3 comments

[ 4.3 ms ] story [ 20.3 ms ] thread
Passwords are a near perfect form of security for a relatively small group of people who have good cognitive function, discipline and intrinsic motive to remain secure. For those who need real security and elect to make things difficult by using 30+ character pass-phrases, and never using password managers, "something you know" will be around for a long, long time.

The "something you have" and "something you are" (biometrics) peddlers are selling to a different market. They are selling to those who enforce security upon other people (domesticated users who need convenience) and want a cheap low maintenance solution.

> After years of tantalizing hints that a passwordless future is just around the corner, you're probably still not feeling any closer to that digital unshackling.

"Unshackling" is an interesting choice of word to use in support of a system which forces you to carry around a device, perhaps physically attached to your wrist, which sites can identify the make and model of using a DRM-like system to ensure you have bought it from an approved whitelisted vendor.[0]

> The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device’s biometric or passcode lock.

So instead of supporting half a dozen whitelisted vendors, the new idea is to become dependent on just three large US-based operating system vendors (Microsoft, Apple, and Google), who will lock up all your keys and make it awkward to switch to a competitor. However, they won't be able to help you at all unless you let them scan your forehead or your right hand, and keep an encrypted record of those digital biometrics. Just make sure you check what the Terms of Service updates say, and read the National Security Letters that those companies are sent.

[0] https://research.kudelskisecurity.com/2020/02/12/fido2-deep-...