Slashdot Mirror
Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)
Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.
Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.
Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.
First, developers do not care about client side security issues, the developers will get their revenue or not, as long as they do not put functions server side that require something that the browser does not support.
Second, how much revenue can people who are still running XP produce for a website? Even in China, XP machines a handmedowns, they are consumption devices, not devices for purchases.
All this AI stuff is just marketing buzz words.
putting the 'B' in LGBTQ+
While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,
So just replace the first factor with the second one?
The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.
Whereas a pin or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.
Honestly, if it requires an account you must sign up for that pretty much turns me off of a service.
The millennial that doesn't like most of the stuff designed for millennials.
Comment removed based on user account deletion
I would have guessed WebAuth to be a bit smoother...
XML is like violence. If it doesn't solve the problem, use more.
So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.
I still have more fans than freaks. WTF is wrong with you people?
just.... no.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I create new EMAIL for every account I have to sign up for.
My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for fad of the years and stupid shit, and I know who sells my shit to who, and none of those gets my business again.
It is actually empowering taking control.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Does this mean we will finally be getting a browser JS API for talking to PKCS#11 devices so we can do something more interesting with them besides mutual TLS authentication? I'd love to be able to, for example, bind a web server session to a remote AD using a browser-supplied hardware token, but right now that is virtually impossible unless you've jumped through all the hoops necessary to get NTLM working.
...pretty much...
Its not all the time. I will still sign up for some things. Just most of the time. That what pretty much means.
The millennial that doesn't like most of the stuff designed for millennials.
How are you getting all these email accounts that aren't tied together?
I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.
Slimjet is a good chromium based alternative browser.
My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix).
You know that 2-digit pattern is going to bite you come y3k.
It must have been something you assimilated. . . .
FFS!
about:config
extensions.pocket.enabled = false
browser.newtabpage.activity-stream.sections.highlights.includePocket = false browser.newtabpage.activity-stream.sectionOrder = "topsites"
Oops! i missed a line break.
browser.newtabpage.activity-stream.sections.highlights.includePocket = false
browser.newtabpage.activity-stream.sectionOrder = "topsites"
You mean y21c.
Yes, of course they are.
They aren't better than passwords, unless you're trying to sell them as a "solution".
Nor is presenting it, or a hash of it, proof of having the corresponding biology.
It's just a password at that point, and one the legitimate user has no direct control of. If they lose a finger, fuck up their eye with diabetes, get a scar on their face, etc. they're fucked. If an attacker can spoof their biometrics (or the hash a biometric reader puts out), the legitimate user can't easily reset their biology.
For this use case Smart Lock is just a password manager.
Advertising on the internet has been around for longer than the internet.
https://tech.slashdot.org/stor...
Just as well this is just a generic API for private key authentication then.
Any biometric part of it doesn't share the biometric data. It only uses it to unlock a private key.
Comment removed based on user account deletion
If the man in the middle has stolen the private key of the servers certificate or has managed to obtain a trusted certificate for the domain and hijacked your DNS.
Even then, the man in the middle would not obtain access to the credentials, they would only have access to an authenticated session.
If you were using a password, the man in the middle would get the password too.
Because the fake website also needs to present a trusted certificate for the domain the credentials are associated with. They also don't get given the credentials either. They get given a signature.
The hardware stores different certificates for each site. The private keys aren't required to be exported anywhere.
When you register your hardware device with your account, you're only sharing the public key of a new unique private/public key pair..
You know about email aliases, right?
#DeleteFacebook
What you said is illogical. You can have advertising about something before that something exists, but you cannot have advertising on something before that something exists.
#DeleteFacebook
Man, I'm f*cking tired of this shit.
Stop spreading the false myth that a new standard, biometrics, or whatever is gona "replace" passwords, or that there is a post password future, or bullshit like that.
What passwords provides is fundamentally different from what biometrics can offer.
If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.
It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.
For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take it's place, and it cannot by definition, be used in several cases where passwords are required.
Biometrics and this new standard will add convenience to a form of authentication that while it can be enough for lots of things, or can be paired with passwords for added security, it does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependant on proprietary hardware and software schemes to maintain integrity.
And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see webauthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers you need, and weight the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.
Yeah, because something you have is better security than something you know, right?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
If you own a domain you can do it easily, I would also think it is possible to register for a service where you own a subdomain. e.g. mydomain.subdomainservice.com
They can all be directed to 1 email address and you can just filter out any that you don't want
I have a mac and was trying to be thorough.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Try Vivaldi
Y2.1K?
It's mostly semantics. It happened on what is now called the Internet before it was called the Internet (ARPANET).
Someone had to do it.
We should start this debate now, so that by the time it starts to matter in 2096 or so the main arguments are refined, well understood and people can skip straight to the flaming.
You've ignored that man-in-the-middle doesn't have to steal the origin server's private key - they just have to be able to sign a certificate with the same Subject or Subject Alternative Name using any CA Root or ICA in your trusted certificates store.
Certificates are only as strong as the weakest CA which is why Apple, Google and Mozilla created a big song-and-dance act about StartSSL/Start.com allegedly (and never actually proven, mind you) being owned by China-based Qihoo 360 Group.
One could argue that it's easier to game the Mozilla-promoted Let's Encrypt certificates.
I do. I actually use them on occasion ;)
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
the +Netflix_2016 bit isn't quite an alias. Technically it is ignored by the Email Server for the domain. IT acts like an alias however. A real alias is a full email address that is delivered to another primary email box. The former can be removed in transit, as you indicated, a true alias cannot.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
outlook.com
yahoo.com
gmail.com
mail.com
Mail.com has a number of other domain names you can use.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
LOL, Gawd I hope so!
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I do the same. I was surprised and disappointed to find out my online stock trading account was selling my info to the most spammers out of all my accounts. Security? lol...
- For the complete works of Shakespeare: cat
It's been working very well for me.
If for some reason it went away, I would reluctantly go back to FF.
My beliefs do not require that you agree with them.
I do something similar, but with my own domain, using the domain name where I'm registering in the part before the @. No need to create a new mailbox or forwarder for each site, as it's a global forwarder. You can be more selective in the forwarding by requiring a specific string as part of the address in order to forward, so you don't get messages sent to random addresses in your domain.
It would end up something like this (obviously much shorter - this is just for explanation): DomainNameWhereI'mRegistering.com.customstring@myowndomain.com
You can do this either if you have domain hosting that also offers email forwarding, or I believe that there are also dedicated email forwarding services dedicated to this kind of use. I've done this for several years (through a website hosting service) and have caught a few major domains that either sold my email address or had their customer data hacked:
dropbox.com
adobe.com (known to have customer data exfiltrated)
equifax.com (back in 2011, years before their big security meltdown a couple of years ago)
You missed the bit where I said "or has managed to obtain a trusted certificate for the domain"
You're also ignoring the point where if that happens, the credentials do not get compromised. The attack can only happen while the MITM is in the middle to initiate the session.
If you were building a service that required high security, you'd also make any secure actions require a new authentication to be performed.
I had a bank once that sent out hardware tokens. You needed a code from the token to login. You also needed to enter a challenge number into the token and then enter the response if you did any action that could lose you money - transfer to external accounts, set up direct debit authorities, change personal details, etc.
There was no password ever entered in to their website, only a hardware token and PIN number for the token.
This is basically the same thing, except instead of me entering the numbers into the token and typing them in the browser, it's an API, where I still give physical authorisation for each request.
It has a prerequisite of TLS, so it is as susceptible as TLS is. If the browser accepts a fraudulently issued certificate, that fraudulent site can coordinate with the legitimate site to MITM you. This is a common weakness of TLS, and one of the reasons the browser/OS vendors have been ratcheting up their requirements for CA processes and certificate transparency.
The individual public key credentials which are issued as part of webauthn are basically scoped to the relying party website, so paypalonline.com has little hope to get a credential usable on paypal.com.
It does leverage a newer feature of TLS called token binding. With this, you can "bind" sessions cookies, oauth tokens, etc to the browser TLS. Even if the cookies/tokens accidentally leak to a malicious party, they won't be able to be used since they can't duplicate the TLS session.