Your phone may soon replace many of your passwords (krebsonsecurity.com)
159 points by todsacerdoti on May 7, 2022 | 314 comments



There needs to be a law that forbids mandating cellphones and credit cards for ordinary business transactions. My apartment started requiring an app to enter the premises, another app to wash and dry your clothes, and then an app to enter the place where you wash your clothes. I came home one day after a series of missed and delayed flights, tired and sleepy at 3am after waiting eons for an Uber at the airport, when my phone finally died, and at 3am I could not enter my own apartment because my phone was dead and there was no one else at that time to open the gate for me.

In these cases, technology is creating not solving problems.

Ask yourself this: As great as smartphones are, do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

I would even go so far as to say cash and physical paper should be supported by any business and government department.


> As great as smartphones are, do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

It's an even more dire question: do you want a future where you're required to carry that cellphone on your person at all times?

And for the slippery slope: do you want a future where it's legal to arrest people until their phones can be verified? To prevent impersonation, maybe chip people like dogs so that they can be reliably matched to their phones, and make it a crime (maybe "attempted impersonation") to tamper with the chip or to help someone tamper with the chip?


It's even worse: tons of applications don't work properly if your phone is rooted (so if you put a proper adblocker etc. on it) or doesn't have Google apps.


If you have the time and knowledge necessary to root most Android phones, bypassing root detection is just one or two more basic steps.


This is a false statement, that one can bypass root detection in just one or two more steps. Anyone saying this might not know the implications of Google SafetyNet. And popular tools like Magisk have been defeated repeatedly. It is a cat and mouse game.

Magisk has stopped providing patches to games that helped to bypass root detection.


But I pretty much don't. I hoped that it would be as easy as disabling Cortana on Windows 10, but degoogling your phone is super user-unfriendly and something that almost has to become your hobby.

But for people thinking about it, it's still worth it: with AFWall+ to not have ads in any app, NewPipe to have the functionality of YouTube Premium and Barinsta to make sure you are not dragged into endless reels recommendations on Instagram, it's magic.


Barinsta got DMCAed or something, F-Droid page is up [1] but the GitHub (linked from there) isn't, and the F-Droid package is still from last summer 2021.

I use a Pi-Hole in my LAN, and Wireguard to it. Low latency so works very well, and given it has a killswitch my connection is always secure -- public WLAN or WAN be damned. The downside is my device and all apps have access to my LAN. Although some of my devices are on a DMZ, and the Pi-Hole works from there as well but the rest of the LAN not.

[1] https://f-droid.org/en/packages/me.austinhuang.instagrabber/


Blokada works well enough for ad blocking without root by creating a local "vpn" connection and newpipe never needed root to begin with.

Personally, I gave up on root when it became too much of a hassle to maintain, which was after Android 4.4 as far as I remember.


Hardware attestation makes that a theoretic impossibility.


Adding to that, smartphones can also be extremely distracting. If you'll be effectively unable to put away your phone for longer periods of time because almost everything requires that you interact with it, that can't be good for your mental health.


Recent times have shown that the slippery slope is more often the rule than the fallacy.


It's only a fallacy when there are no valid reasons to think that the events will actually progress the way you claim they will.

In this case, there is a clear government and/or corporate motive in increased data mining and social control, so the only thing restricting them is they need to make people accustomed and not consider it too intrusive in non-totalitarian societies.

Things like "contact tracing" or "preventing terrorism" or "think of the children" are among the ways that the powerful actors at the top are convincing the populace that such a measure would be necessary (and beneficial), and the majority of the population does not seem to care enough about this to do anything. Hence, it is reasonable to believe that the claimed event (a phone being required at some level) is going to happen at some point.


It's a logical fallacy, which means it's a fallacy when dealing with logical entities.

If you run across any of those in the real world, let me know.


I think that using a single source for authentication/authorization of any kind is stupid: be it a smartphone, a password, a certificate or anything of the sort. Multiple sources should always be used, such as logging in with a username/password and getting an e-mail/SMS/TOTP code to enter, though even those can be compromised if people don't use randomly generated passwords for all of their sites/e-mail accounts/apps.

But on topic of the questions in this discussion, allow me to offer an unpopular opinion, just because it sounds like an interesting thing to think about.

> As great as smartphones are, do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

Required to purchase one? How about given one instead? In my country, we have eID cards, which can be used for digitally signing documents and can serve as methods of authenticating against a government site - due to legislation, now everyone gets one, much like people got passports. And yet, nobody questions needing these cards or passports, even though technically if you lose yours, you do have to pay for a new one because "it's government property".

Alternatively, if people would still have to purchase one, force the manufacturers to be open about their production costs and profit margins, mandate certain specs of devices not to exceed certain pricing - much like Chromebooks have already taken over education in many places of the world due to their relatively simplistic nature, i don't see why we couldn't have basic spec Android devices in abundance either.

Better yet, protect phones and being able to use them like one would treat the likes of eID cards and similar:

  - all phones need security updates for 5-10 years from the manufacturer
  - all phones need certain levels of battery life: if a new Nokia 105 can last for a week, i don't see why you couldn't cut down the standby modes of Android phones to do the same
  - all phones need their batteries to be replaceable by the user, should they want to do so, no phone can be sold without them as available replacement parts for purchase
  - all phones need proper permission setups: a passcode for installing apps, and full control over network requests, similar to NetGuard https://netguard.me/
  - all phone OSes need to be open source and open to modification, no more locked bootloaders or other stuff like that (might need a confirmation with the user's code first)
  - all phones need their hardware drivers and all documentation pertaining to those be open source
  - all phones must support custom apps being written, installed and run by the owner, much like a *nix machine doesn't constrain you
  - all phones must support third party app stores, should the user choose to use them, e.g. FOSSHub/Fossdroid
  - to fight malicious usage of the above, have a LED indicate whether a custom ROM is or isn't being loaded and have a checksum or something show up during boot with info about any digital signatures of the ROM

Edit: perhaps the term "phone" here should be replaced with something like "gov-compatible-phone" or whatever one could come up with - i don't doubt that dumb phones would still have their uses. Technically, all of the above should have been achievable on something like the Symbian OS as well.

Who knows, maybe eventually the majority of phones would once again become more blocky and more of them would be IP-68 certified, or something like that. In my mind, phones should be dependable computing devices, more like a Raspberry Pi/Arduino with a sturdy case in your pocket, rather than dainty status symbols. Think along the lines of these:

  - https://www.catphones.com/en-us/
  - https://www.ulefone.com/
  - https://us.blackview.store/

> It's an even more dire question: do you want a future where you're required to carry that cellphone on your person at all times?

I already do, so nothing would change for me. I cannot imagine leaving a phone at home, much like i cannot imagine spending a day without Internet (this is probably a controversial statement, should lend itself to some discussion about how people live nowadays, especially the younger generation). Doing so would be depriving myself not only of a means to communicate and navigate, but also of the ability to look things up, like tutorials, or information about something that i'm interested in. Some might extend those arguments to things like note taking, audio notes included, as well as entertainment. Alternatives exist, of course, but they're rather unwieldy - who wants to drag a notepad, a map and a compass, as well as a voice recorder, maybe a dumb phone or a walkie talkie with them separately?

Edit: probably interesting to compare this with carrying a wallet around - since it has money/bank cards and quite possibly ID and other pieces of information as well. Which could be replaced by a phone. And it's not like you could use it after stealing/robbing it off of someone, since it would be behind a passcode or additional lock mechanisms.

> And for the slippery slope: do you want a future where it's legal to arrest people until their phones can be verified?

I have no illusions about this not being abused if that were ever the case, which kills argumentation in favor of anything like it from the onset. Similarly to how there were various "tests" put in place before voting in the US, many of which targeted ethnic minorities. I bet similar excuses could be made about officers "failing" to validate a phone/identity due to "technical issues" and thus depriving people of their freedoms.

That said, i am in favor of means to identify people that actually work for a change - you should not be allowed to start a company on someone's behalf after presenting pieces of information that could easily be found out, like someone's name and any sort of a national identifier. My country basically had the same problem - a national identification number for each person, which many sites still asked for during signup. Due to this value ever leaving the confines of something that holds and uses it as necessary, it's no longer reasonable to rely upon. Consider the eID cards instead - it stores a private key and can only be used to sign things with PIN codes that the user must know/store themselves. The certificates never leave the physical device. We need more of that approach. PII leaking would suddenly become a less harmful thing, because it's not like you could actually do anything with that information.

> To prevent impersonation, maybe chip people like dogs so that they can be reliably matched to their phones, and make it a crime (maybe "attempted impersonation") to tamper with the chip or to help someone tamper with the chip?

Pretty dystopian, admittedly. Some people already do, to enjoy the benefits of RFID chips. Personally, for the most part, i'd prefer to stick with fingerprints for opening biometric locks with phone apps and such acting as alternatives. Then again, if i were writing a dystopian novel (you know, more dystopian than real life, where every action that we take online is catalogued and can be looked up by the powers that be) it'd be curious to explore the benefits and drawbacks of having everyone have chips in them. If the society were ruled by a benevolent AI? Probably less crime and strong application of the law. If the society were ruled by regular people? Probably blackmailing and discrimination like you cannot even imagine.

(note: none of these views are exactly held strongly, just something fun to ramble about)


I myself am a "single source for authentication/authorization" and i don't think it is stupid at all.

It is just hard to tell it to a machine. So i am ok to use a token for that.

The trouble for me are the instances that want to certify that i am me. I don't need them, but they are there. The middleman, who wants to have a say, to allow or deny.

I have no problem telling a token that it is me. I am pretty happy to self-certify myself.


"and i don't think it is stupid at all"

Actually it is - while you provide for yourself and that may be fine, if you have dependents, having daddy be the single source of authentication for everything is pretty damn stupid. You might have accounts for your kids but they need to actually access those accounts.

If you end up in a coma in the hospital, again, having yourself as the single source of authentication for medical purposes is pretty dumb, too.

If you have any group of people dependent upon a thing, having yourself as the single source of authentication is pretty damn stupid. Look up how nuclear missiles are/were protected, if you want a real world tech example.

This thing where people assume they are the only thing in the world, so whatever they want is fine for everybody else, that's the real fucking stupid thing.


> It is just hard to tell it to a machine.

Well, that's the crux of the problem, isn't it? We need a way for you to confirm that it's you and not someone else who has stolen your credentials. Multiple factors of authentication generally work well enough against this. Same for physical devices, be it those eID cards or something like YubiKey or whatever.

> I am pretty happy to self-certify myself.

Well, that's how GPG/PGP works - as long as you give your public key to other people by yourself, be it in person or otherwise. Then you can manage the private certificates for signing stuff yourself however you wish - be it keeping them in a cloud account somewhere (hopefully not), on a local HDD, a USB stick, or printed on a piece of paper where you'd re-type it as necessary (just a silly example).

The problem is that people want a central authority for certain cases, such as interacting with the government - with the appropriate set of software and middleware built around it, so less technically literate people could just put the card in a reader, input a few codes in some official software and be on their way, rather than trying to figure out what the hell a keychain is.


> My apartment started requiring an app to enter the premises, another app to wash and dry your clothes, and then an app to enter the place where you wash your clothes.

This shit has got to stop. I ran into similar doing a mortgage... They "only accepted the escrow payment through ${RANDOM_APP}." Yea right, y'all can take a check, and they did.

I'm quite sure _all_ the app does is process the payment.:rolleyes: /s No way they collect/sell any info I send through it. Oh, and I'm sure they'll be super upfront whenever their database that my info sits in for eternity with 'admin:admin' protecting it gets popped.


The similar shit with electronic payments should stop too. Here in the US, many stores demand that you pay in EXACT CHANGE or card. However, the system used to calculate prices after taxes is such that no ordinary person is able to know how much they'll have to pay in advance without resorting to some sort of tax calculator. Cash is our last defense against mass surveillance, and we need to cherish it.


legal tender for all debts, public and private


Buying stuff at the store is not debt.


This is unusual, and I agree with you: I hope it never catches on.

That said, my previous workplace has offered entrance with cellphone, as well as entrance by regular key fob. Over time, I have seen people switch more and more to cellphone method, and either returning the keyfobs or leaving them at home.

Also, a nitpick: you don't necessarily have to purchase a cell plan for your phone. For example, the scheme discussed in the article will work over WiFi just fine. And if you are in front of your computer trying to log in, the chances are you have WiFi as well. So while an old cellphone is less convenient than a keyfob (needs charging, bigger, heavier), it is still pretty usable.


I think many people enjoy the option of using their phone, but don't like that they HAVE to use it. For example for most occasions you have your phone on you, but for example when it is broken or empty not having an alternative would be really annoying.


just like in software, ensure that there's a graceful fallback for any techy convenience in the physical world.


> I could not enter my own apartment because my phone was dead

Whenever I hear about "smart" devices as a replacement for something that is safety/security critical (like a lock), the question of what happens when the internet and/or power fails is rarely even considered. Does the lock fail open or closed? Does the door open if there is a fire in the building that damages the internet/power wiring? If it fails open, does that mean someone can bypass the lock by simply cutting the network/power cables outside the building?

There might be reasonable answers to these questions at a large business building that can afford fallback options, but I'm not sure there are good answers for e.g. residential situations.


Residential smart locks I've seen are wireless, with batteries and a keypad, so any networking (zwave, zigbee) or lack thereof doesn't affect that basic operation. And egress is never blocked by anything.

If the batteries die and you need to get inside, you need to have a physical key or an alternative ingress.


This kind of thing dawned on me once when going shopping. I was walking into a supermarket, checked my phone and saw that it had a low battery. I wasn't carrying cash, and I suddenly realised that my "money" could run out of battery and I'd have no way to pay. It's one part of why I buy physical books now (mostly second-hand online) - so I don't even have to think about recharging my book.


Max Headroom, Episode ABC.1.3: "Body Banks":

    Paula: "...what's that?"
    Blank Reg: "It's a book!"
    Paula: "Well, what's that?"
    Blank Reg: "It's a non-volatile storage medium.
                It's very rare. You should have one."

https://www.youtube.com/watch?v=KIWR-b42lU0


also tiktok, blipverts, 5 second commercials on youtube


Sci-fi is often a metaphorical representation of society. However, it's shocking how many episodes of Max Headroom have become literally true.


Yes. And imagine what happens if Google or Apple decide to lock your account..


Let us not forget how all so secure cell phones are!

I had a broker request a switch from a printed card with challenge responses to a cell phone based system. Rejected with prejudice. Never ever will I do banking or trading with a cell phone.


This exists in China right now. You need a phone to show you've not been in close contact with covid cases. Many places only accept WeChat/Alipay for payment. A phone is a necessity.


China, the ultimate authoritarian dystopia --- definitely something we should be taking lessons from, i.e. in order to not go in that direction.


Yeah. Partial list of things you currently cannot do in China without a phone (at least, where I live):

- Go to the supermarket (you can ask a friend with a phone to help you order online)

- Take a taxi (usually, depends on the driver)

- Eat at a restaurant

- (Basically, enter any place of business)

- Go to the hospital

- Travel to another province

- Visit any scenic area or large public park

- Get a Covid test

- Visit your friend’s apartment (usually)

What if your battery dies? Super-reliance on cell phones means this is a solved problem: it’s trivial to rent a charger anywhere there’s a convenience store.

To be clear, I also see this as an anti-pattern. The presence or absence of an expensive connected device should not restrict what a person can do in meat space. A person not carrying a mobile phone is still a person.

But I don’t see how you actually do contact tracing at scale without this. In the beginning of the pandemic, entering a supermarket meant writing your contact info (including ID number!) on a paper ledger at the entrance. Fuck that.


So if you, say, grab someone's phone and smash it they're totally screwed? They can't buy food, can't get a taxi, can't do most things. Interesting


Not really, they're just inconvenienced for part of a day. As long as your phone number is linked to your national ID, it's easy to get another SIM card, and you can just ask a friend for help buying another phone.

The person who smashes their phone, on the other hand, would be totally screwed. Ubiquitous surveillance means that cell phone theft is basically not a thing anymore because the thief is pretty much always caught.


> Ask yourself this: As great as smartphones are, do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

No, I don’t. So it’s a good thing you can already use FIDO authentication without a phone using e.g. a Yubikey!


even if your apartment doesn't support it?


As far as I can tell, these credentials are no different from existing WebAuthn credentials. So yes, you should be able to use any authenticator that implements the protocol, including the Yubikeys that already exist. This isn't like OAuth where each company has their own separate login flow that sites have to implement.


Apartment?

FIDO security keys connect over USB or NFC to authenticate into a computer. There has not been much success using them for physical access.


The parent poster that ryukafalz replied to had an anecdote regarding being locked out of their apartment because their cellphone died, that was the essential cause of their antipathy, and the quoted text mentioned 'enjoy shelter' as one of the things you might need a cellphone to purchase in the dystopian future.


We all remember when facebook.com became unreachable and they had to use a saw to get to the server? Buildings couldn’t be accessed, phone calls couldn’t be made, and emails couldn’t be sent because facebook.com was unreachable. That was just a DNS problem, imagine that happening everywhere.


> We all remember when facebook.com became unreachable and they had to use a saw to get to the server?

No one remembers that, because it didn't happen. It was misreported, but the correction never went as viral.


It happened, except for the saw.

“[The data centers are] hard to get into… [T]he hardware and routers are designed to be difficult to modify even when you have physical access to them. So it took extra time…”

https://engineering.fb.com/2021/10/05/networking-traffic/out...


That’s too bad, I wish it were true, it’s such a great story!


Link the source.


It's amazing how quickly Golden Krishna's TED-circuit profile faded and everyone forgot the critical UX lesson that he built his brand on: The best UI is no UI. The corollary being that if a one-step action now requires you to unlock your phone, you've added at least one additional step (probably more) and your "smart" IoT solution is a downgrade, not an upgrade.


> I would even go so far as to say cash and physical paper should be supported by any business and government department.

I believe there's laws in some states that require cash to be accepted.


This is usually mostly circumvented by demanding "EXACT CHANGE" though. In most states, there are sales taxes at several levels that don't apply uniformly, so it is nearly impossible or too time-consuming to use cash, because you simply don't know how much you'll have to pay.


Why does the company not give you an invoice for the exact amount?



It’s a Federal law and written on every bill, “this note is legal tender for all debts, public and private.”


That pertains to debts - it’s legal to have credit/debit only stores; you see them at times.


concerts do this more and more now, festival wristbands with preloaded cash etc


We need a law that imposes AVOIDING mandatory "smartphone" usage for anything, starting from bank OTPs: IMPOSING offline time-based classic OTPs or SSL certificates or SSH-based auth (never seen outside IT but very nice indeed) or classic matrix cards. IMPOSING open APIs.

That's before discovering we can't be treated after a car crash because our smartphone can't properly identify us to emergency care smart systems, or we can't enter our house due to an e-ID vulnerability of our connected door.


That does not sound accessible to people with visual/motor disabilities and possibly illegal depending on your location


Exactly. Also it's not secure.

I kinda liked smartcards for authentication: https://en.wikipedia.org/wiki/Chip_Authentication_Program

This stuff is simple, works offline and is hard to hack.

I understand it still has some shortcomings, such as permitting MITM attacks.

I hope the new FIDO standard gets a variety of implementations, including dumb keys, etc.


It can be secure but that depends on the implementation


Don't worry they will fix the cellphone requirement by installing face- / voice- / iris- recognition cameras. /s :-|


Automated systems like that should at least have a qi charger built in - so worst case you can jumpstart your phone.


I'm always aware how much of my life relies on my phone battery.

If that does, I revert back to a 1990s savage!


Princess (and I imagine any other Carnival cruise line) wants that future for you. With their new Medallion system, they want all passengers to carry an Android or iOS smartphone, or be treated as a second-class citizen.


Some sports stadiums are going cashless, so you must have phone apps or credit card… the workaround for a cash acceptance requirement? they have automated kiosks on-premises that convert cash to MasterCard


If that Mastercard is prepaid and anonymous, there's not really a problem with that. Similar to how festivals use "credits" on NFC bracelets.


anonymous mastercard is an oxymoron


Just because you don’t like something doesn’t mean it should be illegal.


> do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

This seems like a slippery slope argument. Almost everyone purchasing these products has a phone and service. Cash is expensive to accept. (And makes zero sense for online-only services, which a cash-mandating law incentivises.)


Everyone having a phone already is orthogonal to whether or not it is a good idea to require phones to function in society.

I don't see it as a slippery slope argument because almost everything will eventually move to being online-based, and if "having a phone" becomes the standard for authN, then someone without a phone is excluded from participating in all of those things.


I don't carry one


> Ask yourself this: As great as smartphones are, do you want a future where everyone is required to purchase one, and a cell plan, to exist in society, to engage in commerce, enjoy shelter, health care and security?

I’d be fine with this, so long as there’s a safety net of some sort to provide cheap/used phones to anyone who now needs one. Computers make lots of things easier, and forcing every business to accommodate the additional complexity of non-electronic access sounds like a bad idea.

That said, I do agree that something should be done about “use this app to open your apartment door” and “use this app to do your laundry”. I think the emphasis should be on interoperability. So you as a business can’t require the use of a specific piece of software, but you can specify a protocol, preferably one that’s already in use.

As for “my phone lost charge at 3am and I got locked out”. I see this as equivalent to “I lost my keys at 3am and got locked out”; unfortunate, but ultimately either your fault or bad luck. Time to call a locksmith (or digital equivalent, a hacker?).


> Time to call a locksmith (or digital equivalent, a hacker?).

Kinda hard to with a phone that's out of charge...


Imagine hackers of the future cyber dystopia being simple locksmiths for broken tech.


Seeing how often I've needed to crack some customer's mail client or wifi, or etc ... [*] I think we're already mostly there. (Though it's not always a dark and stormy night)

[*] Obviously after confirming it's really theirs and/or they have the requisite authority. The usual disclaimers apply.


It’s been awhile since I had to do that sort of thing. What challenges do you face and what tools do you use?


ugh, no. an out of power phone is not the same thing as lost keys. in decades of traveling i never once lost my keys, but my phone is out of power almost every time after i spend a day away from home or office.


If you knew that you needed phone charge to enter your apartment I bet you'd bring a spare battery pack when you went out. You could fit in the space you save by not needing keys!


> If you knew that you needed phone charge to enter your apartment I bet you'd bring a spare battery pack when you went out.

I don't even.. what the hell.. UBIK is a fiction, not a desirable lifestyle. Your sentence is the stuff of tech-nightmares.

Re-read please out loud :

"If you knew that you needed phone charge to enter your apartment I bet you'd bring a spare battery pack when you went out."


> Re-read please out loud

I'll have you know that I read all of my posts out loud several times before submitting them. Otherwise I wouldn't be sure if they were up to HN's high standards.

Having not read UBIK, I'm not sure what exactly you were going for by comparing having to keep your phone charged to "a deeply unsettling existential horror story, a nightmare you'll never be sure you've woken up from"[0].

I genuinely do not see how being required to manage a phone's battery is any more onerous a requirement to place on someone than keeping track of a key. People are used to doing both already, and of course I'm not suggesting that it would be acceptable to remove existing fallback measure like resetting locks in the event of a lost key/phone.

[0]: Grossman, Lev. "Ubik–All-Time 100 Novels". Time. (via Wikipedia)


The door refused to open. It said, “Five cents, please.” He searched his pockets. No more coins; nothing. “I’ll pay you tomorrow,” he told the door. Again he tried the knob. Again it remained locked tight. “What I pay you,” he informed it, “is in the nature of a gratuity; I don’t have to pay you.” “I think otherwise,” the door said. “Look in the purchase contract you signed when you bought this conapt.” In his desk drawer he found the contract; since signing it he had found it necessary to refer to the document many times. Sure enough; payment to his door for opening and shutting constituted a mandatory fee. Not a tip. “You discover I’m right,” the door said. It sounded smug. From the drawer beside the sink Joe Chip got a stainless steel knife; with it he began systematically to unscrew the bolt assembly of his apt’s money-gulping door. “I’ll sue you,” the door said as the first screw fell out. Joe Chip said, “I’ve never been sued by a door. But I guess I can live through it.” ― Philip K. Dick, Ubik


I genuinely do not see how being required to manage a phone's battery is any more onerous a requirement to place on someone than keeping track of a key.

really? you can predict how much you use your phone during the day? my key will never lose power, people calling me is something i can't control.

and control is the problem here. i can control that i will not lose my key. just as i can control that i will not lose my phone. and while i know that usually i can get through the day with a single charge, i can't predict that one day a year where that charge won't be enough. so just because of this unpredictability i have to go out carrying a backpack just so i can carry a powerbank. because my phone fits in my pockets, an extra powerbank requires me to have some kind of bag, in summer when i want to go out with shorts and a t-shirt. oh and what about my off-grid weekend trips where i don't get an opportunity to charge my phone for two days?

also, what about my kids who are too young to have a phone on their own?

requiring a phone severely affects my lifestyle in ways that i just don't want.

but i just realized what the solution to the power management is: every door that requires a phone needs to have a charger station right next to it. only that would really solve the problem of being able to make sure i can have a charged phone when i need to enter.

that still doesn't solve the other problems, but at least i can leave the powerbank at home now


It seems you think that having a phone, on you at all times and charged is easier/better than a key/fob. I honestly don’t see how one can think that is a better solution. This solution REQUIRES that I can’t leave my house with my (charged) phone!!! That’s a massive restriction!


So instead of one tiny key, you need a powerbank, that you must also recharge and replace every few years.

What if you drop the phone and break the screen?


You could fit in the space you save by not needing keys!

i have yet to find a powerbank that small. though if such a powerbank existed it would actually help because it would not be able to carry more charge than what is needed to unlock the door. it wouldn't be useful for much else.


Have you tried carrying a power bank with you on longer travels?


That’s not the point. No matter what prep you make, the question of “do we really want to rely so much on new tech to run everything in our life?” Is a valid question.


Yeah, this is a very reasonable position. Metal keys require no electricity, preparation, or maintenance. Newer RFID keys receive power from the building itself. Phones are strictly worse; they require the phone to have a charge, and they require a mobile app that is well-tested on a wide range of devices. I've never seen a mobile app that interacts with hardware that actually works, so I just don't think the state of the industry is good enough here.

RFID seems like the perfect building access system to me. You can disable individual key fobs (whereas with metal keys you have to rekey the locks each time someone moves out) and they're cheap to replace.

I definitely wouldn't mind having the option to use my phone, but it just isn't a good single point of failure. Software is nice and everything, but not nice enough to control access to my home.


Ok, and when I can’t get into my building because of a power outage or there is a “technical glitch”?

Is something really more convenient/better if it doesn’t work when you need it most?


> and when I can’t get into my building because of a power outage

Just carry a Tesla Powerwall for your building. You could fit in the space you save by not needing keys!


In addition to granting access, I would take issue with my comings and goings being tracked to the millisecond.


I simply won’t use any service that requires a phone and doesn’t allow other options. I am opposed to a future in which phones are a necessity of life rather than merely a convenience.

And to the people who say “but desktops/laptops are already a necessity of life” - yes, and that’s a problem. We need to be actively thinking of ways to roll things back, rather than allowing technology to become more and more integrated into life.


I strongly disagree. Personal computers are here to stay, and will only become more integrated into daily life due to the conveniences they afford. The fight now isn’t to keep computing out of daily life. Rather, we ought to be fighting to ensure that people have control over the computers in their lives.

There are two ways this ends up:

The future where everyone has to carry around a black box computing device controlled by its manufacturer and the privileged creators of the apps you’ve been allowed or compelled to install on it. The present state of iPads/iPhones and to a lesser extent Android phones make this future feel incredibly close.

But the future where everyone carries around an incredible communication and calculation tool that acts as an agent for them and expands every individual’s capabilities feels only just slightly out of reach.

The line dividing the two futures is thin and technical in nature. This leaves us with a tricky situation where most people wouldn’t be able to distinguish which they’re headed towards, or even which they’re living in. All I can do is hope that either legal tides go my way and grant users control over their computers (phones) by force, or that somehow tech literacy rises and people demand control.


I don’t really disagree. I’m not a luddite and I don’t advocate for turning off the internet. Computers are certainly here to stay. It’s an extremely complex issue, and I don’t have all the answers, or even know how to phrase all the questions.

I do think society needs to take a proactive role in deciding how it wants to interact with technology though. There’s a certain laissez faire, almost defeatist attitude that you see from a lot of the tech crowd, that goes something like “technology will do what it does, and it will change our lives how it sees fit, and we are powerless to stop it.” But if that was the case, we couldn’t have gun control laws, or environmental protection laws, or restrictions on nuclear technology. Technology may continue to develop, but it’s still up to us how we choose to use it.


> technology will do what it does, and it will change our lives how it sees fit, and we are powerless to stop it

I too see this attitude from technical people. To be clear: I do not hold it. Like you say, I favor regulation in the vein of gun control, environmental protection, etc. Left alone the tech market will consolidate and rob users of as much power as possible; it is simply the most profitable way of doing business.

To be more specific: I am a proponent of bills like S.2710 - Open App Markets Act (https://www.congress.gov/bill/117th-congress/senate-bill/271...), which among other things requires operating systems to "... allow and provide readily accessible means for users of that operating system to ... install third-party apps or app stores through means other than its app store". Though I would also want additional provisions, like not allowing OSes to reserve special privileges for first-party or blessed third-party apps, eg iOS restricts third-party apps from running JIT code, preventing browser competition on the platform.


It's not technology, it's the people.

The problem is that people want short term gain and don't see the long term loss.

Regulation won't happen for technology, the government doesn't really have an incentive.

They are already spying on anyone so they don't need anything else. Gun control regulations are great to make people more reliant on the government and environmental protection laws are great for charging extra taxes; what would a "less technology" regulation accomplish? Nothing, it would be counterproductive.

The government wants you to ping every phone cell you go near.


There's absolutely nothing technical about this. It's entirely political, there's no technology that needs to be developed for this. All you have to do is create laws (or allow monopolies and cartels to impose "standards") that require people to carry their cellphones at all times. Make physical doorknobs illegal (as a security threat, and lack of accessibility for the disabled.) Done.

You don't even need cellphones. Just issue people hard to forge documentation and set up checkpoints. It's the difference between a fence and a shock collar.

Your dream seems to be to set up the infrastructure for universal command and control, then expect it to choose to regulate itself.


> Your dream seems to be to set up the infrastructure for universal command and control, then expect it to choose to regulate itself.

I don't think I said anything of the sort. Just because something is electronic doesn't mean it's centralized and restrictive. My dream is one where technology is an empowering tool accessible to anyone and I'm all for regulation to prevent monopolies or cartels from imposing self-serving "standards" that block out competitors and force people into walled gardens. You seem mostly concerned about authoritarianism. I propose that so long as users are in control of their computers then computer ownership will have a net-positive impact on general freedom. If users do not control their computers then they will have a net-negative impact on freedom. So the crucial aspect is not whether or not phones/computers become required for daily life, but whether users have control over them.


I applaud that goal, but currently I see no trend pointing in that direction - on the contrary, the rise of highly locked down smartphones and IoT devices has shown to everyone interested just how much control you can take away from users without serious complaints, let alone actions.

Even more so, there are a growing number of stakeholders and even entire business segments which require locked-down devices for their activities: The entire business of streaming services only works because they get to place an opaque black box in users' homes and can dictate arbitrary rules and constraints for playback.

The entire app ecosystem is only economically viable because the devices make it impossible (iOS) or really inconvenient (Android) to install apps without paying for them. Also, the devices give the user no way to modify the apps, so developers can implement whatever hostile logic they want and users have to put up with it. The ability to do that is a major appeal locked down platforms have for businesses.

(IMO, the imagination of far too many people in the industry is already running wild with all the kinds of crazy rules, restrictions and "business models" you can implement on locked down devices.)

I think we should reverse this trend and install some actual computer literacy in larger parts of society before we make computers mandatory for everyday life - otherwise, the whole thing will end in a dystopia.


I think you need to define personal compute as including mobile phones/tablets for that to be true. I've had several even highly technical colleagues with no non-work 'computer' - they use an iPad or whatever, because that's sufficient for their non-work use of one.


I didn’t realize that my usage of the term was unclear, but to clarify: an iPad is a personal computer. A smartphone is a personal computer. Even modern game consoles are personal computers. They’re all general-purpose computers owned by an individual. However, they have software locks placed on them that prevent their owners from controlling them. In the post above when I’m talking about personal computers that we carry around I primarily mean phones. I will update the post to clarify.


> “but desktops/laptops are already a necessity of life”

No they're not! You need either a desktop or a laptop or a tablet or a smartphone, but you don't need more than one.

I'm okay living in a world where everyone needs access to some type of computer, in the same way that everyone probably needs access to some type of writing utensil. However, people should be able to choose the form factor that lets them live their best life.


> However, people should be able to choose the form factor that lets them live their best life.

Especially when one particular form factor leads to surveillance of your location.


I assume you mean phones?

This is not a form factor result, it's a result of a function.

If you want to have internet access without being near internet AP, you have to accept surveillance. This applies equally to phone, or tablet with SIM card, or laptop with external 3G modem.

If you are OK with only accessing internet in specific location, you can turn off cell subsystem in your phone -- this functionality is present in every phone I have seen.

(Same applies to bluetooth, wifi and other ways to track device remotely)


Mobile phones could be open systems like PCs are. But they aren't. So we should oppose this movement to use phones for everything until the situation changes.

Not to mention that old people are suffering (at least here in Spain) a lot because services push everyone into apps etc.

I cancelled my father's bank account for this very reason and moved him to a credit union. It was painful but their customer support was so awful that it was worth it.

The last straw was that they told him he couldn't do a money transfer from his local office but he had to use a mobile app. He called me to help him with that. That got me angry.


I agree. However, phones are also uniquely addictive, which IMO is a strong case for dropping them if they interfere with your life. We should at least make sure it is possible to drop them.

(I don't love using the word "addictive" here because phones are not chemically addictive, but any other term makes the point less clear.)


> If you want to have internet access without being near internet AP, you have to accept surveillance. This applies equally to phone, or tablet with SIM card, or laptop with external 3G modem.

That is true in practice, but not true in theory. There are urban WiFi networks that already operate without spying on the users. Nothing prevents mobile networks from being applied in the same way on a technical level.

In fact when you're using a mobile network, you are near an internet AP in the form of a cell tower. Taking 5G NR, you even have to be nearer to it than you would be to your WiFi AP.

Surveillance is not a result of form factor or function, it's a result of social organization.


> I'm okay living in a world where everyone needs access to some type of computer

Some people don't want any technology at all. What happens to them in your future?


I'm sure plenty of people would have appreciated never having to learn to read to fill out paper forms in the past either.

This has gone off on a weird tangent; the article is about how a new standard can greatly simplify account passwords, the very hardest and most frustrating thing about modern life on the web.

Changing that into "we shouldn't have any tech if we don't want to" is a strange reaction to making tech more accessible. But perhaps if one wants to eliminate tech from people's lives then making tech as bad and painful as possible might be one way to do that; but it seems like a foolish way to pursue that goal.


> Changing that into "we shouldn't have any tech if we don't want to" is a strange reaction to making tech more accessible.

I am 100% in favor of giving people the option to log in with their phone instead of a password, if they want to. If that's all the article meant, I stand corrected.

But, I got the impression that the people quoted in the article were working to eventually remove passwords as a method of authentication. That's not cool, because it requires users to have a secondary device.

I don't think my impression was entirely unreasonable, because we're already seeing it in the number of websites forcing users to set up two factor authentication. Note that many of these so-called "two-factor" solutions allow the user to reset their password using only their phone (which is what really makes SIM-swapping such a problem), which means your password is effectively optional, but a phone is required.


> Some people don't want any technology at all.

That's a shame. They must get very cold in the winter without the ability to build a fire.


What tech do you need to build a fire?


A controlled fire is itself a form of technology.


If you don't want any kind of medical technology it will most likely be a rather short future...


You don't need any of it.

I grew up without any of this mobile or home computing technology, and I don't see anything essential today that I cannot do without it. It's all about convenience.


The article does not fully explain it, but the proposal is about using FIDO to sign in to services. The article simplifies this as signing in by unlocking your phone, but that is just one way to do FIDO (and possibly the most common way). If you prefer not to use your phone, you can also use a YubiKey or similar on your desktop/laptop; pushing FIDO as a standard would probably make it possible to use a YubiKey with much more services than today!


FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password). Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Having something you know (a password) is more secure because something in your memory that you don't share can't be taken from you by any means. Passwords aren't perfect (you can be tricked into sharing it, or tortured into giving it up) but there are solutions for being forced to hand over a password, and neither tokens or biometrics solve the problem of people being tricked.

No one can murder you in an alley, and drag your lifeless corpse to an ATM and clean out your bank account because the murderers have your face, and fingerprints, even your cell phone, but not your pin. Good security should always require a secret that you know.

Not having a password would be fine for logging into low risk sites like this website, where at worst someone might get your account banned or post comments under your username, but any site or transaction where the risk is greater should just always require a password.


>FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password).

Not necessarily. The specific implementation being talked about in the article is to use your phone as your FIDO device, and your phone has to be unlocked. So the "something you have" is your phone, and to unlock it, you can either use "something you are" (biometrics via face ID or fingerprint), or you can have a PIN/password on your phone to make it "something you know".

I wouldn't be surprised (and I would hope) that the FIDO app or feature on phones would also come with the ability to restrict it via PIN/password even if your phone unlocks via biometric.


I agree there are implementations that would be more secure, but they'd still require a password (even a weak version of one via 4 digit pin) and at that point we might as well just unlock our phones and click on the icon for a password manager.

The dream of a life without passwords sounds great, but I don't think FIDO can get us there and if it can't, we have to think about whether or not the extra convenience we can get from FIDO is worth what it would cost us in terms of all the data and control we'd be handing over to 3rd parties.


Preface: I've been busy as shit this week and haven't really read up on FIDO. I don't know that I have a position on it yet.

> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.

I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.


> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security

> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.


I stand corrected on some of my phrasing, thank you for the correction. However...

>Services do not need a copy to validate your password, and should never store one.

"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.


Users don’t know how a site implements FIDO either.

With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.

All authentication schemes offer benefits only if implemented correctly.


> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

True, and better security systems take advantage of that by combining all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.

As the use of biometrics increases we'll see more examples of that data being collected, stolen and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.

> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

As others have said, they shouldn't. We have to expect failures and breaches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.


> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.


"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. It's better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.


FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.


True, but then you're basically back to having passwords. Weak ones even (assuming a 4 digit pin).

Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.


FIDO is quite old, and a huuuuuuuge upgrade over a password based system in terms of both security and in terms of user convenience.

It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that it has rolled out too slowly, not that it is in any way inferior to our horrendously insecure web of dozens of accounts secured by a weak, human-memorizable password, or worse, reused passwords.


Per the Fido spec, “Something you know” can still be used to unlock the Fido Authenticator by way of a pin.

Passwordless is better because you aren’t storing a phishable password on a server.


If there is an article that explains what's different about passkey under the hood, I've yet to find it. That's not entirely surprising as it's brand new. Still it's mighty frustrating when google searches return just page after page of re-writes of fido/google/microsoft press releases, all saying little more than "hey! passkey replaced passwords (and it somehow involves phones and bluetooth)".

Yes, I know it uses FIDO under the hood. But there are very few ELI5s for FIDO either. Ones that start with "It starts with a super secret private key the FIDO device creates and never leaves the device, so no one ever can learn it. In fact, the security and cost effectiveness of the system rests on the fact that it's near impossible to extract that secret from a piece of cheap silicon. The system works because it's possible for the device to prove it knows that one thing only it could know, without ever revealing what the secret is. ..." From there it goes on to explain the techniques used to ensure that despite using the same secret for every server, no two servers (from different domains) will know the same key was used to log into each. And on it goes with mutual auth, and immunity to MITM attacks and on and on. Now I think about it, maybe 5 is a little too young.

Then people say disturbing things about Passkey, like https://www.hanko.io/blog/on-passkeys : "Passkeys = (synced) WebAuthn credentials". Hang on. Is that saying this super secret key never escaped the FIDO token is now synced???

And where is this super secret key stored on the phone? Storing it in a hardware token that receives a backdoored firmware upgrade is one thing. Storing it in a device that accepts firmware upgrades, when governments such as Australia's have passed laws allowing them to compel manufacturers to backdoor firmware upgrades, is quite another. But storing that secret on an Android or iOS phone, which are so complex they have proved impossible to make secure, which we know because many can still be rooted today - surely that's insanity?

But who knows, maybe that's all been thought of and mitigated. Given Google's involvement, that almost seems likely. But you could never learn if it was true from the dumbed-down-to-the-point-of-uselessness "hey! we've invented (yet another) replacement for passwords" press releases I've seen so far.
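The flow the comment above asks for an explanation of, as an added example that is not part of this thread and not anyone's production code: one device secret that never leaves the authenticator, a separate key pair derived from it for each relying party (so two sites see unrelated public keys), and a challenge signature bound to the origin the browser actually visited. The design is a simplified stand-in for FIDO/WebAuthn written for this example, not the real protocol's byte layout; all type and function names are assumed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is a simplified stand-in for a FIDO device (assumed design): one master secret that never leaves it, plus a signature counter.
type Authenticator struct {
	master  []byte
	counter uint32
}

func NewAuthenticator() *Authenticator {
	m := make([]byte, 32)
	rand.Read(m) // crypto/rand, so the master secret is unguessable
	return &Authenticator{master: m}
}

// keyFor derives the per-relying-party key: HMAC(master, rpID) seeds Ed25519, so two sites see unrelated public keys and the device stores no per-site state.
func (a *Authenticator) keyFor(rpID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, a.master)
	mac.Write([]byte("per-rp-seed/" + rpID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Register hands out only the public key; the secret stays on the device.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	return a.keyFor(rpID).Public().(ed25519.PublicKey)
}

// ClientData is built by the browser, not the server: the challenge plus the origin the user actually visited. The device signs over its hash.
func ClientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf("challenge=%x&origin=%s", challenge, origin))
}

// authData is sha256(rpID) || big-endian counter (36 bytes).
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, counter)
	return append(h[:], buf...)
}

// signedMessage is what the signature covers: authData || sha256(clientData).
func signedMessage(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	return append(append([]byte{}, ad...), cdh[:]...)
}

// Sign proves possession of the per-RP key without revealing it; the browser forwards authData and the signature to the server.
func (a *Authenticator) Sign(rpID string, clientData []byte) (ad, sig []byte) {
	a.counter++
	ad = authData(rpID, a.counter)
	return ad, ed25519.Sign(a.keyFor(rpID), signedMessage(ad, clientData))
}

// RelyingParty is the server: it holds public keys and last-seen counters, nothing that could be phished or cracked from a database dump.
type RelyingParty struct {
	ID      string
	keys    map[string]ed25519.PublicKey
	counter map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}, counter: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pk ed25519.PublicKey) { rp.keys[user] = pk }

// Verify rejects an assertion made for another origin (phishing or MITM relay), for another RP's key, a replay (counter did not advance), or a bad signature.
func (rp *RelyingParty) Verify(user string, challenge, clientData, ad, sig []byte) error {
	pk, ok := rp.keys[user]
	if !ok || !bytes.Equal(clientData, ClientData(challenge, "https://"+rp.ID)) {
		return errors.New("unknown user, or challenge/origin mismatch")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(ad) != 36 || !bytes.Equal(ad[:32], want[:]) {
		return errors.New("assertion is for a different relying party")
	}
	ctr := binary.BigEndian.Uint32(ad[32:])
	if ctr <= rp.counter[user] {
		return errors.New("signature counter did not advance (replay or clone)")
	}
	if !ed25519.Verify(pk, signedMessage(ad, clientData), sig) {
		return errors.New("bad signature")
	}
	rp.counter[user] = ctr
	return nil
}
```

A look-alike site that relays the bank's real challenge only ever obtains a signature over its own origin, which the bank's Verify refuses; a real relying party additionally issues each challenge once and ties it to a session.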


First thing that comes to my mind is “What happens if your phone is suddenly dead”? Will this FIDO alliance guarantee alternative means of access or that they will send someone down to your house to identify you positively and restore access to your online mail and documents?


What if I lose my phone or forget it at home? Can I no longer do my personal banking on my laptop or workstation?


That's true today if you use a password manager, no? And it's true of any site that uses 2FA (unless the site supports multiple authenticators and you have a backup token).


My password manager is accessible on my other computers, so no it's not true today.


The better analogy is your driver’s license/ID or passport. If you leave these, you likely can’t travel or be admitted into specific establishments, etc.


Ever since I somehow managed to lose my driver's license between the private car that dropped me off at the airport and the door to the airport, I always use another government ID I don't actually need for anything (Global Entry) while going through security.

I also usually carry my passport as a backup though that probably won't work if I need to rent a car--and on that particular trip it was a last minute overnighter so I didn't throw in my backup documents and cards folder. It took me about half an hour to convince the hotel to let me check in.

In general, I hate traveling with things that you really can't afford to lose and can only mitigate against loss to some degree.


> In general, I hate traveling with things that you really can't afford to lose and can only mitigate against loss to some degree.

This could be resolved using a FIDO enabled NFC sub-dermal implant.


Identification systems on computers are already abused to extremes. There is no way putting an identification system inside your body is not going to result in tremendous abuses in the long run, with much more terrible social consequences since it will be linked to individuals and hard to disable or remove.

The simple fact that there is no guarantee of safety that can be made about such a system, despite its obvious consequences for tracking, power and control, should alone be a red flag.

When I read such a comment, I can't help but think school should make kids read more science fiction. Many authors covered why something like this is a dangerous idea.

I'd go even farther, but I would reach the Godwin point.


So now I'm modifying my body in order to use the internet?


Why not? If they're made cheap enough for everyone to use, it provides greater security over other methods.


But it's always possible to get a new passport, even if you've lost every other type of identification. What happens if I lose my Yubikey and all of my backup codes?


As noted in the article, it's a tough problem. The easier you make account recovery the easier you make attacking those recovery methods.


It so happens that I have a great solution to this tough problem, which has served me well for years.

I have a password manager, protected by a strong, unique, randomly-generated master password that I took the time to commit to memory. I cannot ever lose this password, and as long as I have it, I can get into my vault. As long as I can get into my vault, I have access to my other passwords.

An increasing number of web services have decided this is insecure, and are forcing me to use secondary devices in order to authenticate myself. This does very little to increase my security, while putting me at risk of getting locked out of essential resources.

I'm all for alternate options, but please don't take this setup away from me!


Desktops/laptops aren't a necessity of life for many people. In general, I'd say smartphones were a far more universal necessity today.


Sorry, that may have been poorly worded. I wanted to preempt the objection of “well, you say you don’t want to be dependent on smartphones, but then you’ll just be dependent on some other type of computer”. I wanted to make it clear that the problem is about rethinking our relationship with computing in general, not just with smartphones.


The problem is not with the technology itself. The problem is that technology is increasingly trying to control you and not vice versa. Humans are becoming slaves of a system, that has only "profits" in its mind.


I’ve been thinking about going phoneless, but had a realization that I have used this number for far too many accounts to even remember.

I basically need to port this number to a cheaper carrier and cover the cost…forever


You can port to google voice for cheap, but you definitely can’t count on google offering that service forever.


Big G has burned me too many times! I have a vanity number or 2 through them and that is stressful enough!


> We need to be actively thinking of ways to roll things back

Although I agree with you, it is not realistic.

Do you think kids who are 3 right now will feel the same when they are your age?

Reminds me of the US General who, in WW II, insisted cavalry still had a place in warfare. Can’t remember his name.


The 10th Mountain Cavalry Reconnaissance Troop of the 10th Mountain Division, while not designated as U.S. Cavalry, conducted the last horse-mounted charge of any Army organization while engaged in Austria in 1945. An impromptu pistol charge by the Third Platoon was carried out when the Troop encountered a machine gun nest in an Italian village/town sometime between 14–23 April 1945.

anyway the point is not to go back to soldiers riding horses, but to not reduce the authentication options, because it also reduces security.

After all we still use keys to unlock doors and not our phones (because it would be stupid)


It was Maj Gen John Herr:

"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."

...

"even in 1942 he still struggled for the horse, requesting Marshall for "an immediate increase in horse cavalry."

...

"He enforced a formal policy that any increase in mechanized forces must be preceded by a proportional increase in horse cavalry; as a result the 7th Cavalry Brigade remained the only mechanized unit until 1940. Later, he had to admit the rising power of armor, but was just as unwilling to dismount his troops.

After the outbreak of World War II Herr followed the European campaigns through attaché reports that reinforced his belief in superiority of cavalry tactics. His chief of staff Willis D. Crittenberger pre-screened these reports and jotted "cavalry mission" in the margins to attract Herr's attention.[16] Herr's own interpretation of the intelligence was biased in favor of the horse. He believed that the Wehrmacht relied on horses because of German operational doctrine when, in fact, it was a purely economic decision.[6] He wrote that other Western European armies dismissed the horse because of shrinking horse and forage stocks; the American situation, according to Herr was more akin to Poland or the Soviet Union, which still kept sizable horse formations.[15] He assessed blitzkrieg as a "typical cavalry mission" and suggested expanding the 7th Cavalry Brigade along German panzer division standards, under full Cavalry control.[17] The proposal, delivered at the War College in September 1939, was bundled with the demand that new armored units should be formed from scratch rather than converted from horse troops.

In the first half of 1940 Herr embraced the concept of "horse-mechanized formations" and called for expansion of cavalry brigades into divisions. He alienated George Marshall by insisting that mechanization should be an expansion of existing cavalry troops, rather than their replacement.[19] He publicly rallied for more horse units through Cavalry Journal publications,[15] and brought further tension inside his troops by asking each cavalry officer to choose his side: either for horse cavalry, or for mechanization. According to Bruce Palmer Jr., the request forced officers of all grades to "cut their throats professionally": they had to bet their careers on obsolete war technology, or risk immediate repercussions from their Chief."

https://en.wikipedia.org/wiki/John_Knowles_Herr#Chief_of_Cav...


Cavalry absolutely had a place in WWII.

That purpose wasn't doing pike-and-lance charges into panzer lines. Just like most motorized units, WWI and WWII cavalry didn't fight from horseback - it would use horses to get to where they were going to fight, and dismount to fight.

The Eastern Front had a lot of terrain that was not conducive to wheeled travel.

Cavalry is also far more cost-efficient at hunting down partisans, and terrorizing civilians. It doesn't need petrol, you can just steal horsefeed directly from the people you are occupying.


Not so much by the US Army; perhaps by other armies. See my sibling comments about Maj Gen John Herr who was side-lined then forced into retirement because of his views of cavalry during WW 2.


> Reminds me of the US General who, in WW II, insisted cavalry still had a place in warfare. Can’t remember his name.

Cavalry still had a huge role to play in WW2. You didn't ride them into battle (you didn't do that in WW1 either), but they were used for transport. Germany and Russia used 6 million of them.[1]

[1]: https://en.wikipedia.org/wiki/Horses_in_World_War_II


Cavalry != Horses

It was Maj Gen John Herr:

"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."

https://en.wikipedia.org/wiki/John_Knowles_Herr#Chief_of_Cav...


strongly agree


This is potentially a bad idea, and I can explain an actual use case that happened a few weeks ago.

My neighbour had dropped her phone in some water, it was a Samsung S21, and the screen was messed up. The moment you tried to activate the screen, lines would appear across it. It was unusable.

Thankfully she had a spare phone available to use, but she needed to get a bunch of things setup on there (Google Mail, NHS for the Covid pass as she was travelling abroad).

She ran into an issue authenticating her Google Mail account - the password. She didn't remember it, so we tried the "Forgot Password" user flow.

For reasons unknown, the user flow insisted on sending a notification to her Samsung S21, even though we had swapped the SIM card from that phone into the new phone, and we had no way to swipe the notification on the S21 due to the screen being broken.

Somehow, we managed to trigger sending a text message with a code, and thankfully she got access to her Gmail account and other items.

But it was not a simple process, and there's no way your everyday person would have a clue how to deal with such cases (it confounded me and I'm a developer!), so I hope that someone with UX and QA chops is able to cater for scenarios like someone's phone screen being busted and knows how to provide alternative options that your everyday folk can get to grips with.


Just turn the phone off. That’s what Apple has you do when you need to turn off Find My iPhone but your phone is on and unable to be used. Even without the sim the device is still trusted, and as long as it’s connected to the internet it will try to authenticate with it. Also trusted contacts are also now a thing. https://support.apple.com/en-us/HT212515


Gotta love HN. OP talks about phone user flows where in "no way your everyday person would have a clue how to deal with such cases" on a Samsung phone. They get a reply about a hack for Apple phones when unusable.

You do notice the irony, right?


While it isn't helpful for this person, I'm happy that I read it so at least I know the "correct" solution to this problem now should I ever encounter it.


It's worth a shot though, and it kind of makes some sort of logical sense. Samsung and Apple have copied each other since the beginning, so it stands to reason this might work.

How ironic would that be?


It’s not a hack, it’s expected behavior. Go to an Apple store with a broken screen, and this is what they will have you do. If I remembered the title of the support article I would have given it to you.


This is one of those ideas which is completely the opposite of the way I want to do things, but which will probably gain enough traction that I'll be forced to accommodate it after several years of frustration, grumbling, and workarounds.


I can see that perspective, but I don't think that will happen. Companies jump at any chance to steal each others customers, so the necessity threshold has to be very high for something like this to be adopted across the board.


Their interests are not aligned with mine. Many industry standards end up being user-hostile.


While I would rather use a password manager myself to keep accounts separate and not reliant on a single big tech account, I’m sure your average user would love the convenience of this and its overall security benefit would be a positive


>on a single big tech account,

And those big tech companies are free to lock you out from your account for no reason with no recourse.


Yeah it’s definitely not for me, but for your average user who isn’t tech savvy and uses the same password for everything: this is an improvement


Being locked out is an improvement?


It's much more likely for the average user to forget their password than have their account banned deliberately. This would, overall, reduce friction when logging in.


… and consumer protection regulation may never arrive, while the feudal digital fiefdoms gain ever more power.


As far as I can tell this doesn't actually require a "big tech account".

I am imagining this working like OTPs that are generated on phones. The actual standard will be open and the implementations do not require a specific platform or any kind of "account", but most people will run it on their phone with Android or IOS because it's handy for them.

I also don't think it's going to require running on a phone, just like OTPs. I can generate OTPs for 2FA purposes on my desktop system running Linux and it works great!

If it does end up working like that, I think it's a great idea.


It doesn't require one from a technical perspective as you've pointed out, but every business incentive is to lock people in to accounts. It makes it easy to collect data on the users, to enforce payment by locking accounts, etc.

I too prefer offline-first tools, but the market doesn't, and people are trained to sign up with an email account and password so for the masses "this is just how it is".

I don't want to be a pessimist, but examples of user respecting systems are mainly commonplace in certain corners of the highly technical FLOSS world, it's certainly not the experience of the average person.

TOTP being a notable exception.


Voted for reasonability.

Did you see Demolition Man? What do you think about the beginning?


I haven’t seen it but I skimmed the plot on Wikipedia and I don’t see exactly how it’s related – could you elaborate?


The villain is locked in in a room which requires a retinal scan from the guard to leave. So he proceeds to stab the eye globe of the guard with a pen to be able to unlock the door.

As such I tend to prefer cloneable credentials. Everything that is unique (cellphone, ...) would imply that access credentials could be stolen (as in, actually stolen, not copied), which could imply the threat of violence to succeed.


I would much rather someone attempt to steal my phone irl, as opposed to someone on the other side of the globe cloning my method of accessing my accounts without me even being aware until it's too late.

To clarify, this wasn't meant as an attempt at a "tough guy" acting. If someone tries to coerce my phone out of me irl by threats of violence, they will get the phone. But this being done irl at least has much easier path to being able to trace the criminal, actually prosecute them, and to minimize the damage to my accounts.

Not even mentioning that it is much more risky for them to attempt, given it would have to be done somewhere around a public place with other people and law enforcement around. Meanwhile, some guy from an eastern european country cloning my access credentials to compromise my accounts will almost certainly never be traced, and 100% won't get prosecuted (and that's on top of me not being able to be aware of that happening until after the fact).


I really hate that we truly think and market smartphones as some sort of secure device. To me the whole thing looks like creating massive single point of failure. A single device have big enough vulnerability and essentially everything is lost. Including all the usual recovery options from email, phone calls to SMS messages.

As a security person I prefer much more old-school options, like that I can still use single-use passwords with my bank. But I fear that this will go away one day...


The companies realised that "security" is a great way to persuade, so they market that way while spreading paranoia and FUD about everything else. They've already been fighting right-to-repair with the same talking points. In reality it's just a power-grab from Big Tech and the security they're really desiring is security against the user (and ostensibly attackers, which includes users in their thinking, since they don't want to let users do things they don't approve of...)


The alternative right now is people using the same password everywhere, and/or writing it down on post-it notes next to their computer. We need far better solutions for the majority.


I dearly wish that security keys (Yubikey etc) were cheaper. The average person needs two keys so that they can store one as a backup. The average person needs keys that support NFC (or similar) so that they can easily use one across multiple devices. But the average person is not going to pay $50 for a pair of keys, regardless of the security or convenience benefit. It's not until you hit the $5/key range that people will use them without being strongly deterred by the cost.


I think that ease of use and services that support it are bigger challenges than the price.


Even if every service supported it, ~$50 is a tough sell. For half of the population in the US, that's a minimum of 3 hours of work! Anything short of an "impulse buy" price is too much for most people, given the nebulous security/convenience benefit. But have them cheap enough to be sold at a discount store? That's enough to make it palatable. It's enough that tech folks can recommend them to virtually anyone without reservation.

At the current price, it's hard to recommend them to people I know. Even to those who still suffer in a world of post-it notes, reused passwords, and unclear knowledge of which device they own has saved what. The sort who live by the "forgot your password?" link. I've recommended password managers to them, but the recommendee is usually put off by the hassle of installing one and creating an account. Oddly enough, this hassle comes off as more surmountable if it's part of making a physical object work properly. There's something about the sunk cost of having already spent money, the natural value associated with a physical object, and the sense that they've already begun the process that makes the hurdle feel smaller.


Surely hardware keys (like Yubikey) are the easiest security factor to use? Nothing to remember, and it works just like a physical key, so nothing much to learn.

I do wish it was more widely supported.


Post-it notes at home aren't so bad. It is not like you couldn't steal a phone if you have physical access. Maybe a fingerprint is a bit hard, but learning the pass code or using face unlock when the person is sleeping...


Post its at home can be stolen, or photographed, while I'm out of the house. My phone plus my face? Without me noticing either? Not as easy.

I still keep printed one-time recovery codes locked up and hidden so as not to be completely surrendered to my phone, but I don't really like them since they can be copied without notice; the only comfort is that usage of them will trigger a notification. YubiKeys feel like a better middle ground.


Yea, (any) smartphone is the last thing that can be considered secure.


JUST WOW.

"Passkeys" appears to be another name for FIDO Multi-Device.

FIDO previously took the position that the private keys should never leave your hardware token (or phone). Because that's the most secure position.

That position appears to be out the window. They provide a rather longish obscure FAQ entry explaining, yeah, we said your private key shouldn't leave your token (or phone), but times are a-changing.

From the FIDO multi-device FAQ: https://fidoalliance.org/faqs/#multi-device-fido-credentials

From the FIDO Alliance website: "FIDO Alliance has previously stated that user authentication credentials never leave the device. Has that changed?"

"FIDO Alliance’s mission is to help reduce the world’s over-reliance on passwords. It is true that some relying parties (and their users) get value out of hardware-bound credentials, and the FIDO standards still support this type of deployment.

But for many relying parties, the fact that FIDO’s approach required users to enroll each new device presents some customer usability challenges, and also limits their ability to replace passwords (as passwords frequently serve as a means to verify new authenticator enrollment).

As such, replacing the password with a challenge-response protocol based on asymmetric cryptography is a huge step forward in security, even if those cryptographic keys aren’t bound to hardware – as this helps RPs thwart the constant threats of phishing, credential stuffing and other remote attacks."


Hmm...

Isn't that kind of against the whole "FIDO" thing that I've been personally trying to deploy company wide as much as possible. That you have in your person some actual physical object, what ever it is: YubiKey, SmartCard, a laptop with a TPM chip, a phone.

And your personal private key inside that specific physical object is your "password" that only you can access by PIN or biometric identification.

If you lose access to that physical object, you lose access to the services also. That's the whole point! You can replace it, but then you go through the whole "enrollment" process again. That's another very important point also.

Sounds like a requirement from governments or LEOs. They need access to your private keys and it's much simpler if it's not bound to a physical object anymore. From now on it's just a plain text file on some server, when you backup your phone to the cloud.


Cell phones cannot be secured or trusted. You have no access to secure them either. Using them for anything private is already a terrible idea. This is just one more way for companies to take more of your data and insert themselves as a middleman in another aspect of your life that they can then control. A "feature" like this will only put your security at greater risk.


Mobile phones are orders of magnitude safer than any desktop OS available currently, that’s a fact.


Not true. Depending on your OS (sorry Windows users) your OS isn't collecting your personal data at every opportunity, and hopefully doesn't allow 3rd parties to push code to your devices without notice to you about what's been changed, and without any option for you to opt out of those changes.

You must have zero trust in a device where 3rd parties have full access to change whatever they want at any time and for any reason without your knowledge or consent. That's not happening for the linux server in my closet. It's probably happening for the windows 10 system in the living room, and it's absolutely the case for the phone next to me.


Safety != privacy at all.


The same things that make your privacy vulnerable make your devices vulnerable. It's currently impossible to secure a consumer cell phone. They were explicitly designed to collect and leak your data. When 3rd parties have access to all your data you can't secure it. When 3rd parties can push code to your device without any notice to you, at some point a bad actor will do the same. If you aren't allowed to see what your device is doing you can't see when it's being used by an attacker. If you don't even have permissions to the most important parts of your own hardware/software you can't do anything about it once you are compromised.

Cell phones are not private and they aren't secure and that makes them the worst kind of device you could insist on people using to replace their passwords.


You are concluding things from a false premise. Just because mobile phones are not zero-trust devices (note that there is no such thing anywhere!) doesn’t mean they are not secure against malware. While iPhones have a really good security and privacy story, I get that with sufficient tinfoil-hat layers one might choose not to trust Apple (though the only target vector would be deliberate malware created and pushed by Apple itself). But there is also the Graphene project which runs on the Pixel phones, where you have complete control over the software. But the hardware will always be somewhat proprietary so you can’t have complete trust in that either. (And no, PinePhone et al. just put closed firmware into the hardware, not even allowing updating it, which is strictly worse than having it patchable.)

Nonetheless, both of these options are orders of magnitude safer than desktop OSs, as per my original statement.


No they're not. And if you're going to assert something (especially something that absurd) you should at least justify it with an argument.

I'm sure you're thinking something along the lines of "Android has an SELinux sandbox that prompts for permissions." You can run this on normal desktop Linux too though (I forget the command; it's a python script in the SELinux tools (or so) repo.) No one bothers because the distro repos are relatively free of malware and installing non-free software requires a small amount of understanding. This is, of course, considered "bad UX" for non-free software but that is in practice where most of the malware comes from on other OSes. (On Linux most of it comes from sloppy language-specific package managers with a free-for-all mentality like node.js or PyPI, but no amount of OS design can fix stupid devs without making their work impossible.)


SELinux is not a sandbox, and is just one part of the picture. Android also runs every app under a different user — and that is where SELinux can properly uphold its security barriers. Most linux distros even if they have SELinux enabled (e.g. Fedora) will run every user process under your user and UNIX’s default permissions are pretty much useless. So it is only security improvement for services.

You running npm install can potentially delete everything in your home directory, but a buggy application (even if opensource and made with good intention) can be exploited by evil data just as well. Just because your, say, PDF reader is open source it can be used to exploit your computer with an evil pdf file. So yes, linux desktops are orders of magnitude less safe than either Android or ios.


To avoid lockout, you need multiple ways to get into your more important accounts.

A phone is one way, and it's pretty good. A Yubikey is another good way. A third way is a printout of secure backup codes, kept with your important papers.

At that point you're pretty safe. (Although, if your phone and Yubikey are both lost while traveling, you might not be able to get in until you get home.)

Some services like Github and Google actually support this, but it's not that common yet.

The other lockout risk is access denied due to a policy violation (which could be a false positive) and adding authentication schemes won't help there; you need backups.

So it's great that this FIDO initiative lets people use their phones, but what's it going to take to make sure everyone has multiple, reasonably secure ways to get in?


I can only speak for myself and my own personal preferences but I will not do business with anyone that requires this. I've been cutting ties with businesses that have intrusive practices. I have also been migrating to a bank that gave me the option to make everything online read-only. The only remaining business is Amazon but I have recently found a local business that will drive into a big city once a week to transport items from big box stores so maybe I can nix Amazon at some point. I am in a very remote area. My personal goal is to reach a point where I can power off my flip phone and leave it in a drawer for months at a time.


Individual migration is a very temporary solution. When the bank you just migrated to becomes a bit bigger -- it's the next target. Or some new law like digital IDs / a one-world currency makes the migration irrelevant.


You could be right but in my specific use case the bank I moved to will quite intentionally remain small. It serves a specific small community and has no intention to grow outside of this community. If that changes some day I will move again. Moving banks is simple. This community will not comply with digital currency laws and we would make our own mesh networks. The hardware and fiber is already in place to do so.


I feel this approach has the potential to increase the number of successful attacks. According to the article, users would merely need to unlock their phones to complete the sign-in process.

Most people tend to automatically unlock their phones without a second thought.


I imagine there would be a prompt of “are you trying to log into <website>?“ and the user would have to confirm


I find I accidentally unlock my phone in my pocket all the dang time. It's annoying how easy it is to do. :(


I had a problem with a broken phone token recently.

My phone screen broke (turned black), so I wasn't able to log in to my business bank account, not even through the web portal on my laptop. Web login on the laptop requires confirmation via the phone app, but with a black screen I couldn't figure out how to confirm. (It also needs the phone camera to read a QR code, so I guess it would have been a problem if the screen worked but the camera stopped working.)

I phoned the bank and said, surely there must be another way to authenticate in these situations. Or perhaps I could just use bank services over the phone?

Their answer was no, the only option to access any bank services was to purchase another smartphone, move my SIM over, call the bank to activate the new device, and then video myself reading some text. Then I would be able to use the new phone to login to my account on the web on my laptop.

As a result I wasn't able to access the bank account for several days to make payments, until my new phone arrived.

Then similar fault occurred on the new phone a few weeks later (identical model, bought used in a hurry, see above). This time I had just caught Covid so I wasn't going to rush out to local shops for a third phone.

During all this, the original phone was acting as a Google 2FA token for a client Google work account (unrelated to the bank account). Logging in to that Google account required confirmation on the phone, and it had to do something Googley, it didn't accept third party 2FA apps. I never did figure out how to transfer that token over, but that Google account isn't needed any more so I no longer care.


What happens if my phone breaks/dies/runs out of battery/gets lost/...? What if it's my grandma's phone N thousand miles away?


Your first question is the primary topic of the article.


Yes, where said article says it's "tricky":

> Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

and Google ignores the authentication question and just assumes a new, charged phone follows every human being wherever they go (and presumably the same goes without saying for backup codes):

> Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”


I don't understand why so many websites insist on using valid email/phone and password at the same time.

Just implement login via email/sms and that's about it.

Now when it comes to this "phone" authentication, I'm not sure that I like this idea. I have good control over my phone number. I have good control over my domain and email (that's not true for most users, but they have the option). But making all my digital life depending on Apple or Google: that I don't like.


Please don't. I saw Demolition Man.

Just let Password Managers do their job easily.


The problem isn't folks like us that use password managers. The problem is all the other folks that have the same 8 character password they reuse across all their services.


Regular people also have their phones stolen, lost, damaged or bricked on a regular basis. I suspect passwords will remain as a backup mechanism for a while.


Also funnily enough most recovery mechanisms are tied to that same phone... And then what happens when they don't update their device every 2 years like good consumers and there is some massive vulnerability...


So please stop bothering the people who did the right thing by setting up a password manager!

There's an easy way to make passwords usable only by people with password managers: instead of letting the user set a password, generate it for them.


What about Demolition Man are you referring to?


I quite like the "phone as hardware token" via Webauthn as 2FA. However, I've never used "Sign in with Google" and the likes because I don't want all the sites I'm using to get my "real" email address.

So I really hope Google et al. will offer some kind of email address cloaking like Apple do with their private relay stuff. Knowing Google, they sure as heck won't, though.


It depends on the site that uses OpenID Connect federated sign-in whether it asks for your email address from the identity provider.

An application/site can optionally request the "email" scope during OpenID Connect sign-in, but if it is not requested (only the "openid" scope instead) then the provider must not return an email address in the ID token, or an OAuth access token which is authorized for an API method which returns the user's email address (OpenID Connect Core 1.0 section 5.4 - "Requesting Claims using Scope Values").

Google implement this (https://developers.google.com/identity/protocols/oauth2/open...), by returning only a unique numeric user ID in the returned id_token. I haven't checked other OpenID Connect providers.


Thanks! This is great info.

I didn't know the details about different scopes and had always assumed the sites would obtain at least the name and email address, because all I ever saw was the prompt "To continue, Google will share your name, email address, language preference, and profile picture with <site>."


One question I am unable to answer from all of these recent discussions: will I ever be able to use my phone as a cross-platform compatible FIDO/U2F hardware key?

I don't want a vendor-specific or identity-provider specific integration like Google using Chrome and Android for MFA with Google accounts. I mean could my Android or iOS phone connect to a laptop via bluetooth or USB and act as a hardware key just as if I used a yubikey or titan key, and be visible to Firefox or any other software that knows how to talk to U2F or other smartcards to enroll with new websites and identity providers that have nothing to do with Google nor Apple accounts?


This is one of the main topics of the agreement discussed in the article - an agreement on how to use a phone as a cross-platform compatible authenticator and a commitment to do so.

The mechanism is already available on Chrome and Android if you select the option to add an Android phone - iPhones and iPads have a developer preview feature flag you can enable to work with this as well, and to have a Mac display a similar option when using the platform level support (aka Safari or certain native apps).


Hmm, the closest thing I saw to this is the "caBLE" cloud-assisted bluetooth. Reading more on this, it does not sound exactly like what I am seeking. It seems completely tied to the platform vendors and interactions over the internet.

I wish for a completely local mechanism where a phone with a hardware security module could act like a token via completely local communication with the browser, both for enrollment and later login with any relying parties. For general users, I do like the idea of being able to backup/restore the token seeds to allow replacement of hardware without manually re-enrolling redundant keys with all relying parties.

But, I don't see why the cloud-assist should interpose between the user agent and the security device, nor why a cloud-assist should interpose between the user agent and the relying party. How is this cloud-assist different from the other vendors like Duo and Okta, interposed in enterprise client login attempts and organizing MFA options which can include authenticator apps on phones?

I feel like platform vendor lock-in has been gratuitously introduced into this plan. Couldn't a token backup/restore service be offered to users without interposing any new service between the phone-as-token, the user agent communicating with the token, and the relying party service? Or, couldn't the token standards be amended with some sort of web-of-trust concept to allow a token to announce additional peer/backup token keys during enrollment, so that one enrollment task can simultaneously enroll the present token and offline backup token(s) with the same relying party?


There’s no technical reason why your phone couldn’t do what you describe. But the goal here isn’t to maximize security or privacy, it’s to maximize convenience for the sort of person who already uses the same weak password everywhere for the sake of convenience. Plugging in their phone with a wire is too much to ask.


Personally I think this is a huge breakthrough that brings huge phishing resistance to billions of people's accounts.

While it's good to be suspicious of something so critical like authentication, particularly coming from a big tech alliance, what about the positives? Consider that the number one issue for most people is still phishing, and under this system there's no password to be phished anymore. Also consider that this system is likely using Bluetooth for the PC-to-phone challenge/response, avoiding current issues with passwordless MFA apps (i.e. Microsoft's right now) where the user could still be social engineered to confirm a logon by a remote attacker. The Google smart lock app works like this today using BT and FIDO, so we know it works.

Plus the core tech is, from what I can tell, just tried and tested asymmetric crypto, with the private key on your phone. The public key is registered on every web service you want to use it on. Second factor is the phone PIN/biometric. Sure, Apple will let you store the key in iCloud, but we aren't talking standard iCloud backup here, this is iCloud Keychain where it's protected by your device passcode which Apple does not know. And if none of this is for you, just use a Yubikey, it's the same tech. And if you do choose to use it, while you are at it, add several Yubikeys as backups to every service, that's standard practice and how it works now.


I understand that passwordless auth is better UX. But it seems like a step backwards in security from two factor authentication. Why are all these major players pushing passwordless auth but not allowing a password in conjunction with a FIDO2 token? I feel like I’m missing some important detail.


The missing important details: for reasons I do not completely understand, FIDO uses very non-obvious definitions of the words password and PIN. To them a password is a text string provided to an online service for authentication purposes and a PIN is a text string provided to a physically near hardware device to authenticate to that hardware device, after which that hardware device can sign challenges that can be used to authenticate to an online service. When they talk about passwordless they are not precluding the use of a PIN. The PIN gets you your second factor without being stored on a bunch of different services, and with hardware assisted protection from exfiltration and brute force cracking.

Relying parties (aka online services using FIDO protocols) have a lot of freedom to define exactly how restrictive they want to be by making choices about which devices they accept. Through choosing which devices they accept they can choose to require any combination of token, PIN, biometric, and password.


Thanks, that is helpful! You’re right that terminology is confusing.


>Relying parties (aka online services using FIDO protocols) have a lot of freedom to define exactly how restrictive they want to be by making choices about which devices they accept.

This, in my view, is the problem with FIDO.

They shouldn't be able to make that choice.


https://www.chromium.org/security-keys/ , under 'Site Attestation Requirements'

For anything consumer facing (vs employee/contractor facing), the expectation is that a relying party site accepts everything, or supports a set with a clear industry-defined set of limitations (e.g. must have gone through certification and achieved a certain level such that they meet our security regulations).

The set of limitations which you can set during an authentication request are pretty minimal, on purpose - so you will typically have more prompts and more user errors if you decide to try and limit consumer choice.

Other than that, the expectation is that you do not block end users if they e.g. are using one vendor or the other. You may still ask them to perform additional authentication steps, but the goal is that people do not get conflicting requirements across relying parties that leads them to have to carry a key ring of different vendor USB authenticators in order to be able to do their business.


Then don't provide the attestation. No sites I've used (Facebook, GitHub, login.gov, Google, and so on) require attestation. It's unfortunate that the WebAuthn standard requires it be possible for them to ask, but you can just say "No" and I do.


Once you use them as the gatekeeper for auth and identity, it becomes that much harder to delete that Facebook or switch phone brands. Not to mention much deeper insight into your activity everywhere.


> Not to mention much deeper insight into your activity everywhere.

This is the worrisome part for me.

I still use a flip phone and don't want apps. I want a phone only.


In what sense is this passwordless?


A password is something you can remember with just your memory, a hardware token is a physical object you need to have to use (and can be lost).


So does this system not require that I set a password for my account?

Everything I have read about this approach seems to imply that passwords are still used, only perhaps not as often.

For instance, there's this quote from the article:

"Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password."


Yes, of course this protocol can't somehow prevent sites from having a password (as a last ditch backup, or for any other reason) but it's intended to be used without passwords and, if you choose and have a more capable device, even without usernames.


Well, I hope you're right that passwords are essentially remnants of previous authentication schemes and not something implicitly required by this new scheme.

I could see us ending up in a world where we need a password to access the device on which the key is stored and more passwords for account recovery and access to key backups.


I hope there’s a FOSS way to manage my FIDO2 login tokens.

As long as there’s a command-line app that I can use instead of my phone (which I will never do), I’m good with this!

I’d be willing to help develop such an app.


There are a number of FOSS solutions.

- https://github.com/google/OpenSK <- DIY solution

- https://solokeys.com/

- https://www.nitrokey.com/

The issue with any FOSS solution is that FIDO requires an attestation private key, which must be shared between a batch of at least 100,000 security keys. Using a DIY or CLI app solution (an application running on the host) will likely mean you'll be generating that private key yourself, which makes you identifiable across registrations.

Some sites (Cloudflare) may reject the use of attestation keys which are not found on the Fido Alliance Metadata Service. This precludes the use of any DIY solution.

https://fidoalliance.org/metadata/

https://support.cloudflare.com/hc/en-us/articles/44068890480...


That's so dirty. Of course the centralized control is hidden in the details. Thanks for pointing that out.


At least in the US, the 5th amendment protects against revealing our passwords to the government (and we can always go with "I forgot what it was"). I don't believe the same is true for biometrics and such, is it?


Biometrics and physical tokens are not protected


I love the convenience but this will lock people to either iOS or Android.

Next year: EU government force big tech phone OS manufacturers to enable identity portability


> I love the convenience but this will lock people to either iOS or Android.

FIDO2 is an open standard, you can use security keys or TPMs or whatever you want.


I have literally had financial institutions reject my password for being "too long" or containing "wrong special characters".

Quite recently, my bank site was having a fit and I couldn't log in, with only cryptic errors. The first line of help didn't understand a thing and wrote back to IT to find out more. Apparently if you don't hand type / PW manager autotype your password, you are a hacker now; they are actively hostile towards PW managers. Great yet incomprehensible way to push people towards bad passwords. This was at a small bank that uses third party software, also used at another small bank I use. So it will have propagated to who knows where overnight.

Now we want to get rid of passwords altogether, so phishing is as simple as [remotely] watching someone distracted unlocking their phone in the coffee shop, and there is a good chance you can get them to swipe right when they should go left. Idiocracy.


I mean, I do understand the appeal of using strong crypto over using passwords. I also understand why one would roll this out on phones first (even though phones are obviously less secure than many other ways of doing this). At its core, a model of identity would be to create a keypair for each account and require that key sign each login request.

That said, I agree with everyone's fears and frustrations with the actual real world circumstances around phones. I do not trust my phone and I don't really trust the most popular projects to make phones more secure. I suppose you could keep a separate device whose only exposure to networks is to verify access over a limited protocol - but ofc due to the baseband and other requirements you would still be vulnerable. Very frustrating.


> I also understand why one would roll this out on phones first

This is Web Authentication/FIDO 2. We've had security keys like Yubikeys to do this for years.

This is about committing to have computing devices also have the functionality of these security keys built in, to synchronize those credentials within a platform ecosystem, and to support cross-platform usage such as an android phone letting you into a site on a windows desktop browser.

The hope is that much higher user availability will cause much higher site adoption.

> At its core, a model of identity would be to create a keypair for each account and require that key sign each login request.

That is exactly how it works. Web Authentication declares a javascript API for site access, and the request and signed authentication response formats/processing.

> That said, I agree with everyone's fears and frustrations with the actual real world circumstances around phones. I do not trust my phone and I don't really trust the most popular projects to make phones more secure.

There is about eight years of hardware in the market you can use rather than your phone. In addition to security-opinionated end-users, it is expected that some portion of enterprises and governments will require a separate hardware key for employee/contractor access - and may even require specifically the one that their IT hands to the person.


> This is Web Authentication/FIDO 2. We've had security keys like Yubikeys to do this for years.

Yes - doesn't the article suggest that this would use FIDO? "According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices"

I was pointing out that this model - FIDO or some other version - does make sense. Even if the drawbacks of forcing people to use it on phones are obvious.

> There is about eight years of hardware in the market you can use rather than your phone.

If there are dedicated hardware solutions that's great! It seemed from the article like they were requiring phones - which was the source of my concern.


I am really concerned about people with disabilities with this approach, if it becomes the main way to log in, and the options are there but super painful to set. In fact, all the minorities that for some reason or another can’t or it’s too hard to use a touchscreen smartphone.


I've yet to see an answer to the elephant in the room: if your phone gets lost or bricked, what's the recovery path?


Typically you set up many devices that can be used for authentication - your android phone and windows desktop, as well as a USB key in your safe for emergency access into bank accounts and the like.

Account recovery is a pretty well-known space as well. If the person does not have any authentication mechanisms left, you can send an email link or go through identity proofing depending on your security requirements.


And then banks will decide that it's not secure having multiple devices and actively prevent you from doing that.

Right now my bank requires my phone to get a 2fa code for anything important. I can only have a single device at a time, if I lose my phone, I can of course reset it if I'm in the country and go to a branch. Of course with Covid that was difficult when I last lost my phone, so I had to download a form sign it and fax it to be able to set up my 2fa on my new phone. It took 2 weeks before I could access my bank account.


> And then banks will decide that it's not secure having multiple devices and actively prevent you from doing that.

IMHO based on current policies, it is more likely that they will have one device on your account, like a combined USB and NFC hardware authenticator, that you can request from them and becomes expected for higher security interactions like large money transfers.


If you count that as part of phone-as-password cure, that makes the cure worse than the disease, in my opinion. Now I need to maintain and regularly test a recovery path. (Much like backups, if you don't test them, you literally don't even know they work. Other device needs good working order, perhaps subject to OS patching and data loss--pay attention, or your supposed backup plan might not work at all)


In the article. Cloud rsync of FIDO state, PKCS wrapped for the security conscious.

Our fallback on passphrase held off-line, for emergency use only.


The main problem I see (based on the screenshot in the article) is that it still allows the attacker to initiate the auth flow from the outside, and the clueless user would in doubt just unlock for them. I don't see how the proposed scheme would prevent this phishing attack. It seems to be worse than the SMS 2FA part where one would at least have to enter the SMS code into some suspicious website.

My method of choice would rather have been what is established now for 2FA with time-based one-time passwords (TOTP). Here the attacker can't initiate the auth flow from the outside.


I'm already in the auth approval hell working as a consultant with multiple separate corporate customers and all the 2FA authentications needed in my daily activities. Including fun broken flows that mean I get notifications that I don't even need, because I need to use a different account...

In the end this likely only leads to training people to automatically approve anything as every little piece of software on their machines needs approval once a day or more often at worst...


I think that for the cases where you're authenticating on one device in order to allow access on another device, this is done by bluetooth communication between the devices, and as a result you have to be within bluetooth range of the auth device to initiate the auth flow.


Thanks, if that's the case it's at least an improvement.


I commented on another thread about this FIDO thing. I really don't get what benefit this has for me.

I use keepassxc, so I'm not reusing passwords. I'm currently forced to use less secure SMS OTPs for some sites because they won't allow me to use TOTP in keepassxc.

Now I'm expected to tie everything to one device that could be easily lost, stolen, or damaged, and back up my secure key to some random cloud store just in case that happens?? Cloud storage in control of companies that at a whim could lock you out.

I don't think so.


To describe security benefits, we use threat modeling. If there's a threat that's prevented by system A but not by system B, and all threats prevented by B are covered by A, then A is colloquially "more secure" than B.

Here are some threats that are prevented by FIDO and not by TOTP:

- An attacker compromises DNS infrastructure and makes a web page that looks 100% identical to the one you're expecting, hosted on the same URL. They wait for you to log in and use the TOTP you send to authenticate to the real site's servers as you. FIDO prevents this threat (phishing via MITM) entirely, TOTP provides little protection. KeepassXC if you don't use your clipboard to paste TOTPs provides limited protection but the matching is DNS-based, not cryptographic like FIDO is.

- A hacker compromises your computer while it's on and keepassxc is unlocked. With keepassxc TOTPs, they now have your TOTP secret and can impersonate you at any point in the future. With FIDO on a separate non-key-extractable token, they haven't gained anything. Sites can verify that the FIDO authenticator you're using disallows key extraction as part of the protocol, and can even blacklist known-compromised second factors without your intervention.

- A hacker is able to guess exactly 1,000,000 passwords in one minute. They have stolen your password but don't have your TOTP secret. They guess the TOTP using their ability within 999,999 attempts, since that's all TOTP with its default six-digit generator provides. With FIDO, the secret is 128 bits, and they'd be guessing for thousands of years.

I'm not saying FIDO/U2F is "better" than TOTP. They're just different. But you, as a security-conscious user, do get concrete advantages (in the form of protection against particular threats) using a FIDO credential over using TOTP.

Additionally, FIDO doesn't require storing a secret key per site; TOTP does.


Ok I can see some points there, though I don't store TOTP in the same place as my passwords.

Can you potentially be tracked across the internet with your single public key in the FIDO system? If my understanding is correct you have a private key no one knows and you provide the public key to authenticate yourself. If you only have one private key and one public key, surely you open yourself up to tracking/privacy related stuff? I might be wrong due to my ignorance.


No, each web site has its own public/private key pair, they're just derived from the same original seed (plus scoping information like the user and site IDs). You can't determine if two different users are using the same identifier, although you can determine if they're using hardware tokens from the same manufacturer and batch. U2F's mechanism to check the token is from a "safe" manufacturer provides some information about the token, but not its exact serial number or other unique ID.


I'd be a bit worried about this from a digital hygiene standpoint: the default device for storing your passkey will be your phone, and every unlock is temptation to get sucked into the world of notifications and social apps.

Fortunately it looks like security keys such as https://cloud.google.com/titan-security-key can be used instead.


It's really, really bad digital hygiene to use social media apps – anything with "doom scrolling" – on the phone at all. I don't think most people agree with that, but if you eliminate all such things on your phone, it can be no problem to open a phone and use it.

I don't check email on my phone, unless I absolutely have to. I don't have any social media on it except for signal. I don't open the web browser. My phone is mostly used for maps, reading books, and video chatting.

I look forward to a world where people genuinely view social apps and related addictive software the way we do harmful drugs. Something to be avoided, and if you can't avoid them, there should be pressure to seek help.


I would hope that this is not made to be the only login option. More and more it seems that you can't go through life without a smartphone.


Of course, you already are if you use a password manager. (ADDED: As noted elsewhere, password managers can also be accessed from other devices so not the same.)

I agree with your basic point though. Smartphones are the default for doing more and more things. And when traveling, I try to have reasonable backups for maps, itineraries, etc. But I'm hardly religious about it and my phone breaking or getting lost/stolen when traveling would be a major hassle.


I've been waiting +25 years for this.

But I don't want my phone to serve as my "root" authority. I'd rather have a separate pair of fobs used to seed all my other devices. Then put one of those fobs somewhere safe.

When the USA finally gets smart and implements postal banking, I'd love for the USPS to offer safe boxes. Maybe even other fob related services. Kinda like a notary public, but for credentials.

--

Late 90s, shortly after W3C's P3 failed to catch on, a buddy and I cobbled together an SSO POC for browsers. Our catchy name was "Credendity", a failed portmanteau evoking credentials and identity. One of our core motivators was "faceted identity", negotiated per account, to only share partial PII, to thwart data aggregators. So naive; big data deanon always wins.

Our POC was just turrible. Embarrassing. Ditto every SSO implementation I've used since, whether standards-based, vendor, or bespoke. In hindsight, it's too bad our sense of integrity and esthetics prompted us to abandon our effort.


I have lost my phone 3 times and countless times I needed to login and my phone battery had just died. Also I don't want to safeguard my phone like my life depends on it. Imagine cops get your phone and boom 99% access to everything you have got online.


This would have an interesting potential to cut down on password sharing for subscription services like Netflix, Amazon prime, etc.

I think it would be more annoying to call a friend to confirm an authentication on their phone than it is to write down a text password.


Or an EX-friend or partner.


I feel happy sad, in 2017 I applied to YC with this idea, and got rejected. I even called it exactly what they are calling it, multipass. I solved the problem of losing your phone. I also had it where you can have multi factor if you wanted, so you can still use your password, which makes sense for more secure sites. I experimented with NFC rings where you could have a ring and your phone so if someone takes your phone away from you, they won't be able to use your phone. All the big corps trying to do this want to lock you into their ecosystem, this is a problem that should be solved by an org that has no other products to sell but security.


My government required everyone to carry a cell phone to enter any store.

The app had both location and Bluetooth tracking; when they uploaded your Bluetooth data they downloaded everything and then did the filtering on the server.

Then they can say your data is stored on your device, we only access it for a specific location, but they do the filtering on the server side..

The app had a QR code using an auth protocol relating to the future of digital identity; I forget the name, DAT from memory.

The token has your plain text name, DOB for anyone to see, ask for, require on entry.

Last time I checked 60% of people still have it installed collecting Bluetooth data of other people with that app.

The point is your phone is going to replace more than your passwords.


Can someone explain to me how this is a better approach than, say, a password manager and TOTP 2FA?

I can think of a few downsides: 1) in the US at least, being compelled to provide biometric identification for all accounts, 2) single hardware device point of failure, on top of that being the most often lost, stolen or damaged hardware device. And all the benefits I can see with it are already served by password managers and TOTP, which the manufacturers can just ship by default if they want to, the tools are there already. And I can back it up in whatever way I choose, securely.

So what's the upside?


What happens when your phone is lost, broken or stolen, or the app bugs out? You are SOL? There are utopian theories. And I've watched enough hunger games to know this will only end with someone breathing poison.


Wonder what this means for those folks who find smartphones too confusing and difficult to use. I have a couple of friends in their late 70's who simply can't use them; I fear they will be left behind.


To some extent, they are probably already being left behind; it’s just that it’s a more gradual thing than if a smartphone becomes a hard blocker to something that’s essential in life.


Nope. 2FA is already terrible enough and does not provide any meaningful security that can’t be provided conventionally. Making it become “only FA” eg password-less is an unimaginably disastrous idea.


Is there an option for those of us who do not have a mobile phone?


Does anyone else think it's crazy that in order to participate in modern life you have to have an account with one of two massive American companies - Google or Apple.


No, because this is simply not true. I am not sure what "participate in modern life" means for you, but I have no personal Apple devices, so no Apple account for me; and I use Fastmail as my primary email.

Granted, there are some groups which use Google Docs or such to coordinate, so I still have to have a Google account, but this is somewhat optional. And Google Play is pretty nice if you have a cellphone -- but on the older Android tablets I keep them account-less and use F-droid/random APKs from the web instead.

A much more concerning thing IMHO is a Facebook requirement -- I am missing a number of events when I tell people I don't use Facebook. Hopefully it will change one day, but I am not holding my breath.

(And re the original article, you only need Google/Apple account if you want to use cloud sync. I am not quite sure how the system will work, but I suspect that with Android, you might either have alternative clouds (like Samsung's cloud), or may be able to use your own service, or sync via wired cable to PC)


>I am not sure what "participate in modern life" means for you...

Probably things like needing a (google/apple) smartphone for mandated vaccine passports / coming digital ID's, digital currency etc.


All these claims about how FIDO prevents phishing seem very suspect to me. AFAICT the phishing protection is specific to U2F, which is only one of many interrelated (and IMO very poorly described) FIDO specs. Absent U2F, it seems like most forms of phishing are still entirely possible. Am I missing something? Is the operative definition of "phishing" much more limited than how a normal person would interpret it?


I mean, FIDO itself doesn't care about the web, and so doesn't care about phishing. But, in the context of the web you'd use WebAuthn, which replaced U2F (because it's an actual W3C standard with multiple implementations) and yes that's protected from phishing.

Specifically, FIDO binds credentials to a "Relying Party ID". For WebAuthn that's effectively the DNS name of your server, which is why it's protected from phishing.

The W3C publishes the entire WebAuthn spec. so if you care you can read it and see how it works.

If you're using FIDO in some other context (e.g. smartphone apps can do this via Android or iOS APIs) your RPID is based on that context, so e.g. the real Hacker News Android phone app (if such a thing existed) can't be impersonated by a dozen third party knock-off "Hack-a-News" and "News for Hackers" apps.


I need to get past the press releases and read up, but is this using my phone to authenticate to an IdP (i.e. Google) who then OKs me with the relying party (example.com), or am I directly signing up with example.com (i.e. my phone has a key pair in its secure enclave for Google only, or for hundreds of sites I visit)?

(from memory this will need much bigger storage in the secure enclaves - thousands of accounts is quite feasible)


You sign up directly with the relying party and are authenticating to a hardware device which then OKs you to the relying party. Each relying party gets a different public key. The corresponding private keys can be stored inside the secure enclave (this setup is called resident keys), or they can be stored in a "key handle" that the relying party stores and provides every time you attempt a login. The key handle would contain the service-specific private key encrypted with a key held inside the secure enclave.


I have not heard of this key handle before - is there any docs on it?

Oh wait, example.com sends me a encrypted key, that I decrypt and then use? That sounds ... odd.

I mean, why not just keep the same encrypted data on my local phone ? The attack surface seems much smaller.


The U2F spec

https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...

has a clear description in the "Allowing for Inexpensive U2F Devices" section.

For WebAuthn, they don't use key handle terminology anymore, but the same functionality is provided by the "Credential ID":

https://www.w3.org/TR/webauthn-2/#credential-id


Like the acquired/abandoned https://github.com/kryptco/kr with iOS and Android apps all under an "All Rights Reserved"-source license?

> SSH auth + Git commit/tag signing using a key stored [on your device]

> turns your [...] device into a WebAuthn/U2F Authenticator


This is an awfully complicated way to force people to stop using the same crappy password on every website.


I know this is far from the main discussion, and that it's something that happens all the time, but I can't help feeling offended that this is called FIDO, which name-clashes with a part of pre-internet history, FidoNet.


So a remotely controlled device built primarily for surveillance of the end user is going to have access to all your passwords. Wonderful idea.


My 89 year old mother can deal with a printed sheet of her passwords but can’t deal with the complications of a smartphone.


I had two phones fail in quick succession and I nearly lost all my MFA. This is not the way to move forward.


Is this tied to the phone or to the phone number. This makes a difference if the phone dies or gets lost.


How does this work for people who primarily use old-style desktop computers, and several of them at that?


You can always use a hardware key like a Yubikey.

The additional options discussed in this article are to:

1. Use a platform feature to have the TPM or Secure Enclave in the device itself work as an authenticator, as an alternative to a hardware dongle.

2. Synchronize across devices within an ecosystem (e.g. all Apple devices) using a mechanism on top of the platform account (aka Apple ID + iCloud Keychain).

3. Allow a phone to be used to authenticate to a desktop, even across ecosystems.

The previous way would be to use a hardware key like a YubiKey. If your platform supports #1, most sites _should_ support user management of a set of appropriate authentication mechanisms, and may even prompt on a Windows desktop: "would you like to use Windows Hello to sign in more quickly in the future?"

A version of Windows with support for #2 might let you instead have that credential added to every Windows desktop or laptop on your account.

Due to the variability of Linux, my suspicion is that each browser will fill some of the gaps there as well.


Thanks for the reply. I work both at home and at the office and I have separate workstations I keep synced. I also have a personal desktop computer and a travel work laptop. A dongle sucks because I'd always be having to move between computers, and it's guaranteed I'll forget it in one place while I'm at another. The different computers run different OSes, so I can't do a universal sync like with Apple. So I need to get creds on each computer in a way that it's secure and cannot be erased if I clear browser storage (unless I want that).


A fan of this idea at all, because I am likely to end up with a phone used just as a physical key.


Oh that's cool. Something that's super easy to steal and to coerce access to.


Just say you wish everyone was required to be chipped at birth with a NFC private key, Big Tech. I'm only being half sarcastic. There's a lot of outlandish conspiracies around this idea, but I think we all know it's heading in that direction, unless we continually reject it.


Let him that hath understanding count the number of the beast.


I, for one, want the chip in my hand rather than my forehead.

It is so much less humiliating to put my hand on the sensor than when I have to touch my head to the cash register each time I want to pay for something.


Don't see this direction at all, given you can do all this stuff using a $20 Android phone with no plan that you got from eBay.


Many of the replies here are "but what if I lose my phone|my battery dies|my phone is destroyed?" and they are all valid concerns. The next logical improvement to this is an authN device that cannot be lost, forgotten, or easily destroyed. One that is even more secure than biometrics.


I'll move onto my boat before I buy another Goddamned smartphone.


So back to single-factor then?


Nope.

My phone number is no longer up for grabs.

Grab something else.


FIDO needs to improve their communications and marketing if they hope to gain adoption, if they can't even get to the HN crowd. TFA also gets passwordless wrong; see: "As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”)". But that is not passwordless as either FIDO or ZDNet describe it, it's simply OpenID Connect.

The announcement is specifically about FIDO2 adding support for two additional things:

1) The ability to share FIDO credentials between multiple devices. Previously, it was implied and alluded to, but never stated outright, that credentials would be bound to an authenticator, like a MacBook's Secure Enclave, which FIDO calls a platform authenticator, or a Yubikey, which FIDO calls a roaming authenticator. Now there's explicit support for multi-device credentials. Apple recently added this feature in what it calls "Passkeys", a name that other vendors (but not FIDO) seem to be adopting too. This is net positive. Losing a device that was bound to a credential meant that the credential was lost forever. Now, as long as the credential resides in at least one device the user has access to, there's no recovery flow needed. Note that the vendor providing syncing services for these credentials does not have access to them. See https://support.apple.com/guide/security/secure-keychain-syn... for an example implementation.

2) Expanded ability and commitment from vendors to use a roaming authenticator over Bluetooth Low Energy (this is already in the standard). And in particular, the ability to use a phone's platform authenticator as a roaming authenticator in a different device. This does not mean, as TFA implies, that you'll need a phone to sign in to services. Rather, it means that for services that allow or require FIDO credentials to sign in, a phone is now an additional option to present those credentials. You can still use a Yubikey, TouchID or any other way you interact with your existing TPM.

I understand that people are concerned about new authentication standards backed by big corporations who have a history of locking users out of their platforms and services, but the current state of secure login is dire. FIDO2 is an incredibly well designed set of protocols to prevent phishing, credential reuse, and several common causes for account compromise. It was clearly designed with that in mind, at the expense of usability. These are notable and incremental improvements to enhance the usability of a standard that is head and shoulders better than existing alternatives like passwords, but still has some ways to go in terms of functionality. Personally, I'm very excited about FIDO and WebAuthn, and some of the improvements I'd like to see in the coming months are:

a) The ability to share passkeys across vendors, including the ability to implement a "sync fabric" as some folks in the WebAuthn working group have called it, so it's interoperable beyond the major vendors.

b) For these vendors to strengthen their own log in experience. Apple only allows their own TOTP implementation and SMS fallback to authenticate to iCloud. I'd like to use WebAuthn exclusively here, so I could back up access to my now-precious Keychain that holds all my FIDO credentials with a YubiKey.

c) A better story about backing up security keys. Implementing a) would give us that. Devices that can be initialized with a given seed like some common hardware crypto wallets would give us that, albeit not without introducing changes to the threat model -- you have to store the seed and input it somehow -- and https://www.yubico.com/blog/yubico-proposes-webauthn-protoco... would give us that as well.

d) A better story for usernameless. The current methodology to have a user initiate a usernameless login and pick the right credential is a UX mess, and I don't believe I have actually seen it implemented in a production site. I'd love to be shown an example!


The Israelis will enjoy it.


Oh great - part of what I do is RF design, I work in a Faraday cage.


Will the EU allow it?


no thanks, my nonexistent phone can't replace my existent passwords


When I first heard about FIDO, I thought it'd be a standard that a password manager can take advantage of, where they can identify me using my phone, then autofill my credentials. Maybe not very practical. But when I learned that the purpose of FIDO was to replace passwords and rely on a tech giant to allow/deny me access to my online accounts, I was disappointed. No thank you.

