Silicon Valley Legends Launch 'Beyond Identity' To Eliminate All Passwords (securityweek.com)
SecurityWeek editor wiredmikey shares news that Jim Clark and Tom Jermoluk (past founders of Netscape, Silicon Graphics and @Home Network) "have launched a phone-resident personal certificate-based authentication and authorization solution that eliminates all passwords."
Security Week reports: The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape some 25 years ago and still the bedrock of secure internet communications). It is the opportunity provided by the modern smartphone with biometric user access, enough memory and power, and a secure enclave to store the private keys of a self-certificate that never leaves the device that is new. The biometric access ties the phone to its user, and the Beyond Identity certificate authenticates the device/user to the service provider, whether that's a bank or a corporate network...
"When this technology was created at Netscape during the beginning of the World Wide Web, it was conceived as a mechanism for websites to securely communicate, but the tools didn't yet exist to extend the chain all the way to the end user," commented Jermoluk. "Beyond Identity includes the user in the same chain of certificates bound together with the secure encrypted transport (TLS) used by millions of websites in secure communications today...."
With no passwords, the primary cause of data breaches (either to steal passwords or by using stolen passwords) is gone. It removes all friction from the access process, takes the password reset load off the help desk, and can form the basis of a zero-trust model where identity is the perimeter.
Though they're first focusing on the corporate market, their solution should be available to consumers by the end of 2020, the article reports, which speculates that the possibility of also pre-installing the solution on devices "is not out of the question."
Too bad I don't carry a phone. (Score:5, Insightful)
I refuse to pay to carry around a tracking device at all times. If someone insists that I do so, they can pay for both the phone and the contract. This already causes problems with certain services -- Yahoo mail, my bank -- who keep pestering me for a cell number and "I don't have one" is not an option.
Re: Too bad I don't carry a phone. (Score:2)
Re: (Score:3)
Don't you mean, Mal-R-2, citizen?
Re: Too bad I don't carry a phone. (Score:2)
Thank you.
Re:Too bad I don't carry a phone. (Score:5, Funny)
Me too. I don't ever use the internet either. Never have, never will.
Re: (Score:2)
How come this, and almost all other Slashdot posts are a 1/3 of the size of the "Claim That Covid-19 Came From Lab In China Completely Unfounded Scientists Say" post?
Does "Beyond Identity" not have pockets as deep as the CCP?
Re: (Score:2)
I believe the phrase is "Whoosh!"
Re:Too bad I don't carry a phone. (Score:5, Insightful)
I like certificates, vastly superior to passwords. But, two factor authentication has a major flaw - you have a device you can lose, forever. What's the backup for when you drop your phone in the river by mistake? I've got to use two factor at work, and it's very annoying to pull the phone out 10 times a day just to give approval. But if I lose it, I have an IT department to figure out how to get back in. (it's unclear how the system works for those without phones)
Also - top notch security is NOT needed for the vast amount of stuff that's on the internet. Most of it is fluff. So what if someone steals my slashdot account, it's much less important than my bank account. So my more complicated passwords are for the bank, and the dumb passwords for those sites that demand that I register before I can look at it. When the highest security is needed for fluff sites, then users will start treating security like an inconvenient bother; that's why so many re-use passwords because so many sites require them to register so that they can be monetized.
I doubt people pushing for two factor here are concerned about the users as much as they just want more users to register more often and more conveniently so that more ads can be served up to target them.
Re: (Score:2)
What's the backup for when you drop your phone in the river by mistake?
You go to the service provider (T-Mobile in my case), present a physical ID card, and tell them your security code. Then they sell you a new phone with the same phone number. Then you set up new certificates on your new phone.
Re: (Score:2)
So the cert has the phone number on it? Good for easy tracking across all your apps and web sites so that you get served up the right ads.
Re: (Score:2)
So the cert has the phone number on it?
Of course not. Why would it?
Re: (Score:2)
Then to keep your credentials with a new cert you need to know what they are, and they'll be credentials not tied to a phone. If it's just your account name, then that varies with every site (unless people use their email everywhere and never change emails or use fake throwaways).
Re: (Score:2)
Oh boy... sim-jacking version 2.0.
Re: (Score:2)
Oh boy... sim-jacking version 2.0.
Sim-jacking would only get you the phone number, not the certs.
If your old phone had a cert from your bank, you will still need to authenticate yourself to your bank to get a new one. The obvious way to do this is to go to a branch and authenticate with 3 factors: Your physical ID card with a photo that matches your face (something you are), your ATM PIN (something you know), and your phone (something you have).
Sim-jacking would only get you 1 out of 3.
Additional factors could also be used. My bank has a
Re: (Score:3)
The technology used is not new, being based on X.509 certificates
So in other words it's failed before it even started.
Sheesh, this is exactly what certificates were supposed to do in X.509v1 in 1987. We've been trying for over thirty years to get these things to work for this purpose and failed every time, what makes them think it'll magically work now?
Re: (Score:2)
The certificates are not the problem, managing them is. To make this practical they need to have come up with a practical, easy way to manage certificates, which is what they are claiming to have done.
They aren't the first. Google had this sorted a few years ago. Certificate stored on your phone, uses Bluetooth to talk to your computer, log in by unlocking your phone and tapping a prompt that automatically appears. The certificate is managed as part of your Google account and synced with all the devices you
Re: (Score:2)
They're vastly superior to pre-shared keys. The infrastructure for trusted CAs is the hard part. So public certificate authorities can be iffy, and the IT guy who annually forgets to renew is inevitable. But we have a private set of CAs for devices and customers and it provides good security.
Re: (Score:2)
This doesn't use CAs.
Re: (Score:3)
I like certificates, vastly superior to passwords.
True, but still need a master password. Biometrics have their own problems. You can be forced to scan your fingers, face, eye, whatever. Even if courts decide evidence obtained that way is inadmissible, bad guys will still do it.
Granted passwords are subject to "$5 wrench" cracking, but that requires more effort on the part of the bad guys.
Re: (Score:2)
No master password either, if used right. You can do an entire security system based around it. Each new device has to both acquire a new certificate of trust and then trust the cert strongly. It's not necessarily the same as what's done on the web now.
Re: (Score:2)
2 factor auth should provide you with a set of backup codes. The idea is you save them once somewhere secure, like a safe in your house or well backed up and encrypted password manager. If you ever lose your second factor you can use those codes to get into your account and set up a new one.
The codes are long enough as to be impractical to brute force.
For work they should set you up with something more convenient. With Android you can use Bluetooth on your phone to avoid having to copy/paste codes. Even bet
Re: (Score:2)
All of my important accounts (Amazon, Paypal, my password manager..)
use hardware 2FA in the form of a FIDO key.
You can have as many as you want, so losing your phone won't lock you out.
Re: (Score:2)
Any employer checking facebook before hiring someone is not worth working for.
Re: (Score:2)
I do carry a phone sometimes, but why would I be so insane as to trust it?
Re: Too bad I don't carry a phone. (Score:2)
I found that there are two types of co conspiracy theorists.
The regular kind.
And the kind, whose conspiracy theory it is, that everyone mentioning anything sneaky and evil or merely just going against their god, the comforting nice big brother, must be a conspiracy theorist.
I call the second ones "anti-conspiracy theorists" (mind where the gap goes), or simply blackeyers.
Just like the regular kind is gullible and susceptible to ridiculous claims against the establishment, this kind here is gullible and susce
Erratum: (Score:2)
I did not mean to write "co conspiracy". Just ignore the "co".
Heh (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
And I hope they'll include a way of de-authorizing a phone for all services at once if it gets stolen and the thief forces you to give the passcode. Otherwise they'll have perpetual access to everything.
Re:Heh (Score:5, Insightful)
Or if your phone gets hacked, which is where most attention is focused these days. It's getting to be pretty hard to find a new browser exploit these days, but it's easy to put a look-alike app with a malware payload on an app store. People run all sorts of shit on their phone, thoughtlessly. Already phone-based two-factor systems are discouraged, as phones are so easily compromised.
Re: (Score:3)
Security on phones hasn't been that primitive for a long, long time. They don't just store the cert in a random file that any old app can access.
The cert will be stored in the phone's secure element. Only verified, signed code is allowed to access it. Unless the malware author also hacks Apple or Google they can't sign their code with an Apple or Google chain of trust.
If malware does get that far then you are completely screwed anyway and no alternative will be any better.
Re: Heh (Score:2)
Yeah... it says "biometrics". ;)
And you believe those boneheads can develop anything that can't be trivially circumvented?
Maybe leave that mind box of yours, I don't know...
This will be the same as with FaceID again. Where the son(!!) of a woman could unlock it with his face.
Or, for an Android example: Where the malware came with it straight from the factory!
Any "secure enclave" the user doesn't have full access to, will be one where an outside element that the user should not trust will have access to. Hac
Re: (Score:2)
So what is more secure in your mind, a password that has probably been re-used 20 times already and leaked at least a dozen, or a certificate stored in the phone's secure element and protected by biometrics?
On the one hand some random person on the other side of the world can get that password from a leak or just guess it and access your account. On the other they need to somehow physically steal and unlock your phone, or infect it with some zero day malware that is worth millions but for some reason they d
Re: (Score:2)
If malware does get that far then you are completely screwed anyway and no alternative will be any better.
You have the great and excellent alternative of not trusting your phone for anything important! Phones are simply toxic when it comes to security. Do not use them in any way in any security context.
And yet, financial institutions everywhere are still sending texts to phones as a TFA approach. Texts!
Re: (Score:2)
indeed, my biggest concern.
Mobile devices certainly are not the most secure, just because they are mostly always not up-to-date with their security patches, if you're still lucky enough to get them. I already avoid doing anything involving money on them, so I don't see me using them for replacing my passwords to everything.
Re: (Score:2)
And, of course, it's perfectly reasonable to want to have different identities for different activities, rather than "one ring to rule them all". Who wants to use the same identity for both online banking and social media, for example?
Re: Heh (Score:3)
Re: (Score:2)
Drop or otherwise break it and you are in a similar situation. No need to actually lose the thing. One accident=one nightmare.
Re:Heh (Score:5, Interesting)
Re: (Score:2)
This was solved decades ago for 2FA. When you set it up you also get backup codes you can use to recover your account. You keep them somewhere safe and never use to them to log in.
Wow (Score:3)
Now I feel good because we all know how secure TLS is. No MITM attacks have ever been found and all the certificates are surely safe.
so... (Score:3, Insightful)
when a three letter agency clones your phone and eSIM they can get your identity as well to check your bank account... What stops the bad guys from doing the same?
Re:so... (Score:4, Interesting)
What stops the bad guys from doing the same?
What stops my kids from buying all the things, now that we've done away with all passwords? We're expected to use biometrics as the root of this, like the fingerprint readers that don't work if your finger is modestly wet or the print just changes a bit over a month?
Re: (Score:2)
like the fingerprint readers that don't work if your finger is modestly wet or the print just changes a bit over a month?
That's why we should use a finger prick like in Gattaca [imdb.com]. Perfectly foolproof.
Re: (Score:2)
Re: (Score:2)
So forgetting to lock your phone once because, oh, the dog wanted to be let in means EVERYTHING is unlocked.
Re: (Score:2)
They aren't talking about using your SIM for anything. The certificate will be stored in the phone's secure enclave and the phone will communicate over Bluetooth or the internet to supply 2nd factor authentication. You don't even need a SIM or an active phone contract, it will work with devices like tablets that don't even have a cellular modem.
Re: (Score:2)
when a three letter agency clones your phone and eSIM they can get your identity as well to check your bank account... What stops the bad guys from doing the same?
The same thing that stops the “good guys”: that none of this info is stored in a place that would get cloned. If you clone a phone, this info would still be secure on the original device, having not been copied.
To be clear, this isn’t stored in the phone’s flash or SIM. This is stored in a dedicated Secure Enclave chip that can be written to but which does not permit direct reads. You can ask the Secure Enclave for things like a 2FA OTP or an authorized/unauthorized response to a bio
Three questions: (Score:4, Interesting)
OK let me get this (Score:5, Insightful)
Just my 2 cents
Is the misleading name part of the plan? (Score:5, Insightful)
Re: (Score:2)
I don't think most people will love it. Most people seem to regard their phone as a magic box with pictures in it. Lose your phone, or get a new one, lose all your pictures. Now when you lose your phone or get a new one you lose *everything*.
Too much stuff is already tied to phones. I still have the number from the previous city I lived in because I'm afraid if I change it I will forget to change at least one thing using the number for two factor authentication.
STOP SPREADING that bullshit! (Score:2)
YOU are the one promoting that!
Stop treating the average user like a retard, because you are literally actually breeding them that way with your actions!
I know this for a fact, because here in Germany, the tides have completely turned since the GDPR!
It is the older and the incompetent, that are the most fearful of being hacked, losing their privacy and such! Exactly your imaginary average moron that you somehow assume exists, but never actually existed.
They are the ones not buying smartphones because of sec
Re: Is the misleading name part of the plan? (Score:2)
There isn't any such thing as hell, but it will be plenty cold in the cabin in the Montana wilderness where you'll end up living.
Passwords suck. They need to go away. No, an exclusively phone-based solution isn't the right answer, but carrying around an easily-backed up but hard to crack piece of authentication hardware sounds like the only possible way to move forward and ditch the whole stupid password concept once and for all.
Re: (Score:2)
Cold day in hell, as I said.
As I write this, it's 7 C in Hell, with a forecast low of -2 C before dawn.
New Phone, Who's Me? (Score:4)
A large percentage of people these days change their cell phones more often than they change their passwords. I'm all for replacing passwords, but this isn't it.
Zero Sign On (ZSO) already exists (Score:3)
Many vendors already offer this. ADFS + MDM + SCEP/Identity Cert based solutions abound. I fail to understand how this new announcement is different?
Re:Zero Sign On (ZSO) already exists (Score:5, Insightful)
But those existing solutions don't benefit the venture capitalists behind Jim Clark and Tom Jermoluk!
Re: (Score:2)
Must be. I just read the entire thing again and am taken aback at how these two describe IDP authentication as if they invented it.
Re: (Score:3)
Must be. I just read the entire thing again and am taken aback at how these two describe IDP authentication as if they invented it.
Jim Clark and Tom Jermoluk (past founders of Netscape
The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape...
When this technology was created at Netscape
Is the summary at all correct? 'Cause that might answer your question.
Re: (Score:2)
Is the summary at all correct? 'Cause that might answer your question.
I just dug through several of the RFCs which define the use of X.509 certificates, and neither of these guys' names appear anywhere. Nor do their names appear in the RFCs related to SSL, nor anywhere in the "History" section of Wikipedia's Secure Sockets Layer page.
Another interesting factoid (Score:2)
Did a little more reading... Tom Jermoluk had nothing to do with Netscape. James Clark was a computer scientist and one of the founders of SGI, but his role with Netscape appears to have been mostly as a funding source for Andreessen. He invested 4 million at the beginning, which eventually earned him more than a billion dollars.
Re: Another interesting factoid (Score:2)
*made*. Not earned.
Don't confuse the two.
The latter implies you actually worked for it just as much as the ones paying you that money. And I don't think it is even physically possible to work enough hours of a work being worth that much per hour in one's entire lifetime, to *earn* one billion dollars.
It is profit. Profit is what you made. The opposite of what you earned.
Re: (Score:2)
Just SSL, not IDP/SP, X.509, SAML or any other parts of actual identity management.
Re: (Score:2)
"The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape some 25 years ago and still the bedrock of secure internet communications). It is the opportunity provided by the modern smartphone with biometric user access, enough memory and power, and a secure enclave to store the private keys of a self-certificate that never leaves the device that is new."
Yeah, who greenlighted this nonsense? Every MDM/UEM vendor out there already does all of this, and has for several yea
It takes three licks to get to the.... (Score:2)
I'm impressed (Score:3)
I don't have or want a smartphone. (Score:3, Insightful)
Re: I don't have or want a smartphone. (Score:2)
Re: I don't have or want a smartphone. (Score:2)
I use my smartphone mainly to keep track of my calendar, to get the shopping list from my wife, to browse the web, as a flashlight (on a daily basis), as an eBook reader, to connect to my home system via vnc over my VPN, etcetera. I actually rarely sync my email client, only if I need something immediately. I could live with a simple phone, wo
Re: I don't have or want a smartphone. (Score:2)
old solution (Score:2)
I fail to see what's novel here. (Score:2)
I mean yes, I want to go passwordless...but the companies that let us log in to their servers must set their system up for it.
I guess this is a way to package up the method, and advertise the idea. But I'm honestly pissed we're still using the security ideas from NASA in the 60's or whatever it was (when they created the password rules we still live by).
And I'll fully say the few times I tried to work with certificates were hellish. I just thought that was enterprises having special expensive tools I don'
ID card = ID phone (Score:3, Interesting)
TL;DR - Having a charged updated "accepted" phone is a problem. Have to be online even in the desert or on water or airports. Biometrics suck for authentication since everyone knows where your finger (or retina is) and how to get it.
FIRST: The phone has to be there and it has to be charged and updated. /yeck
It used to be we didn't have to carry an identification document (ID). Then cops decided they get to ask us for our driver's license whether we're driving or not. Now apparently we'll have to carry a SMARTPHONE and YOU BETTER KEEP IT CHARGED if you know what's good for you. In Nazi Germany they would say "Papers?" then "Your papers... are not in order." I can see it now "You phone?" "Your phone is not properly charged or updated or running our favorite OS of the day be it Android, or something stupid." I can't imagine if they start saying "Oh your huawei phone no longer qualifies so go buy a new phone." Or if Trump's phone-selling buddies make theirs the required phone to have.
SECOND YOU HAVE TO HAVE A NETWORK:
I live in Arizona. It's a beautiful state (we have the Grand Canyon) and nice people. In some areas though there is NO network coverage. That means I can't verify a certificate chain, log into a website, generate a validation code, or do much more than observe the time.
THIRD BIOMETRICS ARE AN ATTACK VECTOR
Biometrics are useful as ONE part of a multi-factor authentication scheme. To be the only scheme is to require everyone to have their password emblazoned on their shirt. Maybe on the inside of the shirt. Sure, we don't know what your password is, but if we grab your shirt and open up the buttons, there it is. Like fingerprints. Or retinal scans. Anything that is FIXED FOR LIFE and CAN'T BE CHANGED and is known to the black hats as to where it is is a BAD AUTHENTICATION SCHEME.
The concept of fixing 'the password' problem is good. The conceptualization they've articulated is entirely worthless.
Security researchers (who didn't start Netscape or other has-been firms) are blanching.
E
Flynt? (Score:2)
Larry Flynt wishes to complain.
Not the right way to do it. (Score:3, Insightful)
This should be handled as U2F and FIDO was handled. There shouldn't be a new company for this.
Adoption of this should be standards based and should be a cooperative effort across the industry.
(Also this sure feels like reinventing FIDO/FIDO2 for profit.)
Also, once your certificate is stolen, unless it's strongly encrypted (which, what's that? You need a password and PIN for) you're hosed. I'd really rather have a Yubikey.
Re: (Score:3)
Re: (Score:2)
Modern phones can act as a FIDO device. As long as it's protected with a PIN that will self-destruct on too many failed attempts, sounds valid.
This isn't necessary. A much less destructive brute force mitigation is to enforce exponentially-increasing delays between allowed authentication attempts. Set it up so that it would take a decade or two, on average, to brute force a four-digit PIN and that should be good enough. It's unlikely that a device could be kept alive and functioning long enough to give the attacker significant odds of guessing (assuming a randomly-chosen PIN).
Just wait for the first parent who gives their phone to their child and gets too many failed attempts and bricks their phone for authentication to all of their sites.
I call this the "toddler attacker". Luckily, a simple exponential ba
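The back-off schedule that comment describes, worked through as an added example (not code from the thread, the commenter, or Beyond Identity). It assumes a wait of 1 s after the first wrong PIN, doubling on every further failure and capped at one day, and a PIN chosen uniformly at random; it compares the attacker's expected time against the hard-lockout policy quoted above and shows what the "toddler attacker" costs the owner.

```python
"""Brute-force cost of a PIN under exponential back-off versus hard lockout.

Added example for this discussion; not code from the thread or the product.
Assumed schedule: no delay before the first attempt, then base * factor**(k-1)
seconds after k failures, capped at `cap` so the wait never grows without
bound. The PIN is assumed to be uniformly random over `pin_space` values.
Integer arithmetic is used so 2**9999 does not overflow a float.
"""
from __future__ import annotations

ONE_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wait_after_failures(failures: int, base: int = 1, factor: int = 2,
                        cap: int = ONE_DAY) -> int:
    """Seconds the next attempt is held back after `failures` wrong PINs."""
    if failures <= 0:
        return 0                      # first attempt is never delayed
    return min(base * factor ** (failures - 1), cap)


def attempt_times(attempts: int, **sched) -> list[int]:
    """Earliest time (s) at which attempt 1..attempts can be made.

    Entry i is the sum of the waits imposed by the i failures before it.
    """
    times, elapsed = [], 0
    for failures in range(attempts):
        elapsed += wait_after_failures(failures, **sched)
        times.append(elapsed)
    return times


def expected_crack_seconds(pin_space: int, **sched) -> float:
    """Mean time to hit a random PIN by exhaustive guessing.

    The right PIN is equally likely to be the 1st, 2nd, ... last guess,
    so the expectation is the average of the attempt times.
    """
    times = attempt_times(pin_space, **sched)
    return sum(times) / pin_space


def worst_case_crack_seconds(pin_space: int, **sched) -> int:
    """Time to exhaust the whole PIN space."""
    return attempt_times(pin_space, **sched)[-1]


def lockout_success_probability(limit: int, pin_space: int) -> float:
    """Attacker's odds under a wipe-after-`limit`-failures policy: the
    device dies after `limit` wrong guesses, so only `limit` guesses count."""
    return min(limit, pin_space) / pin_space


def main() -> None:
    pin_space = 10 ** 4               # four-digit PIN
    years = SECONDS_PER_YEAR
    print(f"4-digit PIN, 1 s doubling back-off capped at one day:")
    print(f"  expected time to guess : "
          f"{expected_crack_seconds(pin_space) / years:6.1f} years")
    print(f"  time to exhaust space  : "
          f"{worst_case_crack_seconds(pin_space) / years:6.1f} years")
    print(f"Hard lockout after 10 failures lets the attacker win with p = "
          f"{lockout_success_probability(10, pin_space):.4f}, "
          f"but a child typing 10 wrong PINs bricks the device.")
    for k in (1, 3, 5, 8):
        print(f"  owner waits {wait_after_failures(k):>4d} s after "
              f"{k} mistaken entries (device still usable)")


if __name__ == "__main__":
    main()
```

With these assumed parameters the mean time to guess a four-digit PIN comes out at roughly 13.6 years and exhausting the space at about 27 years, which is where the comment's "decade or two" figure lands.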
Re: (Score:2)
If you thought passwords were a P.I.T.A. ... (Score:4, Insightful)
... wait until we have to use PKI certificates for everything.
Remember these things don't last forever - they expire after some period of time, e.g.: 12 months. Currently we have password managers that allow us to have a different password on each of hundreds (/thousands) of accounts and it's relatively easy to change a password on a given site if and when the need arises. Once we replace passwords with PKI we now have to visit each and every one of those hundreds (/thousands) of accounts every 12 months to provide our new public key - before the old one expires! Do not want, thanks.
Re: (Score:2)
FIDO2? (Score:2)
Old technology (Score:3)
I don't understand why people keep attempting to (poorly) reinvent client certificates. They've been around now for what now ... two decades? Why not just use them and dispense with all the "patented" proprietary bullshit? What's the point in any of this?
Give Me All Your Passwords (Score:2)
U2F anyone? (Score:2)
Maybe the exact way U2F (or whatever the latest version of that thing is actually called these days) works isn't perfect but the basic idea seems good.
biometric not subject to 1st amendment (Score:2)
The name is 100% Orwellian (Score:2)
The name is 100% Orwellian, it 100% requires that you constantly confirm your identity via you personal spy device.
You know what is beyond identity? - A f***ing PASSWORD.
Yeah... no. You're incompetent. Go home! (Score:2)
I stopped reading at "biometric".
These people know nothing.
SQRL (Score:2)
Re: (Score:2)
SQRL is too simple and secure of a design to wind up at most people needing a chip implant to avoid the key management headaches.
No technical description? No actual product (Score:2)
Re:Isn't the problem.. (Score:4, Interesting)
Better still, the other side will say, "You _definitely_ did this, if it weren't your certificate it wouldn't be possible!"
While only tangentially related, this is the exact reason that neither my checking nor savings accounts have had ATM/debit cards issued to them. I still get odd looks from time to time when I visit the bank, drop my driver's license down and tell them I don't have a bank card, and then explain that no, I don't want one when they always ask if I need a new one.
Just try this: (Score:2)
Open your browser or OS's built-in root certificate list. Read through it.
And if that doesn't make you feel like throwing up, ... be happy your society provided you with a mental disabilities legal guardian to feel like throwing up for you. ... ;)
Re: They are legends at stealing your privacy (Score:2)
Hey, don't insult faggot cum gargling transvestites like that! They are faggot cum gargling transvestites, but they are not *these guys*!
Also, piss gargling foot fisted ass cunts is the new trend. Try to keep up! ;)
Re: (Score:2)
Finally out of coma, maybe?
Re: (Score:2)
Why reinvent the wheel? A better solution to "passwords" is already there. And it's safe and usable?
Don't even go there. FIDO2 reinvents the wheel and does so poorly.
Certificate authentication predates FIDO2. Smart cards predate FIDO2. They are way cheaper and more secure than any USB security key will ever be.
It takes a special kind of genius to think it is a good idea to use USB keys for secure authentication.
Re: (Score:2)
Nothing about FIDO is dependent on USB anything, though most of FIDO tokens are at the moment, and you haven't really said why that's bad. There are implementations based on native phone and laptop biometric security modules, as well and BLE and NFC (both of which do have real drawbacks).
It's also already really out there, an open standard, and implemented in major browsers and about a dozen major sites I use regularly.
Re: (Score:2)
Nothing about FIDO is dependent on USB anything, though most of FIDO tokens are at the moment, and you haven't really said why that's bad.
Is it really necessary to state the obvious? Do I need to say you can drive a train thru the attack surface of USB or does everyone already know that? Everyone should already know that.
Re: (Score:2)
Re: (Score:2)
I fail to see how a smartcard is any safer. Ohh look, I have a smart card, let me read it with my USB smart card reader.
The smartcard is safer because the reader only reads smart cards. It can't impersonate HID devices or exploit driver defects in any of a billion different USB profiles. If my smartcard is replaced or tampered with it cannot compromise the host system. The same is NOT true of USB. It only takes seconds for a malicious USB stick to install a reverse shell and completely compromise a system.
Same for users logging in to shared systems. In environments where physical access is limited the smart card may well be