Slashdot Mirror


Windows 10 Update Will Support More Password-Free Logins (engadget.com)

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.


  1. Something you have and something you know by Hasaf · · Score: 3, Informative

    From the summary it looks like they are reverting to only using something you have, which is, normally, a lower level of security.

    1. Re:Something you have and something you know by gravewax · · Score: 4, Interesting

      For the average home user that reuses passwords with names and birthdays or simple repeated phrases, it is a massive security improvement. For someone that understands the consequences of bad password management, password strength and reuse, it is a decrease. The reality is that for decades we have all tried to teach password health and for decades users have failed to learn. Not sure if it is us IT people to blame or the users; either way, it means passwords are very, very weak security for a large percentage of the population.

    2. Re:Something you have and something you know by DontBeAMoran · · Score: 2

      Computers are to blame. What used to be good enough is now easy to bypass because of increasing computer power. You think your random 64-character password is safe? Wait until quantum computers become commonplace.

      --
      #DeleteFacebook
    3. Re:Something you have and something you know by Anonymous Coward · · Score: 5, Informative

      You think your random 64-character password is safe?

      Not just the number of random characters... I've recently found a few websites that ignore password case altogether so it would be even easier to brute force a password now than it should be. I would hope that they look for brute force attacks but since they go so far as to ignore password case I wouldn't be so sure.

      I'm looking at you americanexpress.com

    4. Re:Something you have and something you know by taustin · · Score: 2, Funny

      Because you like licking your computer? You don't know who else has licked it, you know. It's like you're licking everyone who has ever used that computer.

      I'm gonna go set up a Kickstarter for tongue condoms. I'll be rich!

    5. Re:Something you have and something you know by Calydor · · Score: 2

      It's neither the users nor the IT people. The IT people taught the lesson, many users learned it.

      The thing is that typing a STRONG password with seemingly random lower and upper case characters, numbers, and signs, all while effectively blindfolded, is hard. Do it wrong a couple of times? Congrats, now you're locked out. Oh, and you have to do it a dozen or more times a day.

      Is it any wonder people settle for a good-enough password that they can easily remember and actually feel if they're typing it wrong, e.g. the name of a pet?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    6. Re:Something you have and something you know by skids · · Score: 2

      If your system is using the right algorithms, your random 64-bit character password should be as safe as a random 32-bit password was pre-quantum. Quantum computers have theoretical limits.

    7. Re: Something you have and something you know by Anonymous Coward · · Score: 2, Funny

      Yes, but some sites like Slashdot are better. Passwords typed out in the comments section are starred out, for example: My password is ************.

    8. Re: Something you have and something you know by Junta · · Score: 3, Funny

      you can go hunter2 my hunter2-ing hunter2

      Even the name is relevant.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re: Something you have and something you know by DontBeAMoran · · Score: 2
      --
      #DeleteFacebook
  2. Oh... by the_skywise · · Score: 2

    We've rediscovered java rings I see...
    https://www.javaworld.com/arti...

  3. Remember, kiddies! by Locke2005 · · Score: 2, Funny

    OTHER parts of your anatomy can also be used for "fingerprint" login! (Unless you are Trump, in which case your "Little Donny" is far too small!)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  4. Re:So... by dog77 · · Score: 2

    What is new is that many companies got together and created a standard protocol for general purpose authentication. If adopted, it will allow the authentication to happen where the user decides it is convenient and safe (e.g. secure password manager device). Right now, the general state of things is that authentication typically takes place in the application and in a manner that the application decides. You have to trust that the application was designed in a safe manner and that it will not leak your secrets. Think of this as what the SSL standard did for encrypted communications. SSL makes it easy for an application to do encrypted communications in a secure manner. FIDO makes it easy for an application to do authentication in a secure manner.

  5. Re: What is safer by c6gunner · · Score: 2

    How about a duress password/etc that loads in "fake/misleading data" mode? You could have eg a drive with two encrypted partitions, password silently selects which one gets loaded, other one remains hidden (and encrypted).

    Congrats, you just described TrueCrypt.