Slashdot Mirror


Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

17 of 132 comments

  1. Long term: Bad for the web by Anonymous Coward · · Score: 5, Insightful

    While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,

    1. Re:Long term: Bad for the web by darkain · · Score: 2

      Source: https://developers.yubico.com/...
      This is something I use on a daily basis. It does indeed exist.

  2. Government vs Biometrics by Daemonik · · Score: 4, Insightful

    The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.

    Whereas a pin or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.

    1. Re:Government vs Biometrics by Octorian · · Score: 4, Insightful

      IMHO, the fundamental problem with biometrics is that they're a password you cannot change.

      No matter how personally unique some characteristic of you may be, it ultimately has to be captured and turned into a data stream to be used for authentication. What exactly stops someone from simply capturing and replaying that data stream?

    2. Re: Government vs Biometrics by Anonymous Coward · · Score: 3, Informative

      The fundamental problem is that biometrics are identities, not secrets.

    3. Re:Government vs Biometrics by Mashiki · · Score: 2

      What exactly stops someone from simply capturing and replaying that data stream?

      Nothing. Now don't forget that some diseases like diabetes, lupus, MS, and so on can change the information that's used for biometrics. Retinal patterns being one of the big ones.

      --
      Om, nomnomnom...

  5. Re:Government vs Biometrics by Archangel+Michael · · Score: 4, Insightful

      This is the first post that clearly states what the problem actually is.

      Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.

      I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  3. No thank you by AuMatar · · Score: 4, Interesting

    So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.

    --
    I still have more fans than freaks. WTF is wrong with you people?

    1. Re:No thank you by jawtheshark · · Score: 2

      I agree. A password manager with different complicated long passwords gets you a long way.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)

  4. Re: Time Saver by Archangel+Michael · · Score: 4, Interesting

    I create new EMAIL for every account I have to sign up for.

    My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for fad of the years and stupid shit, and I know who sells my shit to who, and none of those gets my business again.

    It is actually empowering taking control.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  5. Re:Another dead Firefox release. by fluffernutter · · Score: 5, Insightful

    I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

  6. Re: Time Saver by fahrbot-bot · · Score: 2

    My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix).

    You know that 2-digit pattern is going to bite you come y3k.

    --
    It must have been something you assimilated. . . .

  7. Re:Also, now with ads by preflex · · Score: 2

    FFS!

    about:config

    extensions.pocket.enabled = false
    browser.newtabpage.activity-stream.sections.highlights.includePocket = false
    browser.newtabpage.activity-stream.sectionOrder = "topsites"

  8. Re:Biometric identity proof? by sexconker · · Score: 2

    Nor is presenting it, or a hash of it, proof of having the corresponding biology.
    It's just a password at that point, and one the legitimate user has no direct control of. If they lose a finger, fuck up their eye with diabetes, get a scar on their face, etc. they're fucked. If an attacker can spoof their biometrics (or the hash a biometric reader puts out), the legitimate user can't easily reset their biology.

  9. Re:Is Two-Factor dead now? by viperidaenz · · Score: 2

    Someone with access to the host machine does not have access to the private key.
    The private key stays on the authentication device. Data goes into it, signed or encrypted data comes out of it. The private key stays just that - private.

    You can't replay responses either, as the data going into the device is randomly generated by the server requesting authentication.

  10. JUST STOP IT by XSportSeeker · · Score: 4, Interesting

    Man, I'm f*cking tired of this shit.

    Stop spreading the false myth that a new standard, biometrics, or whatever is gonna "replace" passwords, or that there is a post password future, or bullshit like that.
    What passwords provide is fundamentally different from what biometrics can offer.
    If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.

    It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.

    For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take its place, and it cannot by definition, be used in several cases where passwords are required.

    Biometrics and this new standard will add convenience to a form of authentication that while it can be enough for lots of things, or can be paired with passwords for added security, it does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependent on proprietary hardware and software schemes to maintain integrity.

    And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see webauthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers as you need, and weigh the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.

  11. Re: Time Saver by ewibble · · Score: 2

    If you own a domain you can do it easily, I would also think it is possible to register for a service where you own a subdomain. e.g. mydomain.subdomainservice.com

    They can all be directed to 1 email address and you can just filter out any that you don't want