While I would rather use a password manager myself to keep accounts separate and not reliant on a single big tech account, I’m sure your average user would love the convenience of this and its overall security benefit would be a positive
The villain is locked in in a room which requires a retinal scan from the guard to leave. So he proceeds to stab the eye globe of the guard with a pen to be able to unlock the door.
As such I tend to prefer cloneable credentials. Everything that is unique (cellphone, ...) would imply that access credentials could be stolen (as in, actually stolen, not copied), which could imply the threat of violence to succeed.
I would much rather someone attempt to steal my phone irl, as opposed to someone on the other side of the globe cloning my method of accessing my accounts without me even being aware until it's too late.
To clarify, this wasn't meant as an attempt at a "tough guy" acting. If someone tries to coerce my phone out of me irl by threats of violence, they will get the phone. But this being done irl at least has much easier path to being able to trace the criminal, actually prosecute them, and to minimize the damage to my accounts.
Not even mentioning that it is much more risky for them to attempt, given it would have to be done somewhere around a public place with other people and law enforcement around. Meanwhile, some guy from an eastern european country cloning my access credentials to compromise my accounts will almost certainly never be traced, and 100% won't get prosecuted (and that's on top of me not being able to be aware of that happening until after the fact).
It's much more likely for the average user to forget their password than have their account banned deliberately. This would, overall, reduce friction when logging in.
As far as I can tell this doesn't actually require a "big tech account".
I am imagining this working like OTPs that are generated on phones. The actual standard will be open and the implementations do not require a specific platform or any kind of "account", but most people will run it on their phone with Android or IOS because it's handy for them.
I also don't think it's going to require running on a phone, just like OTPs. I can generate OTPs for 2FA purposes on my desktop system running Linux and it works great!
If it does end up working like that, I think it's a great idea.
It doesn't require one from a technical perspective as you've pointed out, but every business incentive is to lock people in to accounts. It makes it easy to collect data on the users, to enforce payment by locking accounts, etc.
I too prefer offline-first tools, but the market doesn't, and people are trained to sign up with an email account and password so for the masses "this is just how it is".
I don't want to be a pessimist, but examples of user respecting systems are mainly commonplace in certain corners of the highly technical FLOSS world, it's certainly not the experience of the average person.
The problem isn't folks like us that use password managers. The problem is all the other folks that have the same 8 character password they reuse across all their services.
Regular people also have their phones stolen, lost, damaged or bricked on a regular basis. I suspect passwords will remain as a backup mechanism for a while.
Also funnily enough most recovery mechanisms are tied to that same phone... And then what happens when they don't update their device every 2 years like good consumers and there is some massive vulnerability...
I understand that passwordless auth is better UX. But it seems like a step backwards in security from two factor authentication. Why are all these major players pushing passwordless auth but not allowing a password in conjunction with a FIDO2 token? I feel like I’m missing some important detail.
So does this system not require that I set a password for my account?
Everything I have read about this approach seems to imply that passwords are still used, only perhaps not as often.
For instance, there's this quote from the article:
"Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password."
Yes, of course this protocol can't somehow prevent sites from having a password (as a last ditch backup, or for any other reason) but it's intended to be used without passwords and, if you choose and have a more capable device, even without usernames.
Well, I hope you're right that passwords are essentially remnants of previous authentication schemes and not something implicitly required by this new scheme.
I could see us ending up in a world where we need a password to access the device on which the key is stored and more passwords for account recovery and access to key backups.
Once you use them as the gatekeeper for auth ans identity, it becomes that much harder to delete that Facebook or switch phone brands. Not to mention much deeper insight into your activity everywhere.
The missing important details: for reasons I do not completely understand, FIDO uses very non-obvious definitions of the words password and PIN. To them a password is a text string provided to an online service for authentication purposes and a PIN is a text string provided to a physically near hardware device to authenticate to that hardware device, after which that hardware device can sign challenges that can be used to authenticate to an online service. When they talk about passwordless they are not precluding the use of a PIN. The PIN gets you your second factor without being stored on a bunch of different services, and with hardware assisted protection from exfiltration and brute force cracking.
Relying parties (aka online services using FIDO protocols) have a lot of freedom to define exactly how restrictive they want to be by making choices about which devices they accept. Through choosing which devices they accept they can choose to require any combination of token, PIN, biometric, and password.
>Relying parties (aka online services using FIDO protocols) have a lot of freedom to define exactly how restrictive they want to be by making choices about which devices they accept.
Then don't provide the attestation. No sites I've used (Facebook, GitHub, login.gov, Google, and so on) require attestation. It's unfortunate that the WebAuthn standard requires it be possible for them to ask, but you can just say "No" and I do.
For anything consumer facing (vs employee/contractor facing), the expectation is that a relying party site accepts everything, or supports a set with a clear industry-defined set of limitations (e.g. must have gone through certification and achieved a certain level such that they meet our security regulations).
The set of limitations which you can set during an authentication request are pretty minimal, on purpose - so you will typically have more prompts and more user errors if you decide to try and limit consumer choice.
Other than that, the expectation is that you do not block end users if they e.g. are using one vendor or the other. You may still ask them to perform additional authentication steps, but the goal is that people do not get conflicting requirements across relying parties that leads them to have to carry a key ring of different vendor USB authenticators in order to be able to do their business.
This is one of those ideas which is completely the opposite of the way I want to do things, but which will probably gain enough traction that I'll be forced to accommodate it after several years of frustration, grumbling, and workarounds.
I can see that perspective, but I don't think that will happen. Companies jump at any chance to steal each others customers, so the necessity threshold has to be very high for something like this to be adopted across the board.
I feel this approach has the potential to increase the number of successful attacks. According to the article, users would merely need to unlock their phones to complete the sign-in process.
Most people tend to automatically unlock their phones without a second thought.
Wonder what these means for those folks who find smartphones too confusing and difficult to use. I have a couple of friends in their late 70's who simply can't use them; I fear they will be left behind.
To some extent, they are probably already being left behind; it’s just that it’s a more gradual thing than if smartphone becomes a hard blocker to a something that’s essential in life.
When I first heard about FICO, I thought I'd be a standard that a password manager can take advantage of, where they can identify me using my phone, then autofill my credentials. Maybe not very practical. But when I learned that the purpose of FICO was to replace passwords and rely on a tech giant to allow/deny me access to my online accounts, I was disappointed. No thank you.
I'd be a bit worried about this from a digital hygiene standpoint: the default device for storing your passkey will be your phone, and every unlock is temptation to get sucked into the world of notifications and social apps.
It's really, really bad digital hygeine to use social media apps – anything with "doom scrolling" – on the phone at all. I don't think most people agree with that, but if you eliminate all such things on your phone, it can be no problem to open a phone and use it.
I don't check email on my phone, unless I absolutely have to. I don't have any social media on it except for signal. I don't open the web browser. My phone is mostly used for maps, reading books, and video chatting.
I look forward to a world where people genuinely view social apps and related addictive software the way we do harmful drugs. Something to be avoided, and if you can't avoid them, there should be pressure to seek help.
I simply won’t use any service that requires a phone and doesn’t allow other options. I am opposed to a future in which phones are a necessity of life rather than merely a convenience.
And to the people who say “but desktops/laptops are already a necessity of life” - yes, and that’s a problem. We need to be actively thinking of ways to roll things back, rather than allowing technology to become more and more integrated into life.
That's true today if you use a password manager, no? And it's true of any site that uses 2FA (unless the site supports multiple authenticators and you have a backup token).
The better analogy if your driver’s license/ID it passport.
If you leave these, you likely can’t travel or be admitted into specific establishments, etc.
Ever since I somehow managed to lose my driver's license between the private car that dropped me off at the airport and the door to the airport, I always use another government ID I don't actually need for anything (Global Entry) while going through security.
I also usually carry my passport as a backup though that probably won't work if I need to rent car--and on that particular trip it was a last minute overnighter so I didn't throw in my backup documents and cards folder. It took me about half an hour to convince the hotel to let me check in.
In general, I hate traveling with things that you really can't afford to lose and can only mitigate against loss to some degree.
Identification systems on computers are already abused to extremes. There is no way a putting a identifiction system inside your body is not going to result in tremendous abuses on the long run, with much more terrible social consequences since it will be linked to individuals and hard to disable or remove.
The simple fact there no guaranty of safety that can be made about such a system despite its obvious consequences about tracking, power and control should alone be a red flag.
When I read such a comment, I can't help but think school should make kids read more science fiction. Many authors covered why something like this is a dangerous idea.
I'd go even farther, but I would reach the Goodwin point.
But it's always possible to get a new passport, even if you've lost every other type of identification. What happens if I loose my Yubikey and all of my backup codes?
It so happens that I have a great solution to this tough problem, which has served me well for years.
I have a password manager, protected by a strong, unique, randomly-generated master password that I took the time to commit to memory. I cannot ever loose this password, and as long as I have it, I can get into my vault. As long as I can get into my vault, I have access to my other passwords.
An increasing number of web services have decided this is insecure, and are forcing me to use secondary devices in order to authenticate myself. This does very little to increase my security, while putting me at risk of getting locked out of essential resources.
I'm all for alternate options, but please don't take this setup away from me!
Sorry, that may have been poorly worded. I wanted to preempt the objection of “well, you say you don’t want to be dependent on smartphones, but then you’ll just be dependent on some other type of computer”. I wanted to make it clear that the problem is about rethinking our relationship with computing in general, not just with smartphones.
The article does not fully explain it, but the proposal is about using FIDO to sign in to services. The article simplifies this as signing in by unlocking your phone, but that is just one way to do FIDO (and possibly the most common way). If you prefer not to use your phone, you can also use a YubiKey or similar on your desktop/laptop; pushing FIDO as a standard would probably make it possible to use a YubiKey with much more services than today!
FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password). Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.
Having something you know (a password) is more secure because something in your memory that you don't share can't be taken from you by any means. Passwords aren't perfect (you can be tricked into sharing it, or tortured into giving it up) but there are solutions for being forced to hand over a password, and neither tokens or biometrics solve the problem of people being tricked.
No one can murder you in an alley, and drag your lifeless corpse to an ATM and clean out your bank account because the murderers have your face, and fingerprints, even your cell phone, but not your pin. Good security should always require a secret that you know.
Not having a password would be fine for logging into low risk sites like this website, where at worst someone might get your account banned or post comments under your username, but any site or transaction where the risk is greater should just always require a password.
Preface: I've been busy as shit this week and haven't really read up on FIDO. I don't know that I have a position on it yet.
> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.
Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.
A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.
I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security
> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager).
Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.
I stand corrected on some of my phrasing, thank you for the correction. However...
>Services do not need a copy to validate your password, and should never store one.
"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.
Users don’t know how a site implements FIDO either.
With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.
All authentication schemes offer benefits only if implemented correctly.
> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.
True, and better security systems take advantage of that by combing all three.
For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.
As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.
> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.
> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).
Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.
"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. Its better than passwords in terms of being easier.
Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.
True, but then you're basically back to having passwords. Weak ones even (assuming a 4 digit pin).
Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.
FIDO is quite old, and a huuuuuuuge upgrade over a password based system in terms of both security and in terms of user convenience.
It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that is has rolled out to slowly, not that it is in any way inferior to our horrendously insecure web dozens of accounts secured by a weak human memorizable password, or worse reused passwords.
>FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password).
Not necessarily. The specific implementation being talked about in the article is to use your phone as your FIDO device, and your phone has to be unlocked. So the "something you have" is your phone, and to unlock it, you can either use "something you are" (biometrics via face ID or fingerprint), or you can have a PIN/password on your phone to make it "something you know".
I wouldn't be surprised (and I would hope) that the FIDO app or feature on phones would also come with the ability to restrict it via PIN/password even if your phone unlocks via biometric.
I agree there are implementations that would be more secure, but they'd still require a password (even a weak version of one via 4 digit pin) and at that point we might as well just unlock our phones and click on the icon for a password manager.
The dream of a life without passwords sounds great, but I don't think FIDO can get us there and if it can't, we have to think about whether or not the extra convenience we can get from FIDO is worth what it would cost us in terms of all the data and control we'd be handing over to 3rd parties.
If there is an article that explains what's different about passkey under the hood, I've yet to find it. That's not entirely surprising as it's brand new. Still it's mighty frustrating when google searches just page after page of re-writes of fido/google/microsoft press releases, all saying little more than "hey! passkey replaced passwords (and it somehow involves phones and bluetooth)".
Yes, I know uses FIDO under the hood. But the there are very few ELIA5's for FIDO either. One's that start with "It starts with a super secret private key the FIDO device creates and never leaves the device, so no one ever can learn it. In fact, the security and cost effectiveness of the system rests on the fact that it's near impossible to extract that secret from a piece of cheap silicon. The system works because it's possible for the device to prove it knows that one thing only it could know, without ever revelling what the secret is. ..." From there it goes on to explain the techniques use to ensure despite using the same secret for every server, no two servers (from different domains) will know the same key was used to log into each. And on it goes with mutal auth, and immunity to MITM attacks and on and on. Now I think about it, maybe 5 is a little too young.
Then people say disturbing things about Passkey, like https://www.hanko.io/blog/on-passkeys : "Passkeys = (synced) WebAuthn credentials". Hang on. Is that saying this super secret key never escaped the FIDO token is now synced???
And were is this super secret key stored on the phone? Storing it in a hardware token that receive a backdoor'ed firmware upgrade is one thing. Storing it in a device that accepts firmware upgrades, when governments such as Australia's have passed laws allowing them to compel manufacturers to backdoor firmware upgrades is quite another. But storing that secret on an Android or iOS phone, that are so complex they have proved impossible to make them secure, which we know because many can still be root'ed today - surely that's insanity?
But who knows maybe that's all been thought of and mitigated. Given Google's involvement, that almost seems likely. But you could never learn if it was true from dumbed down to the point of uselessness "hey! we've invented (ye another) replacement for passwords" press releases I've seen so far.
> “but desktops/laptops are already a necessity of life”
No they're not! You need either a desktop or a laptop or a tablet or a smartphone, but you don't need more than one.
I'm okay living in a world where everyone needs access to some type of computer, in the same way that everyone probably needs access to some type of writing utensil. However, people should be able to choose the form factor that lets them live their best life.
This is not a form factor result, it's a result of a function.
If you want to have internet access without being near internet AP, you have to accept surveillance. This applies equally to phone, or tablet with SIM card, or laptop with external 3G modem.
If you are OK with only accessing internet in specific location, you can turn off cell subsystem in your phone -- this functionality is present in every phone I have seen.
(Same applies to bluetooth, wifi and other ways to track device remotely)
Mobile phones could be open systems like PCs are. But they aren't. So we should oppose this movement to use phones for everything until the situation changes.
Not to mention that old people is suffering (at least here in Spain) a lot because services push everyone into apps etc.
I cancelled my fathers bank account for this very reason and moved him to a credit union. It was painful but their customer support was so awful that it was worth it.
The last straw was that they told him he couldn't do a money transfer from his local office but he had to use a mobile app. He called me to help him with that. That got me angry.
I agree. However, phones are also uniquely addictive, which IMO is a strong case for dropping them if they interfere with your life. We should at least make sure it is possible to drop them.
(I don't love using the word "addictive" here because phones are not chemically addictive, but any other term makes the point less clear.)
> If you want to have internet access without being near internet AP, you have to accept surveillance. This applies equally to phone, or tablet with SIM card, or laptop with external 3G modem.
That is true in practice, but not true in theory. There are urban WiFi networks that already operate without spying on the users. Nothing prevents mobile networks from being applied in the same way on a technical level.
In fact when you're using a mobile network, you are near an internet AP in the form of a cell tower. Taking 5G NR, you even have to be nearer to it than you would be to your WiFi AP.
Surveillance is not a result of form factor or function, it's a result of social organization.
I'm sure plenty of people would have appreciated never having to learn to read to fill out paper forms in the past either.
This has gone off on a weird tangent; the article is about how a new standard can greatly simplify account passwords, the very hardest and frustrating thing about modern life on the web.
Changing that into "we shouldn't have any rich if we don't want to" is a strange reaction to making tech more accessible. But perhaps if one wants to eliminate tech from people's lives then making tech as bad and painful as possible might be one way to do that; but it seems like a foolish way to pursue that goal.
> Changing that into "we shouldn't have any rich if we don't want to" is a strange reaction to making tech more accessible.
I am 100% in favor of giving people the option to log in with their phone instead of a password, if they want to. If that's all the article meant, I stand corrected.
But, I got the impression that the people quoted in the article were working to eventually remove passwords as a method of authentication. That's not cool, because it requires users to have a secondary device.
I don't think my impression was entirely unreasonable, because we're already seeing it in the number of websites forcing users to set up two factor authentication. Note that many of these so-called "two-factor" solutions allow the user to reset their password using only their phone (which is what really makes SIM-swapping such a problem), which means your password is effectively optional, but a phone is required.
I grew up without any of this mobile or home computing technology, and I don't see anything essential today that I cannot do without it. It's all about convenience.
I strongly disagree. Personal computers are here to stay, and will only become more integrated into daily life due to the conveniences they afford. The fight now isn’t to keep computing out of daily life. Rather, we ought to be fighting to ensure that people have control over the computers in their lives.
There are two ways this ends up:
The future where everyone has to carry around a black box computing device controlled by its manufacturer and the privileged creators of the apps you’ve been allowed or compelled to install on it. The present state of iPads/iPhones and to a lesser extent Android phones make this future feel incredibly close.
But the future where everyone carries around an incredible communication and calculation tool that acts as an agent for them and expands every individual’s capabilities feels only just slightly out of reach.
The line dividing the two futures is thin and technical in nature. This leaves us with a tricky situation where most people wouldn’t be able to distinguish which they’re headed towards, or even which they’re living in. All I can do is hope that either legal tides go my way and grant users control over their computers (phones) by force, or that somehow tech literacy rises and people demand control.
I think you need to define personal compute as including mobile phones/tables for that to be true. I've had several even highly technical colleagues with no non-work 'computer' - they use an iPad or whatever, because that's sufficient for their non-work use of one.
I didn’t realize that my usage if the term was unclear, but to clarify: an iPad is a personal computer. A smartphone is a personal computer. Even modern game consoles are personal computers. They’re all general-purpose computers owned by an individual. However, they have software locks placed on them that prevent their owners from controlling them. In the post above when I’m talking about personal computers that we carry around I primarily mean phones. I will update the post to clarify.
I don’t really disagree. I’m not a luddite and I don’t advocate for turning off the internet. Computers are certainly here to stay. It’s an extremely complex issue, and I don’t have all the answers, or even know how to phrase all the questions.
I do think society needs to take a proactive role in deciding how it wants to interact with technology though. There’s a certain laissez faire, almost defeatist attitude that you see from a lot of the tech crowd, that goes something like “technology will do what it does, and it will change our lives how it sees fit, and we are powerless to stop it.” But if that was the case, we couldn’t have gun control laws, or environmental protection laws, or restrictions on nuclear technology. Technology may continue to develop, but it’s still up to us how we choose to use it.
> technology will do what it does, and it will change our lives how it sees fit, and we are powerless to stop it
I too see this attitude from technical people. To be clear: I do not hold it. Like you say, I favor regulation in the vein of gun control, environmental protection, etc. Left alone the tech market will consolidate and rob users of as much power as possible; it is simply the most profitable way of doing business.
To be more specific: I am a proponent of bills like S.2710 - Open App Markets Act (https://www.congress.gov/bill/117th-congress/senate-bill/271...), which among other things requires operating systems to "... allow and provide readily accessible means for users of that operating system to ... install third-party apps or app stores through means other than its app store". Though I would also want additional provisions, like not allowing OSes to reserve special privileges for first-party or blessed third-party apps, eg iOS restricts third-party apps from running JIT code, preventing browser competition on the platform.
The problem is that people want short term gain and don't see the long term loss.
Regulation won't happen for technology, the government doesn't really have an incentive.
They are already spying on anyone so they don't need anything else.
Gun control regulations are great to make people more reliant on the government and environmental protection laws are great for charging extra taxes; what would a "less technology" regulation accomplish? Nothing, it would be counterproductive.
The government wants you to ping you every phone cell you go nearby to.
There's absolutely nothing technical about this. It's entirely political, there's no technology that needs to be developed for this. All you have to do is create laws (or allow monopolies and cartels to impose "standards") that require people to carry their cellphones at all times. Make physical doorknobs illegal (as a security threat, and lack of accessibility for the disabled.) Done.
You don't even need cellphones. Just issue people hard to forge documentation and set up checkpoints. It's the difference between a fence and a shock collar.
Your dream seems to be to set up the infrastructure for universal command and control, then expect it to choose to regulate itself.
> Your dream seems to be to set up the infrastructure for universal command and control, then expect it to choose to regulate itself.
I don't think I said anything of the sort. Just because something is electronic doesn't mean it's centralized and restrictive. My dream is one where technology is an empowering tool accessible to anyone and I'm all for regulation to prevent monopolies or cartels from imposing self-serving "standards" that block out competitors and force people into walled gardens. You seem mostly concerned about authoritarianism. I propose that so long as users are in control of their computers then computer ownership will have a net-positive impact on general freedom. If users do not control their computers then they will have a net-negative impact on freedom. So the crucial aspect is not whether or not phones/computers become required for daily life, but whether users have control over them.
I applaud that goal, but currently I see no trend pointing in that direction - on the contrary, the rise of highly locked down smartphones and IoT devices has shown to everyone interested just how much control you can take away from users without serious complaints, let alone actions.
Even moreso, there are a growing number of stakeholders and even entire business segments, which require locked-down devices for their activities: The entire business of streaming services only works because they get to place an opaque black box in users' homes and can dictate arbitrary rules and constraints for playback.
The entire app ecosystem is only economically viable because the devices make it impossible (iOS) or really inconvenient (Android) to install apps without paying for them. Also, the devices give the user no way to modify the apps, so developers can implement whatever hostile logic they want and users have to put up with it. The ability to do that is a major appeal locked down platforms have for businesses.
(IMO, the imagination of far too many people in the industry is already running wild with all the kinds of crazy rules, restrictions and "business models" you can implement on locked down devices.)
I think we should reverse this trend and install some actual computer literacy in larger parts of society before we make computers mandatory for everyday life - otherwise, the whole thing will end in a dystopia.
> Reminds me of the US General who, in WW II, insisted cavalry still had a place in warfare. Can’t remember his name.
Cavalry still had a huge role to play in WW2. You didn't ride them into battle (you didn't do that in WW1 either), but they were used for transport. Germany and Russia used 6 million of them.[1]
1 point by TedDoesntTalk 7 minutes ago | root | parent | next | edit | delete [–]
It was Maj Gen John Herr:
"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."
The 10th Mountain Cavalry Reconnaissance Troop of the 10th Mountain Division, while not designated as U.S. Cavalry, conducted the last horse-mounted charge of any Army organization while engaged in Austria in 1945. An impromptu pistol charge by the Third Platoon was carried out when the Troop encountered a machine gun nest in an Italian village/town sometime between 14–23 April 1945.
anyway the point is not to go back to soldiers riding horses, but to not reduce the authentication options, because it also reduces security.
After all we still use keys to unlock doors and not our phones (because it would be stupid)
"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."
...
"even in 1942 he still struggled for the horse, requesting Marshall for "an immediate increase in horse cavalry."
...
"He enforced a formal policy that any increase in mechanized forces must be preceded by a proportional increase in horse cavalry; as a result the 7th Cavalry Brigade remained the only mechanized unit until 1940. Later, he had to admit the rising power of armor, but was just as unwilling to dismount his troops.
After the outbreak of World War II Herr followed the European campaigns through attaché reports that reinforced his belief in superiority of cavalry tactics. His chief of staff Willis D. Crittenberger pre-screened these reports and jotted "cavalry mission" in the margins to attract Herr's attention.[16] Herr's own interpretation of the intelligence was biased in favor of the horse. He believed that the Wehrmacht relied on horses because of German operational doctrine when, in fact, it was a purely economic decision.[6] He wrote that other Western European armies dismissed the horse because of shrinking horse and forage stocks; the American situation, according to Herr was more akin to Poland or the Soviet Union, which still kept sizable horse formations.[15] He assessed blitzkrieg as a "typical cavalry mission" and suggested expanding the 7th Cavalry Brigade along German panzer division standards, under full Cavalry control.[17] The proposal, delivered at the War College in September 1939, was bundled with the demand that new armored units should be formed from scratch rather than converted from horse troops.
In the first half of 1940 Herr embraced the concept of "horse-mechanized formations" and called for expansion of cavalry brigades into divisions. He alienated George Marshall by insisting that mechanization should be an expansion of existing cavalry troops, rather than their replacement.[19] He publicly rallied for more horse units through Cavalry Journal publications,[15] and brought further tension inside his troops by asking each cavalry officer to choose his side: either for horse cavalry, or for mechanization. According to Bruce Palmer Jr., the request forced officers of all grades to "cut their throats professionally": they had to bet their careers on obsolete war technology, or risk immediate repercussions from their Chief."
That purpose wasn't doing pike-and-lance charges into panzer lines. Just like most motorized units, WWI and WWII cavalry didn't fight from horseback - it would use horses to get to where they were going to fight, and dismount to fight.
The Eastern Front had a lot of terrain that was not conductive to wheeled travel.
Cavalry is also far more cost-efficient at hunting down partisans, and terrorizing civilians. It doesn't need petrol, you can just steal horsefeed directly from the people you are occupying.
Not so much by the US Army; perhaps by other armies. See my sibling comments about Maj Gen John Herr who was side-lined then forced into retirement because of his views of cavalry during WW 2.
First thing that comes to my mind is “What happens if your phone is suddenly dead”? Will this FIDO alliance guarantee alternative means of access or that they will send someone down to your house to identify you positively and restore access to your online mail and documents?
The problem is not with the technology itself. The problem is that technology is increasingly trying to control you and not vice versa. Humans are becoming slaves of a system, that has only "profits" in its mind.
Of course, you already are if you use a password manager. (ADDED: As noted elsewhere, password managers can also be accessed from other devices so not the same.)
I agree with your basic point though. Smartphones are the default for doing more and more things. And when traveling, I try to have reasonably backups for maps, itineraries, etc. But I'm hardly religious about it and my phone breaking or getting lost/stolen when traveling would be a major hassle.
I don't understand why so many websites insist on using valid email/phone and password at the same time.
Just implement login via email/sms and that's about it.
Now when it comes to this "phone" authentication, I'm not sure that I like this idea. I have good control over my phone number. I have good control over my domain and email (that's not true for most users, but they have the option). But making all my digital life depending on Apple or Google: that I don't like.
I am really concerned about people with disabilities with this approach, if it becomes the main way to log in, and the options are there but super painful to set. In fact, all the minorities that for some reason or another can’t or it’s too hard to use a touchscreen smartphone.
I quite like the "phone as hardware token" via Webauthn as 2FA.
However, I've never used "Sign in with Google" and the likes because I don't want all the sites I'm using to get my "real" email address.
So I really hope Google et. al. will offer some kind of email address cloaking like Apple do with their private relay stuff.
Knowing Google, they sure as heck won't, though.
It's depends on the site that uses OpenID Connect federated sign-in if they ask for your email address from the identity provider.
An application/site can optionally request the "email" scope during OpenID Connect sign-in, but if it is not requested (only the "openid" scope instead) then the provider must not return an email address in the ID token, or an OAuth access token which is authorized for an API method which returns the user's email address (OpenID Connect Core 1.0 section 5.4 - "Requesting Claims using Scope Values").
I didn't know the details about different scopes and had always assumed the sites would obtain at least the name and email address, because all I ever saw was the prompt "To continue, Google will share your name, email address, language preference, and profile picture with <site>."
Cell phones cannot be secured or trusted. You have no access to secure them either. Using them for anything private is already a terrible idea. This is just one more way for companies to take more of your data and insert themselves as a middleman in another aspect of your life that they can then control. A "feature" like this will only put your security at greater risk.
Not true. Depending on your OS (sorry Windows users) your OS isn't collecting your personal data at every opportunity, and hopefully doesn't allow 3rd parties to push code to your devices without notice to you about what's been changed, and without any option for you to opt out of those changes.
You must have zero trust in a device where 3rd parties have full access to change whatever they want at any time and for any reason without your knowledge or consent. That's not happening for the linux server in my closet. It's probably happening for the windows 10 system in the living room, and it's absolutely the case for the phone next to me.
The same things that make your privacy vulnerable make your devices vulnerable.
It's currently impossible to secure a consumer cell phone. They were explicitly designed to collect and leak your data. When 3rd parties have access to all your data you can't secure it. When 3rd parties can push code to your device without any notice to you, at some point a bad actor will do the same. If you aren't allowed to see what your device is doing you can't see when it's being used by an attacker. If you don't even have permissions to the most important parts of your own hardware/software you can't do anything about it once you are compromised.
Cell phones are not private and they aren't secure and that makes them the worst kind of device you could insist on people using to replace their passwords.
You are concluding things from a false premise. Just because mobile phones are not zero trust devices (note that there is no such thing anywhere!) doesn’t mean they are not secure against malware. While iphones have a really good security and privacy story, I may get that with sufficient tinfoil hat-layers one might choose not to trust apple (though the only target vector would be a deliberate malware created and pushed by apple itself)
But there is also the Graphene project which runs on the Pixel phones, where you have complete control over the software. But the hardware will always be somewhat proprietary so you can’t have complete trust in that either. (And no, pinephone and alia just put closed firmware into the hardware not even allowing updating it, which is strictly worse than having it patchable)
Nonetheless, both of these options are orders of magnitudes safer than desktop OSs, as per my original statement.
No they're not. And if you're going to assert something (especially something that absurd) you should at least justify it with an argument.
I'm sure you're thinking something along the lines of "Android has an SELinux sandbox that prompts for permissions." You can run this on normal desktop Linux too though (I forget the command, it's a python script in the SELinux tools (or so) repo.) No one bothers because the distro repos are relatively free of malware and installing non-free software requires a small amount of understanding. This is, of course, considered "bad UX" for non-free software but that is in practice where most of the malware comes from on other OSes. (On Linux most f it comes from sloppy language specific package managers with a free-for-all mentality like node.js or PyPi but no amount of OS design can fix stupid devs without making their work impossible.)
SELinux is not a sandbox, and is just one part of the picture. Android also runs every app under a different user — and that is where SELinux can properly uphold its security barriers. Most linux distros even if they have SELinux enabled (e.g. Fedora) will run every user process under your user and UNIX’s default permissions are pretty much useless. So it is only security improvement for services.
You running npm install can potentially delete everything in your home directory, but a buggy application (even if opensource and made with good intention) can be exploited by evil data just as well. Just because your, say, PDF reader is open source it can be used to exploit your computer with an evil pdf file. So yes, linux desktops are orders of magnitude less safe than either Android or ios.
I have literally had financial institutions reject my password for being "too long" or containing "wrong special characters".
Quite recently, my bank site was having a fit and I couldn't log in, with only cryptic errors. The first line of help didn't understand a thing and wrote back to IT to find out more. Apparently if you don't hand type / PW manager autotype your password, you are a hacker now; they are actively hostile towards PW managers. Great yet incomprehensible way to push people towards bad passwords. This was at a small bank that uses third party software, also used at another small bank I use. So it will have propagated to who knows where overnight.
Now we want to get rid of passwords altogether, so phishing is a simple as [remotely] watching someone distracted unlocking their phone in the coffee shop, and there is a good chance you can get them to swipe right when they should go left. Idiocracy.
I need to get past the press releases and read up, but is this using my phone to authenticate to an IDp (ie google) who then oks me with the relying party (example.com) or am I directly signing up with example.com (ie my phone has a key pair in its secure enclave for google only, for for hundreds of sites I visit
(from memory this will need much bigger storage in the secure enclaves - thousands of accounts is quite feasible)
You sign up directly with the relying party and are authenticating to a hardware device which then OKs you to the relying party. Each relying party gets a different public key. The corresponding private keys can be stored inside the secure enclave (this setup is called resident keys), or they can be stored in a "key handle" that the relying party stores and provides every time you attempt a login. The key handle would contain the service-specific private key encrypted with a key held inside the secure enclave.
I can only speak for myself and my own personal preferences but I will not do business with anyone that requires this. I've been cutting ties with businesses that have intrusive practices. I have also been migrating to a bank that gave me the option to make everything online read-only. The only remaining business is Amazon but I have recently found a local business that will drive into a big city once a week to transport items from big box stores so maybe I can nix Amazon at some point. I am in a very remote area. My personal goal is to reach a point where I can power off my flip phone and leave it in a drawer for months at a time.
Individual migration is a very temporary solution.
When the bank you just migrated to becomes a bit bigger -- it's the next target. Or some new law like digital ID's / one world currency make the migration irrelevant.
You could be right but in my specific use case the bank I moved to will quite intentionally remain small. It serves a specific small community and has no intention to grow outside of this community. If that changes some day I will move again. Moving banks is simple. This community will not comply with digital currency laws and we would make our own mesh networks. The hardware and fiber is already in place to do so.
At least in the US, the 5th amendment protects against revealing our passwords to the government (and we can always go with "I forgot what it was"). I don't believe the same is true for biometrics and such, is it?
The main problem I see (based on the screenshot in the article) is that it still allows the attacker to initiate the auth flow from the outside, and the clueless user would in doubt just unlock for them. I don't see how the proposed scheme would prevent this phishing attack. It seems to be worse than the SMS 2FA part where one would at least have to enter the SMS code into some suspicious website.
My method of choice would rather have been what is established now for 2FA with time-based one-time passwords (TOTP). Here the attacker can't initiate the auth flow from the outside.
I think that for the cases where you're authenticating on one device in order to allow access on another device, this is done by bluetooth communication between the devices, and as a result you have to be within bluetooth range of the auth device to initiate the auth flow.
I'm already in the auth approval hell working as consultant with multiple separate corporate customer and all the 2fa authentications needed in my daily activities. Including fun broken flows that mean I get notification that I don't even need, because I need to use different account...
In the end this likely only leads to training people to automatically approve anything as every little piece of software on their machines needs approval once a day or more often at worst...
The issue with any FOSS solution is that FIDO requires an attestation private key, which must be shared between a batch of at least 100,000 security keys. Using a DIY or cli app solution (application running on the host) will likely mean you'll be generating that private key yourself, this makes you identifiable across registrations.
Some sites (Cloudflare) may reject the use of attestation keys which are not found on the Fido Alliance Metadata Service. This precludes the use of any DIY solution.
325 comments
[ 3.4 ms ] story [ 265 ms ] threadDid you see Demolition Man? What do you think about the beginning?
As such I tend to prefer cloneable credentials. Everything that is unique (cellphone, ...) would imply that access credentials could be stolen (as in, actually stolen, not copied), which could imply the threat of violence to succeed.
To clarify, this wasn't meant as an attempt at a "tough guy" acting. If someone tries to coerce my phone out of me irl by threats of violence, they will get the phone. But this being done irl at least has much easier path to being able to trace the criminal, actually prosecute them, and to minimize the damage to my accounts.
Not even mentioning that it is much more risky for them to attempt, given it would have to be done somewhere around a public place with other people and law enforcement around. Meanwhile, some guy from an eastern european country cloning my access credentials to compromise my accounts will almost certainly never be traced, and 100% won't get prosecuted (and that's on top of me not being able to be aware of that happening until after the fact).
And those big tech companies are free to lock you out from your account for no reason with no recourse.
I am imagining this working like OTPs that are generated on phones. The actual standard will be open and the implementations do not require a specific platform or any kind of "account", but most people will run it on their phone with Android or IOS because it's handy for them.
I also don't think it's going to require running on a phone, just like OTPs. I can generate OTPs for 2FA purposes on my desktop system running Linux and it works great!
If it does end up working like that, I think it's a great idea.
I too prefer offline-first tools, but the market doesn't, and people are trained to sign up with an email account and password so for the masses "this is just how it is".
I don't want to be a pessimist, but examples of user respecting systems are mainly commonplace in certain corners of the highly technical FLOSS world, it's certainly not the experience of the average person.
TOTP being a notable exception.
Just let Password Managers do their job easily.
There's an easy way to make passwords usable only by people with password managers: instead of letting the user set a password, generate it for them.
Everything I have read about this approach seems to imply that passwords are still used, only perhaps not as often.
For instance, there's this quote from the article:
"Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password."
I could see us ending up in a world where we need a password to access the device on which the key is stored and more passwords for account recovery and access to key backups.
I still use a flip phone and don't want apps. I want a phone only.
Relying parties (aka online services using FIDO protocols) have a lot of freedom to define exactly how restrictive they want to be by making choices about which devices they accept. Through choosing which devices they accept they can choose to require any combination of token, PIN, biometric, and password.
This, in my view, is the problem with FIDO.
They shouldn't be able to make that choice.
For anything consumer facing (vs employee/contractor facing), the expectation is that a relying party site accepts everything, or supports a set with a clear industry-defined set of limitations (e.g. must have gone through certification and achieved a certain level such that they meet our security regulations).
The set of limitations which you can set during an authentication request are pretty minimal, on purpose - so you will typically have more prompts and more user errors if you decide to try and limit consumer choice.
Other than that, the expectation is that you do not block end users if they e.g. are using one vendor or the other. You may still ask them to perform additional authentication steps, but the goal is that people do not get conflicting requirements across relying parties that leads them to have to carry a key ring of different vendor USB authenticators in order to be able to do their business.
Most people tend to automatically unlock their phones without a second thought.
Next year: EU government force big tech phone OS manufacturers to enable identity portability
FIDO2 is an open standard, you can use security keys or TPMs or whatever you want.
Fortunately it looks like security keys such as https://cloud.google.com/titan-security-key can be used instead.
I don't check email on my phone, unless I absolutely have to. I don't have any social media on it except for signal. I don't open the web browser. My phone is mostly used for maps, reading books, and video chatting.
I look forward to a world where people genuinely view social apps and related addictive software the way we do harmful drugs. Something to be avoided, and if you can't avoid them, there should be pressure to seek help.
And to the people who say “but desktops/laptops are already a necessity of life” - yes, and that’s a problem. We need to be actively thinking of ways to roll things back, rather than allowing technology to become more and more integrated into life.
I also usually carry my passport as a backup though that probably won't work if I need to rent car--and on that particular trip it was a last minute overnighter so I didn't throw in my backup documents and cards folder. It took me about half an hour to convince the hotel to let me check in.
In general, I hate traveling with things that you really can't afford to lose and can only mitigate against loss to some degree.
This could be resolved using a FIDO enabled NFC sub-dermal implant.
The simple fact there no guaranty of safety that can be made about such a system despite its obvious consequences about tracking, power and control should alone be a red flag.
When I read such a comment, I can't help but think school should make kids read more science fiction. Many authors covered why something like this is a dangerous idea.
I'd go even farther, but I would reach the Goodwin point.
I have a password manager, protected by a strong, unique, randomly-generated master password that I took the time to commit to memory. I cannot ever loose this password, and as long as I have it, I can get into my vault. As long as I can get into my vault, I have access to my other passwords.
An increasing number of web services have decided this is insecure, and are forcing me to use secondary devices in order to authenticate myself. This does very little to increase my security, while putting me at risk of getting locked out of essential resources.
I'm all for alternate options, but please don't take this setup away from me!
Having something you know (a password) is more secure because something in your memory that you don't share can't be taken from you by any means. Passwords aren't perfect (you can be tricked into sharing it, or tortured into giving it up) but there are solutions for being forced to hand over a password, and neither tokens or biometrics solve the problem of people being tricked.
No one can murder you in an alley, and drag your lifeless corpse to an ATM and clean out your bank account because the murderers have your face, and fingerprints, even your cell phone, but not your pin. Good security should always require a secret that you know.
Not having a password would be fine for logging into low risk sites like this website, where at worst someone might get your account banned or post comments under your username, but any site or transaction where the risk is greater should just always require a password.
> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.
Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.
A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.
I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.
>Services do not need a copy to validate your password, and should never store one.
"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.
With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.
All authentication schemes offer benefits only if implemented correctly.
True, and better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.
As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.
> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.
As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.
Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.
Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.
Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.
It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that is has rolled out to slowly, not that it is in any way inferior to our horrendously insecure web dozens of accounts secured by a weak human memorizable password, or worse reused passwords.
Not necessarily. The specific implementation being talked about in the article is to use your phone as your FIDO device, and your phone has to be unlocked. So the "something you have" is your phone, and to unlock it, you can either use "something you are" (biometrics via face ID or fingerprint), or you can have a PIN/password on your phone to make it "something you know".
I wouldn't be surprised (and I would hope) that the FIDO app or feature on phones would also come with the ability to restrict it via PIN/password even if your phone unlocks via biometric.
The dream of a life without passwords sounds great, but I don't think FIDO can get us there and if it can't, we have to think about whether or not the extra convenience we can get from FIDO is worth what it would cost us in terms of all the data and control we'd be handing over to 3rd parties.
Passwordless is better because you aren’t storing a phishable password on a server.
Yes, I know uses FIDO under the hood. But the there are very few ELIA5's for FIDO either. One's that start with "It starts with a super secret private key the FIDO device creates and never leaves the device, so no one ever can learn it. In fact, the security and cost effectiveness of the system rests on the fact that it's near impossible to extract that secret from a piece of cheap silicon. The system works because it's possible for the device to prove it knows that one thing only it could know, without ever revelling what the secret is. ..." From there it goes on to explain the techniques use to ensure despite using the same secret for every server, no two servers (from different domains) will know the same key was used to log into each. And on it goes with mutal auth, and immunity to MITM attacks and on and on. Now I think about it, maybe 5 is a little too young.
Then people say disturbing things about Passkey, like https://www.hanko.io/blog/on-passkeys : "Passkeys = (synced) WebAuthn credentials". Hang on. Is that saying this super secret key never escaped the FIDO token is now synced???
And were is this super secret key stored on the phone? Storing it in a hardware token that receive a backdoor'ed firmware upgrade is one thing. Storing it in a device that accepts firmware upgrades, when governments such as Australia's have passed laws allowing them to compel manufacturers to backdoor firmware upgrades is quite another. But storing that secret on an Android or iOS phone, that are so complex they have proved impossible to make them secure, which we know because many can still be root'ed today - surely that's insanity?
But who knows maybe that's all been thought of and mitigated. Given Google's involvement, that almost seems likely. But you could never learn if it was true from dumbed down to the point of uselessness "hey! we've invented (ye another) replacement for passwords" press releases I've seen so far.
No they're not! You need either a desktop or a laptop or a tablet or a smartphone, but you don't need more than one.
I'm okay living in a world where everyone needs access to some type of computer, in the same way that everyone probably needs access to some type of writing utensil. However, people should be able to choose the form factor that lets them live their best life.
Especially when one particular form factor leads to surveillance of your location.
This is not a form factor result, it's a result of a function.
If you want to have internet access without being near internet AP, you have to accept surveillance. This applies equally to phone, or tablet with SIM card, or laptop with external 3G modem.
If you are OK with only accessing internet in specific location, you can turn off cell subsystem in your phone -- this functionality is present in every phone I have seen.
(Same applies to bluetooth, wifi and other ways to track device remotely)
Not to mention that old people is suffering (at least here in Spain) a lot because services push everyone into apps etc.
I cancelled my fathers bank account for this very reason and moved him to a credit union. It was painful but their customer support was so awful that it was worth it.
The last straw was that they told him he couldn't do a money transfer from his local office but he had to use a mobile app. He called me to help him with that. That got me angry.
(I don't love using the word "addictive" here because phones are not chemically addictive, but any other term makes the point less clear.)
That is true in practice, but not true in theory. There are urban WiFi networks that already operate without spying on the users. Nothing prevents mobile networks from being applied in the same way on a technical level.
In fact when you're using a mobile network, you are near an internet AP in the form of a cell tower. Taking 5G NR, you even have to be nearer to it than you would be to your WiFi AP.
Surveillance is not a result of form factor or function, it's a result of social organization.
Some people don't want any technology at all. What happens to them in your future?
That's a shame. They must get very cold in the winter without the ability to build a fire.
This has gone off on a weird tangent; the article is about how a new standard can greatly simplify account passwords, the very hardest and frustrating thing about modern life on the web.
Changing that into "we shouldn't have any rich if we don't want to" is a strange reaction to making tech more accessible. But perhaps if one wants to eliminate tech from people's lives then making tech as bad and painful as possible might be one way to do that; but it seems like a foolish way to pursue that goal.
I am 100% in favor of giving people the option to log in with their phone instead of a password, if they want to. If that's all the article meant, I stand corrected.
But, I got the impression that the people quoted in the article were working to eventually remove passwords as a method of authentication. That's not cool, because it requires users to have a secondary device.
I don't think my impression was entirely unreasonable, because we're already seeing it in the number of websites forcing users to set up two factor authentication. Note that many of these so-called "two-factor" solutions allow the user to reset their password using only their phone (which is what really makes SIM-swapping such a problem), which means your password is effectively optional, but a phone is required.
I grew up without any of this mobile or home computing technology, and I don't see anything essential today that I cannot do without it. It's all about convenience.
I basically need to port this number to a cheaper carrier and cover the cost…forever
There are two ways this ends up:
The future where everyone has to carry around a black box computing device controlled by its manufacturer and the privileged creators of the apps you’ve been allowed or compelled to install on it. The present state of iPads/iPhones and to a lesser extent Android phones make this future feel incredibly close.
But the future where everyone carries around an incredible communication and calculation tool that acts as an agent for them and expands every individual’s capabilities feels only just slightly out of reach.
The line dividing the two futures is thin and technical in nature. This leaves us with a tricky situation where most people wouldn’t be able to distinguish which they’re headed towards, or even which they’re living in. All I can do is hope that either legal tides go my way and grant users control over their computers (phones) by force, or that somehow tech literacy rises and people demand control.
I do think society needs to take a proactive role in deciding how it wants to interact with technology though. There’s a certain laissez faire, almost defeatist attitude that you see from a lot of the tech crowd, that goes something like “technology will do what it does, and it will change our lives how it sees fit, and we are powerless to stop it.” But if that was the case, we couldn’t have gun control laws, or environmental protection laws, or restrictions on nuclear technology. Technology may continue to develop, but it’s still up to us how we choose to use it.
I too see this attitude from technical people. To be clear: I do not hold it. Like you say, I favor regulation in the vein of gun control, environmental protection, etc. Left alone the tech market will consolidate and rob users of as much power as possible; it is simply the most profitable way of doing business.
To be more specific: I am a proponent of bills like S.2710 - Open App Markets Act (https://www.congress.gov/bill/117th-congress/senate-bill/271...), which among other things requires operating systems to "... allow and provide readily accessible means for users of that operating system to ... install third-party apps or app stores through means other than its app store". Though I would also want additional provisions, like not allowing OSes to reserve special privileges for first-party or blessed third-party apps, eg iOS restricts third-party apps from running JIT code, preventing browser competition on the platform.
The problem is that people want short term gain and don't see the long term loss.
Regulation won't happen for technology, the government doesn't really have an incentive.
They are already spying on anyone so they don't need anything else. Gun control regulations are great to make people more reliant on the government and environmental protection laws are great for charging extra taxes; what would a "less technology" regulation accomplish? Nothing, it would be counterproductive.
The government wants you to ping you every phone cell you go nearby to.
You don't even need cellphones. Just issue people hard to forge documentation and set up checkpoints. It's the difference between a fence and a shock collar.
Your dream seems to be to set up the infrastructure for universal command and control, then expect it to choose to regulate itself.
I don't think I said anything of the sort. Just because something is electronic doesn't mean it's centralized and restrictive. My dream is one where technology is an empowering tool accessible to anyone and I'm all for regulation to prevent monopolies or cartels from imposing self-serving "standards" that block out competitors and force people into walled gardens. You seem mostly concerned about authoritarianism. I propose that so long as users are in control of their computers then computer ownership will have a net-positive impact on general freedom. If users do not control their computers then they will have a net-negative impact on freedom. So the crucial aspect is not whether or not phones/computers become required for daily life, but whether users have control over them.
Even moreso, there are a growing number of stakeholders and even entire business segments, which require locked-down devices for their activities: The entire business of streaming services only works because they get to place an opaque black box in users' homes and can dictate arbitrary rules and constraints for playback.
The entire app ecosystem is only economically viable because the devices make it impossible (iOS) or really inconvenient (Android) to install apps without paying for them. Also, the devices give the user no way to modify the apps, so developers can implement whatever hostile logic they want and users have to put up with it. The ability to do that is a major appeal locked down platforms have for businesses.
(IMO, the imagination of far too many people in the industry is already running wild with all the kinds of crazy rules, restrictions and "business models" you can implement on locked down devices.)
I think we should reverse this trend and install some actual computer literacy in larger parts of society before we make computers mandatory for everyday life - otherwise, the whole thing will end in a dystopia.
Although I agree with you, it is not realistic.
Do you think kids who are 3 right now will feel the same when they are your age?
Reminds me of the US General who, in WW II, insisted cavalry still had a place in warfare. Can’t remember his name.
Cavalry still had a huge role to play in WW2. You didn't ride them into battle (you didn't do that in WW1 either), but they were used for transport. Germany and Russia used 6 million of them.[1]
[1]: https://en.wikipedia.org/wiki/Horses_in_World_War_II
It was Maj Gen John Herr:
1 point by TedDoesntTalk 7 minutes ago | root | parent | next | edit | delete [–]
It was Maj Gen John Herr:
"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."
https://en.wikipedia.org/wiki/John_Knowles_Herr#Chief_of_Cav...
anyway the point is not to go back to soldiers riding horses, but to not reduce the authentication options, because it also reduces security.
After all we still use keys to unlock doors and not our phones (because it would be stupid)
"In 1945 Herr wrote that conversion of cavalry to armor was a mistake, an act of "robbing Peter to pay Paul": expansion of armor was necessary, but not at the expense of horse units."
...
"even in 1942 he still struggled for the horse, requesting Marshall for "an immediate increase in horse cavalry."
...
"He enforced a formal policy that any increase in mechanized forces must be preceded by a proportional increase in horse cavalry; as a result the 7th Cavalry Brigade remained the only mechanized unit until 1940. Later, he had to admit the rising power of armor, but was just as unwilling to dismount his troops.
After the outbreak of World War II Herr followed the European campaigns through attaché reports that reinforced his belief in superiority of cavalry tactics. His chief of staff Willis D. Crittenberger pre-screened these reports and jotted "cavalry mission" in the margins to attract Herr's attention.[16] Herr's own interpretation of the intelligence was biased in favor of the horse. He believed that the Wehrmacht relied on horses because of German operational doctrine when, in fact, it was a purely economic decision.[6] He wrote that other Western European armies dismissed the horse because of shrinking horse and forage stocks; the American situation, according to Herr was more akin to Poland or the Soviet Union, which still kept sizable horse formations.[15] He assessed blitzkrieg as a "typical cavalry mission" and suggested expanding the 7th Cavalry Brigade along German panzer division standards, under full Cavalry control.[17] The proposal, delivered at the War College in September 1939, was bundled with the demand that new armored units should be formed from scratch rather than converted from horse troops.
In the first half of 1940 Herr embraced the concept of "horse-mechanized formations" and called for expansion of cavalry brigades into divisions. He alienated George Marshall by insisting that mechanization should be an expansion of existing cavalry troops, rather than their replacement.[19] He publicly rallied for more horse units through Cavalry Journal publications,[15] and brought further tension inside his troops by asking each cavalry officer to choose his side: either for horse cavalry, or for mechanization. According to Bruce Palmer Jr., the request forced officers of all grades to "cut their throats professionally": they had to bet their careers on obsolete war technology, or risk immediate repercussions from their Chief."
https://en.wikipedia.org/wiki/John_Knowles_Herr#Chief_of_Cav...
That purpose wasn't doing pike-and-lance charges into panzer lines. Just like most motorized units, WWI and WWII cavalry didn't fight from horseback - it would use horses to get to where they were going to fight, and dismount to fight.
The Eastern Front had a lot of terrain that was not conductive to wheeled travel.
Cavalry is also far more cost-efficient at hunting down partisans, and terrorizing civilians. It doesn't need petrol, you can just steal horsefeed directly from the people you are occupying.
I agree with your basic point though. Smartphones are the default for doing more and more things. And when traveling, I try to have reasonably backups for maps, itineraries, etc. But I'm hardly religious about it and my phone breaking or getting lost/stolen when traveling would be a major hassle.
Just implement login via email/sms and that's about it.
Now when it comes to this "phone" authentication, I'm not sure that I like this idea. I have good control over my phone number. I have good control over my domain and email (that's not true for most users, but they have the option). But making all my digital life depending on Apple or Google: that I don't like.
> SSH auth + Git commit/tag signing using a key stored [on your device]
> turns your [...] device into a WebAuthn/U2F Authenticator
So I really hope Google et. al. will offer some kind of email address cloaking like Apple do with their private relay stuff. Knowing Google, they sure as heck won't, though.
An application/site can optionally request the "email" scope during OpenID Connect sign-in, but if it is not requested (only the "openid" scope instead) then the provider must not return an email address in the ID token, or an OAuth access token which is authorized for an API method which returns the user's email address (OpenID Connect Core 1.0 section 5.4 - "Requesting Claims using Scope Values").
Google implement this (https://developers.google.com/identity/protocols/oauth2/open...), by returning only a unique numeric user ID in the returned id_token. I haven't checked other OpenID Connect providers.
I didn't know the details about different scopes and had always assumed the sites would obtain at least the name and email address, because all I ever saw was the prompt "To continue, Google will share your name, email address, language preference, and profile picture with <site>."
You must have zero trust in a device where 3rd parties have full access to change whatever they want at any time and for any reason without your knowledge or consent. That's not happening for the linux server in my closet. It's probably happening for the windows 10 system in the living room, and it's absolutely the case for the phone next to me.
Cell phones are not private and they aren't secure and that makes them the worst kind of device you could insist on people using to replace their passwords.
Nonetheless, both of these options are orders of magnitudes safer than desktop OSs, as per my original statement.
I'm sure you're thinking something along the lines of "Android has an SELinux sandbox that prompts for permissions." You can run this on normal desktop Linux too though (I forget the command, it's a python script in the SELinux tools (or so) repo.) No one bothers because the distro repos are relatively free of malware and installing non-free software requires a small amount of understanding. This is, of course, considered "bad UX" for non-free software but that is in practice where most of the malware comes from on other OSes. (On Linux most f it comes from sloppy language specific package managers with a free-for-all mentality like node.js or PyPi but no amount of OS design can fix stupid devs without making their work impossible.)
You running npm install can potentially delete everything in your home directory, but a buggy application (even if opensource and made with good intention) can be exploited by evil data just as well. Just because your, say, PDF reader is open source it can be used to exploit your computer with an evil pdf file. So yes, linux desktops are orders of magnitude less safe than either Android or ios.
Quite recently, my bank site was having a fit and I couldn't log in, with only cryptic errors. The first line of help didn't understand a thing and wrote back to IT to find out more. Apparently if you don't hand type / PW manager autotype your password, you are a hacker now; they are actively hostile towards PW managers. Great yet incomprehensible way to push people towards bad passwords. This was at a small bank that uses third party software, also used at another small bank I use. So it will have propagated to who knows where overnight.
Now we want to get rid of passwords altogether, so phishing is a simple as [remotely] watching someone distracted unlocking their phone in the coffee shop, and there is a good chance you can get them to swipe right when they should go left. Idiocracy.
(from memory this will need much bigger storage in the secure enclaves - thousands of accounts is quite feasible)
Oh wait, example.com sends me a encrypted key, that I decrypt and then use? That sounds ... odd.
I mean, why not just keep the same encrypted data on my local phone ? The attack surface seems much smaller.
https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...
has a clear description in the "Allowing for Inexpensive U2F Devices" section.
For webauthn, they don't use key handle terminology anymore, but the same fuctionality is provided by the "Credential ID":
https://www.w3.org/TR/webauthn-2/#credential-id
My method of choice would rather have been what is established now for 2FA with time-based one-time passwords (TOTP). Here the attacker can't initiate the auth flow from the outside.
In the end this likely only leads to training people to automatically approve anything as every little piece of software on their machines needs approval once a day or more often at worst...
As long as there’s a command-line app that I can use instead of my phone (which I will never do), I’m good with this!
I’d be willing to help develop such an app.
- https://github.com/google/OpenSK <- DIY solution
- https://solokeys.com/
- https://www.nitrokey.com/
The issue with any FOSS solution is that FIDO requires an attestation private key, which must be shared between a batch of at least 100,000 security keys. Using a DIY or cli app solution (application running on the host) will likely mean you'll be generating that private key yourself, this makes you identifiable across registrations.
Some sites (Cloudflare) may reject the use of attestation keys which are not found on the Fido Alliance Metadata Service. This precludes the use of any DIY solution.
https://fidoalliance.org/metadata/
https://support.cloudflare.com/hc/en-us/articles/44068890480...