Gentoo Forums
RIP passwords: new web standard designed to replace login
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Wed Apr 11, 2018 8:57 pm    Post subject: RIP passwords: new web standard designed to replace login

Quote:
A new web standard is expected to kill passwords, meaning users will no longer have to remember difficult logins for each and every website or service they use.

The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.

Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.

“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.

One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.

WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.

“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance, one of the bodies pushing the new standard.

WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do, leaving them vulnerable to further attacks if one site is hacked.

The W3C has moved WebAuthn to what’s called the “candidate recommendation” stage – the penultimate step before it becomes an approved web standard – inviting sites and services to begin implementing it. The web standards body announced that Google, Microsoft and Mozilla had committed to supporting WebAuthn, meaning that all major web browsers short of Apple’s Safari will implement the new standard.

“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.

Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key. But a single cross-platform, cross-service standard ratified by the W3C will mean that many more sites and services will be able to kill the password as the de facto login method.

WebAuthn is the culmination of many years of work and the change will not happen overnight. But as it increasingly seems inevitable that our email or other online services will get hacked into, removing the password is an important step in improving online security and making using sites and services easier.

https://www.theguardian.com/technology/2018/apr/11/passwords-webauthn-new-web-standard-designed-replace-login-method
_________________
"Sex: breakfast of champions" - James Hunt
pjp
Administrator
Joined: 16 Apr 2002
Posts: 17350

PostPosted: Wed Apr 11, 2018 9:35 pm

Biometrics, smartphone, fingerprint scanner or webcam, BlueTooth, NFC? No thanks.

Maybe that's a business opportunity for BDaaS (burner devices as a service). With a pricing structure allowing more devices checked out at any given time with higher price.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Wed Apr 11, 2018 10:51 pm

pjp wrote:
Biometrics, smartphone, fingerprint scanner or webcam, BlueTooth, NFC? No thanks.

Maybe that's a business opportunity for BDaaS (burner devices as a service). With a pricing structure allowing more devices checked out at any given time with higher price.
Anything worth its weight forces you to use two-factor authentication: Google, AWS, Dropbox...

...and to open your phone you need a fingerprint. So you're already using it without realising it.

(OK, I realise none of those *forces* you but it's best practices)
_________________
"Sex: breakfast of champions" - James Hunt
pjp
Administrator
Joined: 16 Apr 2002
Posts: 17350

PostPosted: Thu Apr 12, 2018 2:07 am

I'm not associating anything with everything, and certainly not where I'm the product. I briefly tested fingerprint to unlock but stopped using it.

I use F-Droid, not Google Play. I've never signed up for any of the "social space" big players (and don't see the future when I would). Currently the only things I'm signed up for and use are email and here. I have signed up for a couple of small places, but no longer use the logins.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
erm67
Apprentice
Joined: 01 Nov 2005
Posts: 223
Location: Where the black men cannot enter

PostPosted: Thu Apr 12, 2018 7:31 am

https://www.w3.org/TR/webauthn/
Quote:

Abstract

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.


looks a lot like regular public key authentication ..... regular RSA or ECDSA, like ssh.

https://developer.android.com/training/articles/security-key-attestation.html


Of course a full RootOfTrust requires that the device is locked, runs original firmware, and is up to date :-)

The title is misleading since you can use a password to access your certificate (like in ssh); it should be more "RIP password sent over the wire", since the password can still be used.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5166

PostPosted: Thu Apr 12, 2018 3:16 pm

Sounds a lot like the <keygen> HTML tag. Which was culled from the spec and browsers a year or two ago, because no websites had used it in decades.

I think I'll just stick to `pass`.
Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 458
Location: NRW, Germany

PostPosted: Thu Apr 12, 2018 3:58 pm

Whenever I read the words "new web standard" the first thought that pops up in my head is "no".
erm67
Apprentice
Joined: 01 Nov 2005
Posts: 223
Location: Where the black men cannot enter

PostPosted: Thu Apr 12, 2018 4:54 pm

We're all wrong, it's just a standardization of 2F authentication ......

Quote:
1.1. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §12 Sample scenarios.
1.1.1. Registration

On a phone:

User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.

The phone prompts, "Do you want to register this device with example.com?"

User agrees.

The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.

Website shows message, "Registration complete."

1.1.2. Authentication

On a laptop or desktop:

User navigates to example.com in a browser, sees an option to "Sign in with your phone."

User chooses this option and gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discrete prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed in, and navigates to the signed-in page.

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the fob.

A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.

_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
Marcih
Tux's lil' helper
Joined: 19 Feb 2018
Posts: 81

PostPosted: Thu Apr 12, 2018 7:44 pm

Dr.Willy wrote:
Whenever I read the words "new web standard" the first thought that pops up in my head is "no".

++

When I saw the announcement in my RSS reader (yes, I am subscribed to the W3C News RSS feed, no, I don't actually read it) I just rolled my eyes and moved on. I'm happy with my passwords and I don't have that many accounts where I wouldn't be able to keep track of my passwords.
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

PostPosted: Mon Apr 16, 2018 1:19 am

You're a bunch of dinosaurs and cokey is right. Get off his lawn.
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Mon Apr 16, 2018 7:38 am

It's definitely about time something was done. Having to remember so many passwords, each with their requirements, means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point.
_________________
"Sex: breakfast of champions" - James Hunt
Naib
Watchman
Joined: 21 May 2004
Posts: 5434
Location: Removed by Neddy

PostPosted: Mon Apr 16, 2018 7:53 am

cokey wrote:
It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point
why do you want to take the livelihood of phishers away
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 458
Location: NRW, Germany

PostPosted: Mon Apr 16, 2018 10:42 am

Bones McCracker wrote:
You're a bunch of dinosaurs and cokey is right. Get off his lawn.

Friendly reminder that the chip in your head can support RSA without problem.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 17350

PostPosted: Mon Apr 16, 2018 4:05 pm

cokey wrote:
It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point
If that's your only problem, it was solved ages ago. It's called a password manager.
_________________
The whole system has to go. The modern criminal justice system is incompatible with Neuroscience. --Sapolsky
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2472

PostPosted: Mon Apr 16, 2018 10:01 pm

So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

PostPosted: Mon Apr 16, 2018 11:03 pm

Dr.Willy wrote:
Bones McCracker wrote:
You're a bunch of dinosaurs and cokey is right. Get off his lawn.

Friendly reminder that the chip in your head can support RSA without problem.

Pffft. Mine supports fuzzy Rorschach n-order elliptical curve with evacuated Heisenberg seed. Doesn't come out 'til Windows 2019.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

PostPosted: Mon Apr 16, 2018 11:05 pm

The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:

Yeah, like when somebody pulls your fingerprint off a glass. Whaddaya gonna do? Get new fingers?
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Mon Apr 16, 2018 11:14 pm

Naib wrote:
cokey wrote:
It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point
why do you want to take the livelihood of phishers away
:lol: At the moment I'm Russia and FancyBear's favourite target
_________________
"Sex: breakfast of champions" - James Hunt
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Mon Apr 16, 2018 11:35 pm

The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
I'm so happy they can replicate my iris remotely
_________________
"Sex: breakfast of champions" - James Hunt
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

PostPosted: Mon Apr 16, 2018 11:36 pm

cokey wrote:
The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
I'm so happy they can replicate my iris remotely

Have you never seen "red eye" in a flash photograph? Easier than you think.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1605
Location: U.S.A.

PostPosted: Tue Apr 17, 2018 3:11 am

And, this is why the biometric of the future is the dick-print.
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2472

PostPosted: Tue Apr 17, 2018 3:27 am

cokey wrote:
The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
I'm so happy they can replicate my iris remotely
You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
erm67
Apprentice
Joined: 01 Nov 2005
Posts: 223
Location: Where the black men cannot enter

PostPosted: Tue Apr 17, 2018 9:04 am

The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:


Actually the non-password (or password) is used to unlock the HW-backed physical keyring on your phone that contains all the certificates that have been exchanged with various web sites.
The non-password is only used locally to unlock the keyring on the phone.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

PostPosted: Wed Apr 18, 2018 10:47 am

The Doctor wrote:
cokey wrote:
The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
I'm so happy they can replicate my iris remotely
You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.
Iris scanning is a mathematical interpretation and is therefore kept under an encrypted system. You would therefore need your JavaScript to somehow recognise whether it is successful or not. And then steal my phone. And then find some way to put that mathematical representation into the phone while the sensor is looking at something. And then interrupt the false identification and send the correct maths.
_________________
"Sex: breakfast of champions" - James Hunt
erm67
Apprentice
Joined: 01 Nov 2005
Posts: 223
Location: Where the black men cannot enter

PostPosted: Wed Apr 18, 2018 4:23 pm

cokey wrote:
The Doctor wrote:
cokey wrote:
The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.:roll:
I'm so happy they can replicate my iris remotely
You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.
Iris scanning is a mathematical interpretation and is therefore kept under an encrypted system. You would therefore need your JavaScript to somehow recognise whether it is successful or not. And then steal my phone. And then find some way to put that mathematical representation into the phone while the sensor is looking at something. And then interrupt the false identification and use the correct maths to unlock the keyring in the phone and use the correct keypair to log in to the website.


FTFY
If it were as you say, then your password (the math representation of your iris) would be the password for every website on the 'net, but instead there is a different 'password' that is sent over the wire for every website. Otherwise the guys at Google could look into your Yahoo account if the password were the same.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ
All times are GMT
Page 1 of 2