't bother him at all. Hey presto, MS has access to a new user's personal information, their browsing habits, laptop login times, maybe their private conversations 'to improve Cortana' (yeah right) etc.

        It's all one big con, and one that Apple has been running for years (try using a Mac without an Apple ID and see how much functionality is unavailable). Microsoft are just playing catchup. It's thoroughly depressing.

  18. Anonymous Coward

    "Also, folks should be able to use FIDO authentication on their mobile devices to sign into a website or application on a nearby computer using whatever operating system or browser they're running."

    Unless it's my bank's website, all the other websites can piss off about getting my mobile number or me installing some crap-app on my phone.

    "The complete shift to a passwordless world will begin with consumers making it a natural part of their lives," Alex Simons, corporate vice president for identity program management at Microsoft, "

    translation: "once everyone forgets that in The Old Days they weren't required to have a mobile to access Internet sites on their desktop, life will be soooo much simpler for us"

    (...shakes fist at sky and mutters into beard.)

  19. ThatOne Silver badge
    Alert

    BS

    > people have a tendency to pick poor passwords

    And people have a tendency to cross roads without looking. The obvious solution is to ban roads, isn't it.

    This is such an obvious attempt to grab control: Once you have become the proverbial "one ring to rule them all", you totally and absolutely control the private and professional lives of everybody: They can't even step out of their homes without your consent. And you can charge for that consent as much as you want, because your offer is literally one they can't refuse.

  20. Anonymous Coward

    Control

    1. Gets you to upgrade to latest and greatest software and hardware.

    2. Gives them more control over when/where/how you access your data.

    3. Gives them greater access to and control of your data.

    4. Allows them to lock you out when you become a social media problem of any kind or are deemed unacceptable because you don't support the latest thing.

    5. Allows for greater surveillance, data sharing and access enablement to law enforcement.

    6. Claim it's for your own good.

  21. John 104

    PIN?

    A PIN is just a shitty, short password....

    As for moving away from passwords and using biometric? No thanks. A password is intellectual property and can not be subpoenaed. A fingerprint or your face, however, can be.

    2FA is the way to go and anything peddled as better is just dumbing down security.

    1. Anonymous Coward

      Re: PIN?

      That's why my phone's fingerprint authenticator runs a program that does a 99-pass drive wipe that can't be stopped once it starts. Go ahead, force me to "unlock" my phone with a print.

      I was going to use a small bit of C4, but decided against it - it would be MY finger being used as the trigger.

      1. Anonymous Coward

        Re: PIN?

        "it would be MY finger being used as the trigger."

        You do know, in the movies, you usually aren't still alive or attached to said thumb. Just saying... if you're gonna go, go with a BANG!

  22. jreagan

    SQRL

    Personally, I prefer Steve Gibson's SQRL solution which is also password-less and seems better than FIDO to me.

    www.grc.com/sqrl

    1. ThatOne Silver badge

      Re: SQRL

      Sounds like a password without a login to me. Thus (marginally) less secure than the classic login/password combo.

      Remains obviously the "app manages everything for me" part, but a password manager does as much for a login/password combo, so I fail to see the obvious advantages of SQRL.

      (But I admit I just had a quick look and didn't delve into the details.)

  23. nijam Silver badge

    > ... password-less authentication methods, such as the device PIN...

    Because a 4-digit PIN is so much more secure than a password? Now I think about it though... it is just a password.

    1. Anonymous Coward

      PINs are unique to the device and are, in the case of Windows today and, presumably, other sites/services/software tomorrow, connected to the TPM which includes multiple physical security mechanisms to make it tamper resistant. The TPM will be responsible for holding encryption keys for the OS and/or the hard drive if that's also encrypted. Enter too many wrong PINs trying to unlock Windows today and the device will be locked - just like mobile phones have been since forever - essentially bricking it until it can be unlocked with a full account password and probably some other 2FA verification.

      If your password is compromised, on the other hand, any device or service connected to your account will also be compromised.
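      As an added example (not from any commenter or from The Register), the arithmetic behind two points in this thread: Cereberus's comparison of 10 options per position versus 82, and this post's observation that a device-bound PIN is only guessable online and locks after too many failures. The lockout threshold and the offline guess rate are assumed figures, not numbers from any real product.

```python
"""Guess-budget model for the PIN-vs-password debate above.

Constructed example: alphabet sizes follow the comments (10 digits per
position for a PIN, 82 symbols per position for a mixed password); the
lockout threshold and offline guess rate are assumed figures.
"""
import hmac
import math
from dataclasses import dataclass
from typing import Dict, Optional

DIGITS = 10   # numeric PIN alphabet
MIXED = 82    # lower + upper + digits + symbols, the figure used in the thread


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret, in bits."""
    return length * math.log2(alphabet_size)


def online_success_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` online guesses (all an attacker gets before the
    device locks) hit a uniformly random secret."""
    return min(1.0, attempts / search_space(alphabet_size, length))


def offline_worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the space when the secret's verifier (a leaked hash,
    say) can be queried offline at `guesses_per_second`."""
    return search_space(alphabet_size, length) / guesses_per_second


@dataclass
class LockedPinVerifier:
    """Toy device verifier with the lockout behaviour the post describes:
    after `max_failures` wrong guesses it rejects everything, even the right
    PIN, until an out-of-band recovery resets it."""
    pin: str
    max_failures: int = 5   # assumed threshold
    failures: int = 0
    locked: bool = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False

    def recover(self) -> None:
        """Out-of-band unlock (account password plus a second factor)."""
        self.failures = 0
        self.locked = False


def brute_force_online(verifier: LockedPinVerifier, length: int) -> Optional[str]:
    """Enumerate numeric PINs in order against the lockout verifier; returns
    the PIN if found before lockout, else None."""
    for n in range(10 ** length):
        guess = str(n).zfill(length)
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None


def compare_secrets(attempts_before_lockout: int = 10,
                    offline_rate: float = 1e10) -> Dict[str, Dict[str, float]]:
    """Side-by-side figures for a 4- and 6-digit PIN and a 12-symbol password."""
    rows = {}
    for name, alphabet, length in (("pin4", DIGITS, 4), ("pin6", DIGITS, 6), ("pw12", MIXED, 12)):
        rows[name] = {
            "bits": round(entropy_bits(alphabet, length), 1),
            "online_p": online_success_probability(alphabet, length, attempts_before_lockout),
            "offline_s": offline_worst_case_seconds(alphabet, length, offline_rate),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare_secrets().items():
        print(f"{name}: {row['bits']} bits, online p={row['online_p']:.1e}, "
              f"offline worst case {row['offline_s']:.3g} s")
```

The table makes the trade-off explicit: with a lockout the 6-digit PIN gives an attacker a one-in-a-hundred-thousand shot, but the same PIN falls in under a millisecond if its verifier ever leaks, so its safety rests entirely on the secret staying inside the device.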

      1. Anonymous Coward

        Just like people re-use passwords, they will re-use PINs across devices - for the reason they are passwords.

        And when a device is compromised, all services accessible via the device are compromised as well. No defense-in-depth, you're protected only by the edge system.

  24. sreynolds

    No thanks....

    I am not putting all my tokens in one basket controlled by those ba$tard$.

  25. Champ

    Yes, I re-use my password - what of it

    There are a gazillion shitty websites that I've had to create an account on over the last 20+ years. Of course I'm not going to use a different password for each [1]. On precisely none of these do I care if my details get hacked. Say the crims find I bought some questionable furniture from Ikea last year - so what? Even sites that persist credit card details still need the CVV to complete the txn.

    For anyone with any sort of online life, the only options seem to be password re-use, or use a password manager [2]

    [1] and, yes, I have tried password managers. Haven't found one that gives me a compelling use case yet

    [2] see [1]
