Slashdot Mirror


Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives the Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

132 comments

  1. Another dead Firefox release. by Anonymous Coward · · Score: 0

    I already declared the death of Firefox with the release of version 57, and now they are sinking the lifeboats with version 60 replacing the last usable ESR. This will now leave Windows XP which still has 10% market share in China without an updated browser, which means developers will have to make the choice of either sacrificing 10% of their revenue or risk security holes to get that revenue. There is hope for XUL though thanks to the work on Basilisk and Waterfox, plus NPAPI plugins will be supported on these browsers so legacy web apps will continue to work. I will not be attending Firefox's funeral, as Mo$illa decided to put adverts on its gravestone.

    1. Re:Another dead Firefox release. by I4ko · · Score: 1

      First, developers do not care about client side security issues, the developers will get their revenue or not, as long as they do not put functions server side that require something that the browser does not support.
      Second, how much revenue can people who are still running XP produce for a website? Even in China, XP machines are hand-me-downs; they are consumption devices, not devices for purchases.

    2. Re:Another dead Firefox release. by fluffernutter · · Score: 5, Insightful

      I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    3. Re:Another dead Firefox release. by Order_66 · · Score: 1

      I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.

      Slimjet is a good chromium based alternative browser.

    4. Re:Another dead Firefox release. by DarkRookie · · Score: 0

      IE is not dead. It just changed its name to Edge.

      --
      The millennial that doesn't like most of the stuff designed for millennials.
    5. Re:Another dead Firefox release. by Anonymous Coward · · Score: 0

      I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow.

      I'm confused. Safari has not been supported on Windows since around 2012. Or are you jumping around between platforms with this browser comparison?

    6. Re:Another dead Firefox release. by fluffernutter · · Score: 1

      I have a mac and was trying to be thorough.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    7. Re:Another dead Firefox release. by rojash · · Score: 1

      Try Vivaldi

    8. Re:Another dead Firefox release. by Anonymous Coward · · Score: 0

      I already declared [slashdot.org] the death of Firefox with the release of version 57

      Pompous or what?

      I've just declared *you* dead as of now. I'm sure that will be just as effective as your self-important declaration.

      BTW I was on the verge of abandoning FF due to performance issues (on my crappy 10-year old Dell), until V57 came out and it was like having a new PC. Lots of similar reports around.

  2. AI by 110010001000 · · Score: 0

    I think with all this new AI stuff that was invented we would have something better than typing in a string to authenticate a user. Aren't computers intelligent?

    1. Re:AI by plopez · · Score: 1

      All this AI stuff is just marketing buzz words.

      --
      putting the 'B' in LGBTQ+
    2. Re:AI by Anonymous Coward · · Score: 0

      Maybe AI can help you come up with something new to post in every thread.

    3. Re: AI by Anonymous Coward · · Score: 0

      Jdhvdheuehdjshudhcsgjieuueyrhrv vzbkejbrbee!

    4. Re:AI by Anonymous Coward · · Score: 0

      What about the ball-less? Why do you discriminate so?

  3. Time Saver by Anonymous Coward · · Score: 0

    The more sites require you to login with a system like this, the less time I'll waste online.

    1. Re:Time Saver by DarkRookie · · Score: 1

      Honestly, if it requires an account you must sign up for that pretty much turns me off of a service.

      --
      The millennial that doesn't like most of the stuff designed for millennials.
    2. Re: Time Saver by Anonymous Coward · · Score: 0

      Same here. I don't sign up for any accounts anymore. I have my bank and my email hosting - that's it.

    3. Re:Time Saver by Anonymous Coward · · Score: 0

      by DarkRookie [Emphasis added] ( 5030953 ) on Wednesday May 09, 2018 @03:56PM (#56583324)
      Honestly, if it requires an account you must sign up for that pretty much turns me off of a service

      So, tell me how you get that nice username without signing up first???

    4. Re: Time Saver by Archangel+Michael · · Score: 4, Interesting

      I create new EMAIL for every account I have to sign up for.

      My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for fad of the years and stupid shit, and I know who sells my shit to who, and none of those gets my business again.

      It is actually empowering taking control.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:Time Saver by DarkRookie · · Score: 1

      ...pretty much...

      It's not all the time. I will still sign up for some things. Just most of the time. That's what pretty much means.

      --
      The millennial that doesn't like most of the stuff designed for millennials.
    6. Re: Time Saver by Anonymous Coward · · Score: 0

      That's a neat idea, to see who's giving out your email address.
      Have you found any popular sites that do it a lot?

    7. Re: Time Saver by jetkust · · Score: 1

      How are you getting all these email accounts that aren't tied together?

    8. Re: Time Saver by Anonymous Coward · · Score: 0

      I would guess he's making a new user@ for each website he signs up for, all with his same domain name.

    9. Re: Time Saver by fahrbot-bot · · Score: 2

      My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix).

      You know that 2-digit pattern is going to bite you come y3k.

      --
      It must have been something you assimilated. . . .
    10. Re: Time Saver by Anonymous Coward · · Score: 0

      As long as the address does not exceed 255 characters counting above 99 will not cause any issues at all. The system should outlive the universe!

    11. Re: Time Saver by sexconker · · Score: 1

      You mean y21c.

    12. Re: Time Saver by Anonymous Coward · · Score: 0

      Wouldn't it just be easier to use a disposable email service like spamgourmet instead?

    13. Re: Time Saver by DontBeAMoran · · Score: 1

      You know about email aliases, right?

      --
      #DeleteFacebook
    14. Re: Time Saver by Anonymous Coward · · Score: 0

      I create new EMAIL for every account I have to sign up for.

      I don't even want people/sites to know my domain name. So, my own server email is used only for... messages.

      CAP: miseries

    15. Re: Time Saver by ewibble · · Score: 2

      If you own a domain you can do it easily, I would also think it is possible to register for a service where you own a subdomain. e.g. mydomain.subdomainservice.com

      They can all be directed to 1 email address and you can just filter out any that you don't want

    16. Re: Time Saver by omnichad · · Score: 1

      Y2.1K?

    17. Re: Time Saver by Anonymous Coward · · Score: 0

      I create new EMAIL for every account I have to sign up for.

      My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for fad of the years and stupid shit, and I know who sells my shit to who, and none of those gets my business again.

      It is actually empowering taking control.

      I do something similar.
      I use email aliases like "MyAccount+Netflix_2016@domain.com", which means all the emails end up in the same inbox for easy filtering. I also switch between 3 different domains I own, each of which is mapped to a folder in my email client.

      My only concern with this approach is if the platform I register on detects email aliases and sends marketing emails to the base address (without "+Netflix_2016")

    18. Re: Time Saver by Cederic · · Score: 1

      We should start this debate now, so that by the time it starts to matter in 2096 or so the main arguments are refined, well understood and people can skip straight to the flaming.

    19. Re: Time Saver by Archangel+Michael · · Score: 1

      I do. I actually use them on occasion ;)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    20. Re: Time Saver by Archangel+Michael · · Score: 1

      the +Netflix_2016 bit isn't quite an alias. Technically it is ignored by the Email Server for the domain. It acts like an alias however. A real alias is a full email address that is delivered to another primary email box. The former can be removed in transit, as you indicated, a true alias cannot.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    21. Re: Time Saver by Archangel+Michael · · Score: 1

      outlook.com
      yahoo.com
      gmail.com
      mail.com

      Mail.com has a number of other domain names you can use.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    22. Re: Time Saver by Archangel+Michael · · Score: 1

      LOL, Gawd I hope so!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    23. Re: Time Saver by hoggoth · · Score: 1

      I do the same. I was surprised and disappointed to find out my online stock trading account was selling my info to the most spammers out of all my accounts. Security? lol...

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    24. Re: Time Saver by Optic7 · · Score: 1

      I do something similar, but with my own domain, using the domain name where I'm registering in the part before the @. No need to create a new mailbox or forwarder for each site, as it's a global forwarder. You can be more selective in the forwarding by requiring a specific string as part of the address in order to forward, so you don't get messages sent to random addresses in your domain.

      It would end up something like this (obviously much shorter - this is just for explanation): DomainNameWhereI'mRegistering.com.customstring@myowndomain.com

      You can do this either if you have domain hosting that also offers email forwarding, or I believe that there are also dedicated email forwarding services dedicated to this kind of use. I've done this for several years (through a website hosting service) and have caught a few major domains that either sold my email address or had their customer data hacked:

      dropbox.com
      adobe.com (known to have customer data exfiltrated)
      equifax.com (back in 2011, years before their big security meltdown a couple of years ago)
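The two per-site address schemes discussed in this thread (the `+tag` sub-address that lands in one inbox, and the `site.customstring@myowndomain` catch-all that only forwards when a secret suffix is present) can both be handled by a small routing filter. The following is an added example, not code from any commenter: the domain names, the `customstring` secret and the sample messages are constructed for illustration, and the filter runs offline under Node.js with no dependencies.

```javascript
// Added illustration of the per-site address schemes from the thread. Sample
// domains, the forward secret and the messages below are constructed, not real.

const PLUS_ADDRESS = /^([^+@]+)\+([^@]+)@([^@]+)$/; // local+tag@domain (RFC 5233 style)
const CATCHALL_DOMAIN = 'myowndomain.example';     // constructed: the poster's own domain
const FORWARD_SECRET = 'customstring';             // constructed: required suffix for catch-all mail

// Works out which site an address was handed to, or why it should be dropped.
function classifyRecipient(rcpt) {
  const addr = rcpt.trim();
  const plus = PLUS_ADDRESS.exec(addr);
  if (plus) {
    // "MyAccount+Netflix_2016@domain" -> site Netflix, signed up in 2016
    const [site, year] = plus[2].split('_');
    return { action: 'forward', site, year: year || null, scheme: 'plus-tag' };
  }
  const at = addr.lastIndexOf('@');
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1).toLowerCase();
  if (domain === CATCHALL_DOMAIN) {
    // "dropbox.com.customstring@myowndomain" -> forward only when the secret suffix is present,
    // so dictionary probes against random local parts are silently dropped.
    const suffix = '.' + FORWARD_SECRET;
    if (!local.toLowerCase().endsWith(suffix)) {
      return { action: 'drop', reason: 'no forward secret', scheme: 'catch-all' };
    }
    return { action: 'forward', site: local.slice(0, -suffix.length), year: null, scheme: 'catch-all' };
  }
  // Plain base address: nothing to attribute (the case where a site stripped the +tag).
  return { action: 'forward', site: null, year: null, scheme: 'base' };
}

// Compares the sender's domain with the site the address was given to; a
// mismatch means that site leaked (sold, or lost) the address.
function auditMessage(msg) {
  const r = classifyRecipient(msg.to);
  if (r.action === 'drop') return { ...r, to: msg.to, leakedBy: null };
  const fromDomain = msg.from.slice(msg.from.lastIndexOf('@') + 1).toLowerCase();
  let leakedBy = null;
  if (r.site !== null) {
    const expected = r.site.toLowerCase();
    const matches = fromDomain === expected
      || fromDomain.endsWith('.' + expected)
      || fromDomain.split('.').includes(expected);
    if (!matches) leakedBy = r.site;
  }
  return { ...r, to: msg.to, leakedBy };
}

// Constructed sample traffic covering the cases raised in the thread.
const SAMPLE_MESSAGES = [
  { from: 'info@mail.netflix.com', to: 'MyAccount+Netflix_2016@domain.example' },
  { from: 'deals@randomspam.example', to: 'MyAccount+Netflix_2016@domain.example' },
  { from: 'deals@randomspam.example', to: 'MyAccount@domain.example' },          // +tag stripped: untraceable
  { from: 'no-reply@notify.dropbox.com', to: 'dropbox.com.customstring@myowndomain.example' },
  { from: 'offers@randomspam.example', to: 'dropbox.com.customstring@myowndomain.example' },
  { from: 'scan@randomspam.example', to: 'sales@myowndomain.example' },         // probe without the secret
];

function auditAll(messages = SAMPLE_MESSAGES) {
  return messages.map(auditMessage);
}

// Distinct sites whose address received mail from an unrelated sender.
function leakingSites(messages = SAMPLE_MESSAGES) {
  return [...new Set(auditAll(messages).map((r) => r.leakedBy).filter(Boolean))];
}
```

Run `leakingSites()` to get the sites that handed the address on; the third sample message shows the limitation Archangel+Michael raised: once a site strips the `+` part and mails the base address, the filter has nothing left to attribute.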

  4. Long term: Bad for the web by Anonymous Coward · · Score: 5, Insightful

    While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,

    1. Re:Long term: Bad for the web by darkain · · Score: 1

      "rather than something in our possession" - that is EXACTLY what a Yubikey is though, a physical device that you possess, and can have multiple types authentication credentials stored on it.

    2. Re: Long term: Bad for the web by Anonymous Coward · · Score: 0

      I'd rather store important things in my brain. I wont be participating, fruitcakes.

    3. Re:Long term: Bad for the web by Anonymous Coward · · Score: 0

      Tokens are not a problem as long as no identity (even device serial numbers) can persist across sites. However, we do not want to enable a future where problematic identity tokens proliferate. Standardizing an API for token use is a necessary precondition for legislative or market action. Nobody will force these down our throats if there is no standard or widely accepted way to do so. We want market fragmentation, platform/application specific setups, custom drivers, competing standards, etc. You can bet that an anti-privacy politician will come along as soon as it becomes easy enough for every little old lady to use.

    4. Re: Long term: Bad for the web by Anonymous Coward · · Score: 0

      Wait until you need one to file your taxes or sign on to a regulated bank. After they become common, how many other sites will require one? Will credit card issuers push merchants to integrate through lower payment rates or hard platform requirements? Will news sites ban anonymous commentary to cut down on moderation costs and discourage lawsuits? Will social networks use these to authenticate people, and enable all that data exchange now making the news? People need to look at the long game. We are fighting against people who do not believe privacy is a human right. They are waiting for the day they can make this compulsory, rather than an optional convenience.

    5. Re: Long term: Bad for the web by Anonymous Coward · · Score: 0

      It's a lot like requiring all sites to be https. That way they'll be able to control who is allowed to have a website.
      It's also like digital radio, which is a plot to make all things require a subscription from a known user.

    6. Re:Long term: Bad for the web by Archangel+Michael · · Score: 1

      I prefer my identity to be proven by a few factors, not just easily spoofed, guessed at, or things possessed.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re:Long term: Bad for the web by arth1 · · Score: 1

      The problem is that "something you know" makes a reasonable assurance of intent to authorize. "Something you have" or "someone you are" does not, and opens up for abuse, perhaps especially from those in power.

    8. Re:Long term: Bad for the web by darkain · · Score: 1

      I'll just assume you've never actually USED a Yubikey then? Because it isn't easily spoofed or guessed. Plus to use certain modes on it, they're protected by pin codes, making the device itself require two factors (something you have and something you know).

    9. Re:Long term: Bad for the web by I4ko · · Score: 1

      There are no yubi models protected by pin. None of them has a physical keypad. I actually have several.

    10. Re:Long term: Bad for the web by darkain · · Score: 2

      Source: https://developers.yubico.com/...
      This is something I use on a daily basis. It does indeed exist.

    11. Re: Long term: Bad for the web by Anonymous Coward · · Score: 0

      Digital radio is a plot? No.

      There are many commercial-free, donation supported Internet radio stations out there which you are free to listen to even if you never donate a single dime to them. Some even have .pls and .m3u files so you don't need a browser to listen. I prefer Kohina, Party107 and about half the channels on SomaFM.

      You are also making no sense regarding HTTPS. Anyone can get an SSL certificate for free these days, it's not like before where you needed to pay a certificate authority. Did you just step through a time warp or something? Check the year.

    12. Re: Long term: Bad for the web by Anonymous Coward · · Score: 0

      Digital radio is a plot? No.

      There are many commercial-free, donation supported Internet radio stations out there which you are free to listen to even if you never donate a single dime to them. Some even have .pls and .m3u files so you don't need a browser to listen. I prefer Kohina, Party107 and about half the channels on SomaFM.

      You are also making no sense regarding HTTPS. Anyone can get an SSL certificate for free these days, it's not like before where you needed to pay a certificate authority. Did you just step through a time warp or something? Check the year.

      It's only free for now.
      Anyone can get an ssl cert for free, until you are disallowed- it will come.
      Digital sucks balls.

    13. Re:Long term: Bad for the web by Anonymous Coward · · Score: 0

      I just wanted to say that at least someone out there groks your concern and agrees. Even if "secure", these mechanisms chip away at anonymity and valid use of pseudonyms if they establish a culture of always-present secure tokens and constant reauthentication which eventually allows trojan attacks and other dark patterns.

      Things like 2-factor authentication are most secure when you hardly ever do it, and treat it like an elaborate ceremony. They become less protective when you have to do them every time you scratch your nose, and eventually you live in an ambient authentication space.

      Even if I have authenticated to an employer, bank, or government website using my secure citizen consumer ID, that doesn't mean I want to authenticate every time I visit that site. And it certainly doesn't mean I want to use the same identity across these and across other less significant websites. I am going to be wary of these new browser features as I am less than confident that they understand and honor my desire to remain in control.

    14. Re: Long term: Bad for the web by omnichad · · Score: 1

      Digital radio requires a proprietary receiver--that's all. Whether that's DAB+ globally or HD Radio (NRSC-5-D) in the US, there is no subscription or identity required. Satellite service is different, of course, but that's true of TV broadcasts (also digital) too.

    15. Re:Long term: Bad for the web by hoggoth · · Score: 1

      Yubikey is fantastic. Your identifying private keys are stored inside a secure hardware module inside the Yubikey. The login process sends a random challenge to the Yubikey, the Yubikey replies by signing the challenge with your private encryption key. The login process verifies the signed reply against your stored public key.

      At no time does your secret key ever leave the device, not even to your own computer.
      A trojan could eavesdrop on the whole thing and not learn anything useful.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    16. Re:Long term: Bad for the web by hoggoth · · Score: 1

      The Yubikey can generate a different set of keys for each participating website so separate websites can't cross-reference your identity.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    17. Re:Long term: Bad for the web by MassacrE · · Score: 1

      You can use a PIN/passcode, but the client software on the computer is the UX for it - Firefox in this case, the operating system in others.

  5. Is Two-Factor dead now? by omnichad · · Score: 1

    So just replace the first factor with the second one?

    1. Re:Is Two-Factor dead now? by Junta · · Score: 1

      To be fair, if you are faced with endusers either doing password or doing 'something they have' and unable to reasonably require them to do both, it's probably best to let them use 'something they have'.

      Biometric of course seems to be the order of the day, though I have a harder time defending the security of that sincerely.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Is Two-Factor dead now? by bws111 · · Score: 1

      Still two factors. First factor is you must have the physical device that contains the private keys, and the second factor is what you use to access those keys (PIN, password, biometrics)

    3. Re:Is Two-Factor dead now? by sexconker · · Score: 1

      Nope. It's just the private key. Someone who pwns the host machine can copy the private key and reuse it later, with no need to know whatever opens the Yubikey/whatever device and no need to physically have the Yubikey/whatever device.

      Unless someone is physically inspecting the "something you have" or "something you are", it's just something you're telling them, and thus it's effectively "something you know".

    4. Re:Is Two-Factor dead now? by viperidaenz · · Score: 2

      Someone with access to the host machine does not have access to the private key.
      The private key stays on the authentication device. Data goes in to it, signed or encrypted data comes out of it. The private key stays just that - private.

      You can't replay responses either, as the data going in to the device is randomly generated by the server requesting authentication.

    5. Re:Is Two-Factor dead now? by omnichad · · Score: 1

      If you use "biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID" on the device you're logging in with, then you have both together.

    6. Re:Is Two-Factor dead now? by hoggoth · · Score: 1

      Wrong.

      Your private keys are stored in a secure hardware module inside the Yubikey. They never leave the Yubikey not even into your own computer. The login process sends a random challenge into the Yubikey. The Yubikey responds with the challenge encrypted by your secret private key. The website can verify the response against your public key. The response is unique to that random challenge and gives an eavesdropper no useful or repeatable information.

      Each website gets a different set of keys generated by the Yubikey to prevent cross-referencing your identity.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  6. Government vs Biometrics by Daemonik · · Score: 4, Insightful

    The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.

    Whereas a pin or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.

    1. Re:Government vs Biometrics by Octorian · · Score: 4, Insightful

      IMHO, the fundamental problem with biometrics is that they're a password you cannot change.

      No matter how personally unique some characteristic of you may be, it ultimately has to be captured and turned into a data stream to be used for authentication. What exactly stops someone from simply capturing and replaying that data stream?

    2. Re: Government vs Biometrics by Anonymous Coward · · Score: 3, Informative

      The fundamental problem is that biometrics are identities, not secrets.

    3. Re:Government vs Biometrics by Mashiki · · Score: 2

      What exactly stops someone from simply capturing and replaying that data stream?

      Nothing. Now don't forget that some diseases like diabetes, lupus, MS, and so on can change the information that's used for biometrics. Retinal patterns being one of the big ones.

      --
      Om, nomnomnom...
    4. Re:Government vs Biometrics by Archangel+Michael · · Score: 4, Insightful

      This is the first post that clearly states what the problem actually is.

      Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.

      I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:Government vs Biometrics by bws111 · · Score: 1

      For something like webauthn, the biometrics data never leaves your device so there is nothing to capture.

    6. Re: Government vs Biometrics by Anonymous Coward · · Score: 0

      False, they are just a construct.

    7. Re:Government vs Biometrics by Anonymous Coward · · Score: 0

      This is the first post that clearly states what the problem actually is.

      Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.

      I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

      There is no difference between

      user: John
      pass: SuperSekrrit1!

      and

      login: JohnSuperSekrrit1!

      None, whatsoever. At the network level, not counting the null between those strings, that's probably what it even looks like for most basic authentication protocols. The username is a unique key, and an index in a database of password hashes.

      When your auth token is complicated enough, unique enough, and the authorization database can be searched quickly enough, you don't need a username. The username is a known/guessable value, you shouldn't even count the entropy it theoretically provides, you should add needed entropy to the password instead. Biometrics, if they meet these criteria, shouldn't need you to type your name in. That's only a stop gap if particular biometric algorithms are not reliable enough. It's like when you hand someone an ID, they look and ask you your name.... think about it.

    8. Re:Government vs Biometrics by Anonymous Coward · · Score: 0

      This is the first post that clearly states what the problem actually is.

      Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.

      I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

      You have something bass ackwards there, AUTHORIZATION is what the side receiving the credentials does, not the side giving them.

      What you wanted to say is you want identity to be determined by something you know, instead of something you have, I think. That's fine.
      Either that or an "Are you sure?" prompt to authorize the phone's authorization?

    9. Re:Government vs Biometrics by Anonymous Coward · · Score: 0

      The crucial difference is that identifiers will inevitably be published. Designing a system where the identifier must remain secret is designing a system that is not meant to be used by people or in untrusted media.

    10. Re:Government vs Biometrics by skids · · Score: 1

      Actually, there is a difference on the back end and usernames are used for good reasons. The username indexes more than your password, and is usually safe to record to logs and expose to a larger code surface in the AAA infrastructure. (With logs, best practice is to only record usernames from existing accounts in case a password accidentally gets typed in the username field... but of course make sure there's no delay introduced by doing so that would allow testing which usernames are valid.)

      Also in challenge based password crypto systems, with no invariant part of the secret, you'd have to hash your entire database of passwords with each nonce to have something to compare with the user's response on every auth, and that's gigantically wasteful.

      Now the same thing usernames are used for can be done with PKI DNs, of course. The problem with tokens and keystores is they gather a lot of authorization privileges in one place protected usually by a single... you guessed it... password... which is usually cached to keep the store open (just like passwords if you let your users do that.) Which means the store remains available for any software compromising the client machine much longer than necessary.

      Also keystores and tokens are not necessarily well designed... they may leak the public contents of a cert to anyone who can figure out what CA/attributes to challenge with rather than asymmetrically validating the server cert first. That won't grant access, but can be used to track users without their consent.

      I personally hate the drive for "passwordless" systems since wetware has some pretty good security properties for those that are capable of using it and I don't think depriving those people of that tool is productive. However, if we are going to use tokens, it would be best to insist the token vendor use auditable OSS hardware/firmware like Nitrokey rather than Yubikey.

    11. Re:Government vs Biometrics by skids · · Score: 1

      ...unless you have an embed on the device. But then, all bets are off.

    12. Re:Government vs Biometrics by Cederic · · Score: 1

      So if I create a new user account, and use the login JohnSuperSekrrit1! do I get to claim ownership of yours or should I just leech anything useful then move on?

    13. Re:Government vs Biometrics by jon3k · · Score: 1

      An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest

      Pro Tip: For the iPhone X to unlock you have to have both eyes open.

    14. Re:Government vs Biometrics by Archangel+Michael · · Score: 1

      Identity is not the same thing as authorization. Your new user login isn't proof of identity, nor authorization. You'd be hard pressed to be able to truly prove you are me, let alone authorized to act on my behalf.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    15. Re:Government vs Biometrics by Archangel+Michael · · Score: 1

      The thing about a transaction is that it requires two authorizations to be valid. I was focusing on security, because that is largely focused on the authorization of the person who has secured something else. Someone can pick a lock, but that doesn't grant them authorization. ;)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    16. Re:Government vs Biometrics by Cederic · · Score: 1

      You know this, I know this. The AC to whom I replied appears not to.

    17. Re:Government vs Biometrics by bws111 · · Score: 1

      So what exactly is the problem with WebAuthn then? It does not have any dependency on biometrics. All it requires is an authenticator capable of correctly signing a challenge with a private key that you have. How you protect the ability to sign the challenge is up to YOU, the user. For some people (probably many people), possession of the device and a fingerprint may be sufficient. For others, a PIN or password may be required. Maybe the really paranoid want to type the challenge into a battery-operated PC with secure crypto hardware and no external connections inside a Faraday cage in a room with Fort Knox-like protection and a loud white noise generator running, and then copy the response off the screen. ALL of which are better than having someone else be responsible for the safe-keeping of your password.

  7. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  8. Awkward abbreviation... by Junta · · Score: 1

    I would have guessed WebAuth to be a bit smoother...

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Awkward abbreviation... by viperidaenz · · Score: 1

      Perhaps they don't want to confuse authentication with authorisation.

      Authn sounds more like authentication than authorisation.

  9. No thank you by AuMatar · · Score: 4, Interesting

    So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:No thank you by jawtheshark · · Score: 2

      I agree. A password manager with different complicated long passwords gets you a long way.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:No thank you by LubosD · · Score: 1

      I assume advanced users will be able to use something like SSH keys.

    3. Re:No thank you by denis-The-menace · · Score: 1

      Meanwhile, they do not mention anything about the "Logins API" needed for Add-Ons like "password-exporter" (https://github.com/fligtar/password-exporter) to work.

      The security review still has not happened (https://bugzilla.mozilla.org/show_bug.cgi?id=1357856)

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    4. Re:No thank you by Anonymous Coward · · Score: 0

      FWIW, I saw this ad from Yubico recently:
      https://www.youtube.com/watch?v=wl479T2t6eo

      So, there is at least some idea of being able to address those issues.

  10. Still no, mozilla.... by Anonymous Coward · · Score: 0

    "Pocket" is a no-go, no matter how much you try to sugar-coat that turd...

  11. Also, now with ads by Anonymous Coward · · Score: 0

    Yes, ads. Apparently they still have too many users.

    1. Re: Also, now with ads by Anonymous Coward · · Score: 0

      Advertising has no place on the internet. These people are vile.

    2. Re:Also, now with ads by preflex · · Score: 2

      FFS!

      about:config

      extensions.pocket.enabled = false
      browser.newtabpage.activity-stream.sections.highlights.includePocket = false browser.newtabpage.activity-stream.sectionOrder = "topsites"

    3. Re:Also, now with ads by preflex · · Score: 1

      Oops! I missed a line break.

      browser.newtabpage.activity-stream.sections.highlights.includePocket = false
      browser.newtabpage.activity-stream.sectionOrder = "topsites"

    4. Re: Also, now with ads by viperidaenz · · Score: 1

      Advertising on the internet has been around for longer than the internet.
      https://tech.slashdot.org/stor...

    5. Re: Also, now with ads by DontBeAMoran · · Score: 1

      What you said is illogical. You can have advertising about something before that something exists, but you cannot have advertising on something before that something exists.

      --
      #DeleteFacebook
    6. Re: Also, now with ads by omnichad · · Score: 1

      It's mostly semantics. It happened on what is now called the Internet before it was called the Internet (ARPANET).

    7. Re: Also, now with ads by Anonymous Coward · · Score: 0

      ...you cannot have advertising on something before that something exists.

      Nonsense. Have you heard about the Unicorn Festival I'm organizing?

  12. moz = yahoo by Anonymous Coward · · Score: 0

    how do companies this bad stay in business?

  13. noooooo Dongles! by swschrad · · Score: 1

    just.... no.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  14. BIOMETRICS ARE NOT SECRETS by Anonymous Coward · · Score: 0

    Almost 10 years old, and more timely than ever.

    Biometrics

    1. Re:BIOMETRICS ARE NOT SECRETS by viperidaenz · · Score: 1

      Just as well this is just a generic API for private key authentication then.
      Any biometric part of it doesn't share the biometric data. It only uses it to unlock a private key.

  15. PKCS#11 support? by flink · · Score: 1

    Does this mean we will finally be getting a browser JS API for talking to PKCS#11 devices so we can do something more interesting with them besides mutual TLS authentication? I'd love to be able to, for example, bind a web server session to a remote AD using a browser-supplied hardware token, but right now that is virtually impossible unless you've jumped through all the hoops necessary to get NTLM working.

  16. What about the Man in the Middle by Anonymous Coward · · Score: 0

    Aren't all of these technologies completely susceptible to a standard man in the middle attack? It is not at all clear how these are any better than passwords in a hostile environment.

    1. Re:What about the Man in the Middle by sexconker · · Score: 1

      Yes, of course they are.
      They aren't better than passwords, unless you're trying to sell them as a "solution".

    2. Re:What about the Man in the Middle by viperidaenz · · Score: 1

      If the man in the middle has stolen the private key of the server's certificate or has managed to obtain a trusted certificate for the domain and hijacked your DNS.

      Even then, the man in the middle would not obtain access to the credentials, they would only have access to an authenticated session.
      If you were using a password, the man in the middle would get the password too.

    3. Re:What about the Man in the Middle by scdeimos · · Score: 1

      You've ignored that man-in-the-middle doesn't have to steal the origin server's private key - they just have to be able to sign a certificate with the same Subject or Subject Alternative Name using any CA Root or ICA in your trusted certificates store.

      Certificates are only as strong as the weakest CA which is why Apple, Google and Mozilla created a big song-and-dance act about StartSSL/Start.com allegedly (and never actually proven, mind you) being owned by China-based Qihoo 360 Group.

      One could argue that it's easier to game the Mozilla-promoted Let's Encrypt certificates.

    4. Re:What about the Man in the Middle by viperidaenz · · Score: 1

      You missed the bit where I said "or has managed to obtain a trusted certificate for the domain"

      You're also ignoring the point where if that happens, the credentials do not get compromised. The attack can only happen while the MITM is in the middle to initiate the session.

      If you were building a service that required high security, you'd also make any secure actions require a new authentication to be performed.
      I had a bank once that sent out hardware tokens. You needed a code from the token to login. You also needed to enter a challenge number into the token and then enter the response if you did any action that could lose you money - transfer to external accounts, set up direct debit authorities, change personal details, etc.

      There was no password ever entered in to their website, only a hardware token and PIN number for the token.

      This is basically the same thing, except instead of me entering the numbers into the token and typing them in the browser, it's an API, where I still give physical authorisation for each request.

    5. Re:What about the Man in the Middle by MassacrE · · Score: 1

      It has a prerequisite of TLS, so it is as susceptible as TLS is. If the browser accepts a fraudulently issued certificate, that fraudulent site can coordinate with the legitimate site to MITM you. This is a common weakness of TLS, and one of the reasons the browser/OS vendors have been ratcheting up their requirements for CA processes and certificate transparency.

      The individual public key credentials which are issued as part of webauthn are basically scoped to the relying party website, so paypalonline.com has little hope to get a credential usable on paypal.com.

      It does leverage a newer feature of TLS called token binding. With this, you can "bind" session cookies, OAuth tokens, etc. to the browser TLS. Even if the cookies/tokens accidentally leak to a malicious party, they won't be able to be used since they can't duplicate the TLS session.

  17. Re:GAY NIGGERS OF THE WORLD UNITE by Anonymous Coward · · Score: 0


    MODDOWN! ; creimer spam post again!

    creimer wants you to click on his youtube channel, then click on his stupid amazon affiliate link spam on Youtube. There is nothing of value on creimer youtube channel. Only creimer click-bot goes there.

    The tests we ran on Chris have shown that Chris has the intelligence of an amoeba:
    https://en.wikipedia.org/wiki/...

    So, technically, he is able to conceive some kind of agenda but it will be silly or impossible to follow on a human scale.

    For example, Chris had an agenda to post anything he felt like on Slashdot which did not work well because it was based on his false beliefs that he had an infinite number of karma points as he wrote here several times.

    Several people here explained to Chris that karma maxed out at some level like 50 or so but Chris kept on insisting that his python script had confirmed that he had millions of karma points!

    Oh well, as I wrote before: "It isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody."

    For the valuable /. users that might already have read the following, please note that there is an important update.

    IMPORTANT UPDATE:
    Special Education for the Santa Clara County Office of Education has invested money to buy Chris a new chair:
    http://www.keynamics.com/image...

    Information about Christopher Dale Reimer and autistic people:

    Autistic people have obsessions about things normal people don't care about. For example, one of our autistic patients went haywire when he realized that there was a penny missing in his pocket change.

    To calm him down, one of our educators pretended to have found it on the floor and gave a penny to him.

    The autistic patient condition went even worse because he realized it wasn't the same penny!

    Chris has an obsession with budgeting every penny. He doesn't understand that most people do not budget to the penny and have a flexible amount they allow for miscellaneous items.

    I am Nancy Guerrero and I am Director of Special Education for the Santa Clara County Office of Education. We use Chris' (a.k.a. creimer,cdreimer) picture in our document because he is the hardest case we have ever had to handle:
    http://www.sccoe.org/depts/stu...

    Our artists were inspired by the low carb diet that Christopher follows scrupulously for the small lunch box and by the picture linked below for the rest. I am sure that you will notice the similarities such as the bump on the side of his chest and more:
    https://ibb.co/gVad65

    Please be easy on Christopher although, I am aware that some of our staff handling Chris post joke comments here and obviously, the Santa Clara County Office of Education disapproves of that behavior vehemently:
    http://ibb.co/mRVSaG

    But it isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody.

    Thank You dear users,
    ---
    Nancy Guerrero
    Director
    Special Education
    Santa Clara County Office of Education

  18. Mark of The Beast - we're racing towards it now by Anonymous Coward · · Score: 0

    It should be interesting to see which tech is finally decided upon by TPTB.

  19. Biometric identity proof? by Anonymous Coward · · Score: 0

    Having biometric information is in no way proof of an identity.

    1. Re:Biometric identity proof? by sexconker · · Score: 2

      Nor is presenting it, or a hash of it, proof of having the corresponding biology.
      It's just a password at that point, and one the legitimate user has no direct control of. If they lose a finger, fuck up their eye with diabetes, get a scar on their face, etc. they're fucked. If an attacker can spoof their biometrics (or the hash a biometric reader puts out), the legitimate user can't easily reset their biology.

    2. Re:Biometric identity proof? by skids · · Score: 1

      ...not to mention you won't be able to approach any device without a ski mask on for fear of accidentally logging into something you don't want to log into.

  20. What the Fuck by Anonymous Coward · · Score: 0

    Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

    Is the person who wrote this a moron, or did they just suffer a stroke? If a fake Web site can coax you to type in credentials, why can't it coax you to use your Yubikey or fingerprint scanner? Then, how does it cure the problem of using a single password on multiple sites to have a single piece of hardware or meatware serve as your login on multiple sites?

    1. Re:What the Fuck by viperidaenz · · Score: 1

      Because the fake website also needs to present a trusted certificate for the domain the credentials are associated with. They also don't get given the credentials either. They get given a signature.

      The hardware stores different certificates for each site. The private keys aren't required to be exported anywhere.

      When you register your hardware device with your account, you're only sharing the public key of a new unique private/public key pair.

  21. Re:So, a couple years late and not as integrated.. by viperidaenz · · Score: 1

    For this use case Smart Lock is just a password manager.

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. Passwords by Anonymous Coward · · Score: 0

    Can't be replaced if you want security.

  24. When intel has all the spectre bugs fixed by Anonymous Coward · · Score: 0

    When all the zero days are cleaned up
    When all the snoopy alphabet agencies obey the laws

    When Linux goes six months without a kernel update

    When there are no more russian hackers

    When there are international cyberwarfare treaties

    Then get back to me about my password hygiene

  25. JUST STOP IT by XSportSeeker · · Score: 4, Interesting

    Man, I'm f*cking tired of this shit.

    Stop spreading the false myth that a new standard, biometrics, or whatever is gonna "replace" passwords, or that there is a post-password future, or bullshit like that.
    What passwords provide is fundamentally different from what biometrics can offer.
    If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.

    It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.

    For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take its place, and it cannot by definition be used in several cases where passwords are required.

    Biometrics and this new standard will add convenience to a form of authentication that, while it can be enough for lots of things, or can be paired with passwords for added security, does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependent on proprietary hardware and software schemes to maintain integrity.

    And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see WebAuthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers as you need, and weigh the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.

  26. Biometrics instead of passwords? by Trogre · · Score: 1

    Yeah, because something you have is better security than something you know, right?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  27. msmash, you might be an asshole by Anonymous Coward · · Score: 0

    "Firefox Moves Browsers Into Post-Password Future"
    "We're still a long way away from a post-password future..."

  28. Nothing wrong with password by Anonymous Coward · · Score: 0

    There is nothing wrong with passwords. On all the many servers I administer the number of attempted password hacks is almost zero.

    There are constant attempts by numerous actors to scare everybody into assuming that something needs to be done. Nothing needs to be done.

    In fact, something needs to be done about all of those actors attempting to scare everyone into adopting their technology.

    1. Re:Nothing wrong with password by Anonymous Coward · · Score: 0

      Indeed, and the worst thing that can happen to me is to be locked out from my own stuff. I'm not admining servers and stuff but I lost my long-standing Yahoo email - even though I changed my password a few times when there were severe publicly known breaks and even someone seemingly taking my account over once (I don't know if that's really true. I once saw I received a spam email from myself, which was just spoofing).

      At worst, two-factor is something you know and something that can be lost.

  29. PaleMoon by gosand · · Score: 1

    It's been working very well for me.
    If for some reason it went away, I would reluctantly go back to FF.

    --

    My beliefs do not require that you agree with them.