Not only that, but now that social site is aware of your relationship with the delegating party (in this case, eBay), which I hope at least some folks realize is not in their best interests.
What's the problem with that though? Delegating authentication feels like such an obvious thing: You allow a certain party to manage your identity, and trust them with it. You don't want to trust every random website to implement proper password storage, add 2fa support, yubikey, security notifications, etc etc.
I have a problem with how OAuth2, when used for authentication, locks users into a certain provider. Wish there was a solution to that. But delegating authentication really should be taken more seriously.
(A good example actually is... ebay, the very author of this article, that despite managing entire businesses and moving tons of money around, doesn't have proper MFA, has really dumb password limitations, etc. I certainly wish ebay would let me log in with Google...)
You don’t just delegate authentication. I trust Facebook to authenticate me. That doesn’t mean I trust them with my entire web presence. Delegating authentication promotes centralisation, which is presently to be a greater systemic risk to the Internet than some kitty picture site getting hacked.
Which is why it's important to have alternatives, yes. You don't want to have to only trust Facebook, you want to have it as a choice. The OpenID "dream": Users choose between different authentication services based on their needs.
I like Google auth because I pay for Google. I trust them because they're a lot better at security than statistically almost every other service on the web. I would trust Facebook, but I don't want them to know about my web presence as you pointed out. And to keep those services in check, you have to have alternatives.
The Payment request API is a good example of what we should be seeing for authentication. Secure delegation without lockin.
> Users choose between different authentication services based on their needs
Network effects inherently promote centralization. Third-party authentication exhibits network effects. Furthermore, given nobody pays for this service, we not only have a bias towards centralization but also incumbency.
Individually weak but diversified is a more robust model than strong but centralized. That was the fundamental insight of capitalism and of the Internet. Third party authentication promotes the latter.
I’m totally fine with delegating authentication, but only to some entity I trust. (Hint: that’s not going to be Facebook or any other big company) If you are going to require me to have a Facebook account in order to be your customer, then I’m not going to be your customer.
Or, better yet, let me delegate to my own service. That was one of the great promises of OpenID: you can run your own identity provider and delegate authentication to that. Too few sites support OpenID as a relying party.
> Why would I trust some other party to manage my [money]?
You don't trust some other party, you trust the one you choose. And if you don't trust any, you can manage it yourself.
Authentication should work like banks. Now we're not quite there yet, the site owners choose for you. That's a big shame, but it's still better than trusting some actual random website to manage your authentication.
I wasn't even considering if it is good or bad. My point was just about the password: if the new model is passwordless, well, making me (an user) type some password in the own site, or in an app, or in the facebook site, well... It has passwords. Perhaps good for the IT of ebay if they can say to someone that now they don't have to worry about passwords. I will still type some password, somewhere.
How you authenticate with that third party is between you and that third party. It just so happens that passwords are extremely common, but the third party might be a passwordless site as well.
The point is to delegate to someone that does authentication better than you.
I mean, christ, eBay has some niche concerns with fraud, but this really has no place across most of the internet, whether it’s “already happening” or not.
Google already tries to profile my device and fails miserably at doing so, frequently locking me out, because Google thinks it knows how many laptops I own and have access to.
Authentic audio is a laughable idea. A: Just look at transcription, B: Replay attacks will probably be trivial, C: Vocal dopplegangers and electronic modulation are kind of easy to utilize and forge authenticity with; imitation is harder to notice than achieve.
Face authentication is not only hackable, it’s intrusive, in that I don’t want systems taking pictures of my face. Foibles aside, machines will probably miss uncanny valley deception (static sculptures, photos, video, puppets), nevermind algorithmic hacks that poke holes in training data learning gaps.
Ebay probably needs to guard against fraud, but not with some of the the laziest machine-learning hacks currently available. Using sly hacks to strengthen bold/cute assumptions doesn’t make anything more secure. These are hacks of convenience, not security.
Passwords work, and dumb users and determined adversaries will always be a plentiful problem. Can we just admit that a lot of what happens on the internet simply isn’t important, and doesn’t demand high security, and then stop treating it like the blood of one’s first-born is needed to create an account or use it?
They day eBay kills its passwords is the day I leave eBay and never come back. Is it really that hard to run a website that already has the established infrastructure to maintain user credentials? This is just colossal laziness from their devs trying to outsource basic business responsibilities.
Regarding pasting passwords, that reminds me: I signed up for one site, I think it was Paypal, which had a password limit of 20 characters. Okay, that's already pretty bad -- it's an arbitrary limit and not as secure as I'd like for a site that has access to my credit cards and bank info.
Anyway, I generated a password using KeePass with I think 60 characters and pasted them in without error or warning. Turned out that only the first 20 characters got pasted in and the rest were silently rejected.
When I tried to log in I kept getting an invalid password error. No indication that the password I was trying to use was too long.
Only when I tried to change my password and type one in manually did I notice that nothing was getting entered after the 20th character.
Glad I'm not the only one. Now, in the "confirm password" field, I always backspace the last couple of characters and type them in manually, to make sure they match with what was pasted.
Learning to never truncate text is one of my first hard-learned programming lessons. I still have flashbacks whenever I see a maxlength attribute. If the user goes over, tell them, but do _not_ remove what they typed.
I see nothing in the article other than the byline that says anything about going “password-free”.
TFA: Password-free is the future... here’s how we re-wrote our signup and authentication framework to do that same thing we’ve always done but be more buzzword compliant and also defend against bot signups with step-up captcha.
Oh yeah, and we keep long term session tokens if you install the app which you can unlock with Touch/FaceID... after you login with your password the first time.
22 comments
[ 3.2 ms ] story [ 58.3 ms ] threadSo, don't ask for passwords, ask for another site so that it asks the user for the password.
I have a problem with how OAuth2, when used for authentication, locks users into a certain provider. Wish there was a solution to that. But delegating authentication really should be taken more seriously.
(A good example actually is... ebay, the very author of this article, that despite managing entire businesses and moving tons of money around, doesn't have proper MFA, has really dumb password limitations, etc. I certainly wish ebay would let me log in with Google...)
You don’t just delegate authentication. I trust Facebook to authenticate me. That doesn’t mean I trust them with my entire web presence. Delegating authentication promotes centralisation, which is presently to be a greater systemic risk to the Internet than some kitty picture site getting hacked.
I like Google auth because I pay for Google. I trust them because they're a lot better at security than statistically almost every other service on the web. I would trust Facebook, but I don't want them to know about my web presence as you pointed out. And to keep those services in check, you have to have alternatives.
The Payment request API is a good example of what we should be seeing for authentication. Secure delegation without lockin.
Network effects inherently promote centralization. Third-party authentication exhibits network effects. Furthermore, given nobody pays for this service, we not only have a bias towards centralization but also incumbency.
Individually weak but diversified is a more robust model than strong but centralized. That was the fundamental insight of capitalism and of the Internet. Third party authentication promotes the latter.
Or, better yet, let me delegate to my own service. That was one of the great promises of OpenID: you can run your own identity provider and delegate authentication to that. Too few sites support OpenID as a relying party.
You don't trust some other party, you trust the one you choose. And if you don't trust any, you can manage it yourself.
Authentication should work like banks. Now we're not quite there yet, the site owners choose for you. That's a big shame, but it's still better than trusting some actual random website to manage your authentication.
The point is to delegate to someone that does authentication better than you.
Google already tries to profile my device and fails miserably at doing so, frequently locking me out, because Google thinks it knows how many laptops I own and have access to.
Authentic audio is a laughable idea. A: Just look at transcription, B: Replay attacks will probably be trivial, C: Vocal dopplegangers and electronic modulation are kind of easy to utilize and forge authenticity with; imitation is harder to notice than achieve.
Face authentication is not only hackable, it’s intrusive, in that I don’t want systems taking pictures of my face. Foibles aside, machines will probably miss uncanny valley deception (static sculptures, photos, video, puppets), nevermind algorithmic hacks that poke holes in training data learning gaps.
Ebay probably needs to guard against fraud, but not with some of the the laziest machine-learning hacks currently available. Using sly hacks to strengthen bold/cute assumptions doesn’t make anything more secure. These are hacks of convenience, not security.
Passwords work, and dumb users and determined adversaries will always be a plentiful problem. Can we just admit that a lot of what happens on the internet simply isn’t important, and doesn’t demand high security, and then stop treating it like the blood of one’s first-born is needed to create an account or use it?
Anyway, I generated a password using KeePass with I think 60 characters and pasted them in without error or warning. Turned out that only the first 20 characters got pasted in and the rest were silently rejected.
When I tried to log in I kept getting an invalid password error. No indication that the password I was trying to use was too long.
Only when I tried to change my password and type one in manually did I notice that nothing was getting entered after the 20th character.
TFA: Password-free is the future... here’s how we re-wrote our signup and authentication framework to do that same thing we’ve always done but be more buzzword compliant and also defend against bot signups with step-up captcha.
Oh yeah, and we keep long term session tokens if you install the app which you can unlock with Touch/FaceID... after you login with your password the first time.