Android Is Helping Kill Passwords on a Billion Devices (wired.com)
The FIDO Alliance -- a consortium that develops open source authentication standards -- has been pushing to expand its secure login protocols to make seamless logins a reality for several years. Today, it has hit the jackpot: Google. From a report: On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning that the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser instead of laboriously typing in your password every time you want to log in. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.
Biometrics can be stolen or faked. But there's no way for the legitimate owner of that body to replace them when that happens.
(posting this on the day my office is forcing a periodic password change on me)
How about you design your FIDO2 thing to automatically type passwords into regular password fields instead of asking the whole web to change for your new special feature?
#DeleteFacebook
No, because your iPhone works with regular login forms.
Which is, of course, the proper way to do it.
#DeleteFacebook
A technology that has been supported by all major browsers since the beginning of time itself.
They want me to trust an Android phone to authenticate all my logins? Are they high?
Switch to KeePass and family. Create a database with a keyfile and a master password. I switched to KeePass and family a couple of years ago, and it was the best thing I ever did. Use a master password plus a sneaker-net distributed keyfile to protect the database. You can share the database with something like SyncThing, which has end-to-end encryption you control just for added safety, but really you could share the database publicly with complete safety at that point.
Don't get me wrong, I like Android. But Google has been in the NSA's back pocket from the beginning. Not that Assange is one of my favourite people, but he did make a compelling case for Google being essentially an arm of the US government. Which is one reason why China had it out with them (we may get on Huawei's case for back-doors, but we did it to them first with Google and Windows).
I didn't read the article because WIRED happens not to be part of my current subscription package. But based only on the quoted paragraph, I see two practical problems likely to arise.
The first is the requirement of "Android 7 or later". Last I checked, phones were still being sold multiple major versions of Android behind because newer versions of Android require more CPU and RAM than fit in the bill of materials for a budget prepaid smartphone. Which entry-level phone ships with 64-bit Android 7 or later?
The second is that some major websites won't let the user set up 2-factor authentication through U2F or TOTP without first setting up 2-factor authentication through SMS. One example is Twitter, which 1. requires the user to set up SMS before setting up TOTP, 2. sends SMS on every login attempt even after TOTP has been set up, and 3. removes TOTP if the user removes SMS.
A requirement of SMS before U2F or TOTP causes problems in three situations I can think of. The first is people managing business accounts who may not have a cell phone at all at the office, instead relying on the office landline. The second is people on a pay-as-you-go plan, particularly in the United States, where PAYG carriers charge for each incoming voice minute or SMS message. The third is people who know SMS isn't a reliable third factor because of the documented cases where a social engineer convinced the carrier to transmit some other subscriber's service to a new SIM without the subscriber's authorization, and then proceeded to use that SIM to unlock the victim's email and other accounts.
200 Million Biometric credentials stolen in Security breach.
It is inevitable.
Corrected headline - Android is helping to spread pervasive tracking.
User name and password is "something you know", and as such is not something that can be used without your explicit consent. Seamless login is "something you have", and since it is part of your phone, it doesn't require your explicit consent to be checked.
Make no mistake, this is about removing what little anonymity is left from the Internet. FIDO standard is effectively a Real Name Only policy disguised as progress.
Earlier, hackers needed to crack one site at a time. Now, thanks to innovation and advances, all they have to do is crack Android.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I don't want to be dependent on a given device or ecosystem for using a website or an app, and I don't necessarily want to tie it to my identity via biometrics. I can make passwords arbitrarily complex, yet easy to remember, and even write them down in a little book (kind of hard to hack remotely).
Password-less authentication isn't about security -- it's about control and LACK of security. Google wants to hold the keys to the city.
First it was fingerprints, then it was the face. While the question of where it will end exists, does anyone notice that they are just scanning our bodies part by part, and selling the information?
https://www.youtube.com/c/BrendaEM
I'm a little shocked to see an article on FIDO without even a mention of Steve Gibson's competing Secure Quick Reliable Login.
Although I'm not an expert on this, most reports I've heard are that SQRL is what FIDO was trying to be.
One key feature of SQRL is that it only does one of Authentication and Authorization, so it can be used for anonymous login, which would be better for many purposes, such as blog comments where you only need to verify that some response belonged to the same author as some other so nobody could impersonate someone else. Though it looks like FIDO may also do this.
Signatures are a waste of bandwi (buffering...)
One big difference between client certificates and U2F keys like this is that compared to a web browser's client certificate store, a U2F key is somewhat more hardened against attempts to copy out the private key. This lets a U2F key pass more tests for being "something you have."
The other is that TLS client authentication has been a usability nightmare, particularly for non-technical users, in "all major browsers since the beginning of time itself."
Browser publishers haven't prioritized improving client certificate UX because of the low user base of client certificates. I've seen them on only two sites: StartCom (a defunct TLS CA) and Kount (an e-commerce fraud risk assessment platform). But browsers could improve this UI in a few ways:
But good luck getting browser publishers to devote any time==money to this.
*A "registrable domain" is a public suffix, as defined by Mozilla's Public Suffix List, plus one name part. If "co.uk" is a public suffix, for example, then "ebay.co.uk" is registrable.
Especially since they are around $50 and not free.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
Umm... the browser on the iPhone stores credentials for you and automatically authenticates using Face ID or Touch ID if you have it configured.
I'm not sure why you wouldn't configure such a feature if available. Any decent password that's worth a damn (mixed case, numbers, punctuation, more than 8 characters) would be a pain in the ass to type on a mobile device keyboard.
This (no requirement to always automatically trigger any system but for safety). If users want it then go build it and sell it or give it away.
The only time the government should block that is if they're like China ("dissention is evil"). Otherwise we should be able to call them out and build a system to fight it.
Otherwise it's just a monetary issue. Said company won't let you so go reimplement or figure out a public health reason to have the government regulate them into submission. If they won't then shame the government for said collusion.
I have used three iPhone models so far. None had a finger scanner.
Yes, I'm still using an iPhone 4 in 2019. If you have a newer model to give me for free, I'll take it.
#DeleteFacebook
If only they would apply 2FA policies to device authentication. Using their BLE token, you should not be able to unlock your device without your token and a fingerprint or password.
As others have mentioned, fingerprints can be faked, passwords can be guessed, but none of that matters when the phone is stolen if you are missing the token attached to someone's keychain.
Google accounts online can be protected by 2FA, but your Google device is the weak link, because it has access to all your photos and drive documents without authentication once your device is unlocked.
Technically yes, but with this method attackers have to compromise each device locally in order to get that kind of data. I could also see authentication 'partitions' being used such that if there were a compromise it takes multiple points of knowledge to unlock different partitions. If one were so inclined you could also use an external device as the authentication method that would also need to be compromised and even hold some of this information on different devices so that in no instance are all eggs in one basket.
After reading up on the standard I am actually a fan of the design. Let's face facts, passwords have been outdated for some time.
Anyone who read the news about the NSA leaks still has all the alarm bells go off whenever he hears the name "FIDO".
It was synonymous with "backdoored, as required".
I hardly think this got any better.
Sorry, the NSA is in one category with China, the FSB, Mossad, GCHQ and maybe less evil than North Korea but far more powerful and anti-American to be frank.
That didn't seem to stop you from authoritatively trying to explain how new iPhones sold in the last 8 years work. Explaining in a completely incorrect way I might add.
The difference here is that you are giving your passwords to Apple and have to trust them to secure it. With the Android solution, you don't have to trust Google.
I'm not sure what you mean? FIDO is a standard, they aren't actually selling anything. It also actually removes some of a user's information from being under the control/protection of the online services...
How does that thing even turn on any more?
With the power button, as always.
#DeleteFacebook
You say I'm incorrect but a lot of posters say it works exactly that way. So either we're all wrong, or you are.
#DeleteFacebook
And how is that different than "works with regular login forms" exactly?
#DeleteFacebook
Unless it's my finger, in which case it works maybe once a year. I turned off fingerprint unlocking because it isn't saving me any time or hassle, and while turned on there's a bare possibility that someone could turn on my iPhone when I don't want them to.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Smart cards have enabled [signing communications off the main CPU] for at least a dozen years and counting. They also happen to cost four times less than current USB sticks.
Even when you include the cost of a smart card reader that connects to one of the ports on the outside of a smartphone, tablet, or laptop computer? On my laptop, counterclockwise from top left, these are power, HDMI, USB, microSD, audio, USB, and USB. Last I checked, Square was charging $35 for a smart card reader that connects to a TRRS audio port, and I imagine that Square's might support only EMV application, not TLS application. If a consumer product computing device does have an ID-000 sized smart card slot, it's probably intended solely for authenticating to a cellular carrier, not to a particular website. Replace it with the card containing your bank's TLS certificate, and you no longer have Internet access through your device's cellular radio.
As you've probably guessed: I have no experience with ISO/IEC 7816 smart cards other than using the EMV chip on my credit card at merchants and inserting a SIM into a phone.