Public key cryptography. I want to generate a public/private key pair and upload the public key as my identity when I register for an account somewhere. Then there is nothing to steal on their end.
I want to say this is how websites authenticate themselves to users, but SSL certs serve a somewhat different purpose.
https://www.varnish-cache.org/docs/trunk/phk/http20.html may resonate with you. Generally a lot of people were critical of Paul's opposition to SPDY, but I myself think he makes some good and valid points, especially regarding identity.
I'd like my phone to ask for some PIN or my fingerprint when I want to log in to something. No username, password or anything. Like Bluetooth pairing, I'd pair my phone with services that I register and they could trigger my phone to ask for my confirmation.
What's the difference between a PIN and a password?
I think the solution is public key cryptography. See my other reply. However, I don't want my private keys stored on a computer or phone, since they can be stolen. I want to store the keys on a frob (USB key, wireless doodad, whatever) that signs messages with private keys but can't be accessed directly. This frob would be protected with a password or PIN of some kind. The frob should display the requested confirmation (Log into Hacker News as cottonseed? Yes/No) and require direct confirmation. This is, for example, the architecture people are using for bitcoin hardware wallets, where the potential cost of failed security is very high.
I use Google Authenticator on iOS and Android. It's just a standards-compliant (RFC 6238) TOTP app, not anything Google specific. I've got six logins using it - Gmail, Dropbox, Amazon (AWS), GitHub, Digital Ocean, and an internal service.
One thing that is a bit badly done - and I understand why - is making it easy to have "redundant duplicates". When setting up a new TOTP three factor auth account, I need to get my iPhone, iPad, and Android phone all together and manually type in the seeds (or QR code them) to all three to ensure I'm not completely screwed if I lose the only device with the magic tokens…
I'd love to have more of my important stuff secured with TFA/TOTP.