Passwords are awful UX design solution. The users have to think of and remember some meaningless phrase to get the service they really needed. If you use easy password, your account can be hacked. If you use difficult password, you won't remember it in a week.
For some people remembering a password or login might be especially difficult.
You can use software to generate and remember passwords but all of them will be lost if you reformat your drive. Some of password managers are proprietary, non cross-platform and some would upload your passwords to the so called cloud so NSA can look at them too.
In any case your passwords can be easily compromised when your PC is infected or you use somebody's else device.
What we need is to get rid of this obsolete system. We need hardware authorisation key (that could look like a real key) that can be used for both registration and logging in and would generate and securely store private keys for all used services. Such device should use strong crypto, should not allow exporting private keys, update firmware or operate without user confirmation.
I think such kind of keys will appear sooner or later, they are superior to passwords and password managers and easy to use but I am not sure that they will be open source, cross platform, and backdoor-free unless we do something in advance.
No. They are not superior to passwords - they merely provide different tradeoffs. For example, the site that requires your hypothetical key-type key would require that either all of their customers have spent money on such a key (bad) or that they are willing to pay for keys for all of their customers.
More importantly, you just replaced the problems of virtual keys with the problems of physical keys: you can lose them. Recovery is much more difficult than recovery of a virtual key.
With keys such as a U2F key, you can use it for multiple sites (each site will have a site-specific keypair). Most sites allow you to associate multiple U2F keys as well. Since U2F keys typically cost 7 to 15 Euro, it's really not much of a problem to buy one for use and to put one as a backup in a fire-proof safe.
That said, I think it's bad to rely on one factor. If the key gets stolen, security is compromised. The combination of a password and a security token is far more secure. People should just stop memorizing passwords for every site and e.g. use a password manager.
A lot of banks already give them away to their customers because the hardware costs are less than the fraud costs associated with compromised accounts. And in an ideal world, said keys would be general use, not just for logging into the bank's site.
Really? You don't lose (forget) virtual keys? It's a far worse problem. A physical key can always be found if you look hard enough. A virtual key can truly be lost forever.
Ok, but that makes is harder, not easier, to manage virtual keys. And the more copies, the weaker the key (the easier to find). A million is a terrible, terrible idea.
No, I despise passwords. The whole scheme is backwards. I don't want to authenticate myself to the server; I want to authenticate the server to me. Why doesn't it provide the password, and my computer verify it? Why is a fallible human being in this game at all?
Well, yeah. That was a hyperbole. I didn't actually mean that you should go out and make a million copies of your key.
It simply meant to show that it's easier to prevent the loss of a virtual key than it is to prevent the loss of the physical key.
> The whole scheme is backwards. I don't want to authenticate myself to the server; I want to authenticate the server to me.
That's... interesting. My first thought when I read that is that the server is the one with your data and multiple users - so it needs to authenticate you to make sure that you only access your data and don't gain access to other users' data.
A server authenticating itself with you would tell you that you're actually talking to XYZ and not an imposter, but once that authentication took place you'd have access to everything on that server. Including other users' data.
Any authentication is one-to-one. The server authenticates to me, by first knowing who I am (my 'username' not a password), then using a scheme we agreed upon (our shared pair of private/public keys would be fine) to verify electronically that my machine belongs to me i.e. has the right keys.
So we are both authenticated to one another. Except now, we're using sophisticated passwords and Digital Computer Logic to work them out. Instead of my fallible wetware.
To steal a physical key you need to find a person and make him give you the key (and tell a PIN code if it is protected). It is hard to do on a large scale and you probably get beaten or go to jail soon.
And passwords can be stolen remotely using trojan software. You won't even know whether your password was compromized.
I agree the recovery can be a problem but there probably are ways to solve it.
What about fingerprints? You don't need to buy anything, phones and such are already coming out with fingerprint readers and the technology is improving all the time. Finally, you can't lose your finger print (except in the case of extreme accidents, which exist for any type of security).
We have those keys, technically supported in every browser, and you can decide on the level of security that you want - and store keys on highly secure tamper-resistant hardware tokens or manage everything purely in software of your choice.
It's called TLS client certificates and no one supports those.
Browser vendors make UIs that are absolutely awful (it's like they do this on some damned purpose!), there is no synchronization for low-security software tokens (yup, it's not a big deal to sync some private keys in a same way we sync other credentials like passwords), standardizing organizations don't work on multiple signatures (say, gradually ditching X.509 in favor of OpenPGP - TLS doesn't really care how blobs are encoded). So, the sites don't consume them, although technically everything's there - a <keygen> element, JS APIs, TLS, anything.
U2F works too, and it even hides the details about which sites you have registered in from everybody but each individual site owner - you can't identify the individual token of know if your users have registered elsewhere or not even if you compare account details. They use unique keypairs for every site.
As far as I get it (I haven't read much about U2F), U2F is generally perceived - and advertised - as a second factor, not the primary credential like a password.
On the other side, client certificates (be it TLS with X.509 or whatever) are generally considered as password replacements.
I mean, I suppose many don't want a password - just click an identity with autonomous credentials that don't depend on any third party, optionally do the confirmation ritual (hardware button, PIN entry) - and get recognized.
Ironically, it's easier for me to log into my internet banking than twitter because internet banking only has a hardware key and a simple 6 digit pin, but for Twitter, I have to go find my paper password list and type it in. It would be great if there was some kind of common hardware key that could be used on multiple sites.
Hey that looks fantastic. It only seems to be supported by about half a dozen sites though. I wonder if there are some big costs to a site adopting it.
The protocol is open, the libraries for implementing it are too. You just have to look into how it works and differ from what you have, and integrate it correctly into your auth system.
No doubt a lot of people suck at password management, but with proper management it's easier for a thief to steal a hardware key.
Or a phone. Which is why I hate that some new services require a phone number for authentication.
I don't think so. Stealing passwords from password manager with a trojan software is much easier (and safer) than breaking into somebody's house. In some countries you can even get shot for that.
You can say the same about credit cards: they can easily be lost, stolen etc. But generally they are better protected than internet bank account with just a password.
And the most appealing point is ease of use. Inserting a key and pressing a button is much easier for a common person than dealing with complicated matters like login, email or password.
> You can say the same about credit cards: they can easily be lost, stolen etc. But generally they are better protected than internet bank account with just a password.
I've physically lost one credit card and had multiple ones canceled unilaterally by the bank because some idiot merchant got hacked. On the other hand (afaik) I've never lost any bitcoin or any bank logins/passwords that were fully under my control.
I like the happy medium of one ultra quantum unbreakable master passphrase which is used to unlock easier to guess passwords. SO somebody owned your Imgur account full of memes. So what? Always assume an account is breakable.
It wouldn't be as secure as a special purpose device, but it would be a whole lot more convenient. Given that people are using banking and pay apps on their phones, I think it doesn't really introduce any new issues for the typical user.
Hardware might be a nicer UX (though god forbid you forget your dongle one day and are completely screwed). But I fail to see how it's more secure without a second form of authentication.
Passwords are awful UX design solution. The users have to think of and remember some meaningless phrase to get the service they really needed. If you use easy password, your account can be hacked. If you use difficult password, you won't remember it in a week.
For some people remembering a password or login might be especially difficult.
You can use software to generate and remember passwords but all of them will be lost if you reformat your drive. Some of password managers are proprietary, non cross-platform and some would upload your passwords to the so called cloud so NSA can look at them too.
In any case your passwords can be easily compromised when your PC is infected or you use somebody's else device.
What we need is to get rid of this obsolete system. We need hardware authorisation key (that could look like a real key) that can be used for both registration and logging in and would generate and securely store private keys for all used services. Such device should use strong crypto, should not allow exporting private keys, update firmware or operate without user confirmation.
I think such kind of keys will appear sooner or later, they are superior to passwords and password managers and easy to use but I am not sure that they will be open source, cross platform, and backdoor-free unless we do something in advance.