Luddism #1: From passwords to passkeys
In the context of the passwordless desideratum that might be achieved by the generalization of solutions based on standards aimed at improving authentication security by moving away from passwords and towards biometric or cryptographic credentials, I wanted to express my “Ludditus says no!” opinion. To make it clear, this is about WebAuthn (Web Authentication), which uses public-key cryptography, and in which users can authenticate by using an external security key or built-in hardware like fingerprint sensors or facial recognition on their devices; it’s also about FIDO2 by the FIDO (Fast Identity Online) Alliance, which uses the WebAuthn API and the Client to Authenticator Protocol (CTAP).
■ The ratiocination coming from the Luddite that I am:
- Passwords are somewhat insecure and increasingly so, given the computational power of today that makes brute-force attacks more likely to succeed. OUCH! 😟
- But this can be mitigated in various ways, such as 2FA and logins that add a delay between attempts and block any attempt for a long time after a number of consecutive failures. COOL! 😀
- Well, 2FA can sometimes be insecure too, e.g. when an SMS can be intercepted. OOPS! 😲
- But you can have e.g. YubiKeys! COOL! 😀
- Which means you’ll pay for a monopolistic manufacturer and make them rich. Also, I find it inconvenient and reminiscent of the dongle times. OUCH! 😟
- OK, say you rely on passwords. Given that nowadays a typical individual would need to have dozens, if not hundreds of passwords, they are hard to remember, and storing them in a paper notepad or in a text file is insecure. OOPS! 😲
- But we have password managers, some of which are free! COOL! 😀
- Well, the best password managers are not free, which means “yet another civilization tax” and “let’s make some other companies rich”! OOPS! 😲
- Even worse, a password manager is a single point of failure! OUCH! 😟
- I also find them inconvenient. OUCH! 😟
- Hey, but you can live passwordless by using WebAuthn/FIDO2 keys! COOL! 😀
- Well, I also find this inconvenient. OUCH! 😟
- But when the passkey is stored by a device and all you have to do is to enter your PIN, fingerprint, or to use face recognition, this also creates a single point of failure, especially when you’re stupid enough to use Face ID! OOPS! 😲
- And, should you want to use password managers able to store keys, not only passwords, you’ll have to pay. The costs of living in a “modern” and “civilized” world. OOPS! 😲
Ludditus dixit: When “they” try too hard, all “they” can do is increase complexity and incur higher costs and inconvenience.
I’m against such solutions. They are secure, they can simplify life, but they also complicate it. And they add costs. I don’t use any password manager and I never will. Not in my lifetime. As for the passwordless logins with biometric shit, I’ll also have to die first.
■ Make no mistake: I don’t reject the use of SSH keys instead of passwords! On the contrary, this is the right way to use SSH! Public-key cryptography is da shit, although it has its limitations. A Zero Trust world needs to go beyond the dumb use of passwords in the enterprise world, and this is why there are advanced commercial Zero Trust Suites that can even eliminate SSH keys, and various Privileged Access Management solutions deemed to be “quantum-safe” (duh). What a stupid cliché! Quantum computers are a hoax and pretty much useless. GPUs are not. I see a problem, though, when people use good technologies to implement stupid ideas, then force them on the public.
■ A few links about password managers being single points of failure (despite most of them saying that “until we have a better solution, in most cases, the benefits with password managers far outweigh the risks”):
- SANS Institute: Are Password Managers Still Safe and Secure?
- Fast Company: Everything you ever wanted to know about password managers but were afraid to ask
- On StackExchange: A password manager is a single point of failure. Then why is it so often recommended nowadays?
- On Reddit: Are most password managers not a single point failure?
- On Reddit: Aren’t password managers actually a massive vulnerability to personal cybersecurity because they represent a single point of failure?
- PasswordBits: Are Password Managers A Single Point Of Failure?
■ A few links on the passwordless technologies:
- NordPass: Passkeys vs. passwords — which is better?
- Okta: Passkeys 101: What they are and how they will replace passwords
- BIO-key: Passkeys vs Security Keys: Which One Offers Better Protection?
- On Medium: Passwordless Authentication With Passkey: How It Works and Why It Matters
- WIRED: I Stopped Using Passwords. It’s Great—and a Total Mess
From the piece on Medium, let me show you how simple it is:
And a chronology:
From the piece in WIRED:
Over the past year, it has become possible to ditch the password and move to passkeys instead. Passkeys are generated codes—created using public key cryptography—that are stored on your device or in your password manager and let you log in to websites and apps using your fingerprint, face recognition, or a PIN. They can’t be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.
Google, Apple, Microsoft, Amazon, GitHub, PayPal, the UK’s National Health Service, OnlyFans, Nintendo, and more than 100 websites have started supporting passkeys. More than 8 billion online accounts can set up passkeys right now, says Andrew Shikiar, the chief executive of the FIDO Alliance, an industry body that has developed the passkey over the past decade. So, I decided to kill my passwords.
…
Put very simply, when you create a passkey, the website or app you’re using generates two pieces of code. One is stored by the website or app; the other is saved on your device. When you log in, you prove it is you via a face scan, fingerprint, PIN, or however you’d usually unlock your device, and the two pieces of saved code communicate with each other. That means that creating a passkey as a user is relatively simple. All you have to do is visit your account’s security settings and go through the options to set up and save a passkey. In most cases, that’s just a few clicks.
Logging in to my Coinbase account is the perfect example of how passkeys can work. To sign in to the cryptocurrency trading app—which I largely had forgotten I had an account with—it now just takes seconds. Opening the iPhone app, I can tap on the option to sign in with a passkey, which sits alongside the choice to enter my email address or sign in with an existing Apple or Google account. I tap the passkey option, and a popup appears to ask whether I want to “Use Face ID to Sign in?” and says it will use the passkey saved in my iCloud keychain. A quick face scan later, and I am logged in. No password, no username—under 20 seconds to sign in.
However, there are a few things that caused me problems setting up passkeys—my first attempt was disastrous. In that case, my work laptop wasn’t running an operating system that supports passkeys. While waiting for it to update, the PayPal app kept glitching and wouldn’t let me complete the passkey process. Then I couldn’t create one specifically for TikTok as I used my work Google account to create the account. When I tried to set up a passkey for Amazon and needed to scan a QR code on my phone, I found that my password manager, Bitwarden, currently doesn’t support passkeys on mobile.
Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)
“The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”
…
Most of my work is done on my laptop—and it’s rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.
However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead.
What else could people dream of, short of nuclear war? Of course, trading cryptocurrency and using TikTok and using Face ID already labels you as a shithead.
Just today I discovered the meaning of Ludditus… cool!
Just rants… avoid if you have something else to do.
I consider myself among the 2% more tech-savvy people I have around and reading your posts makes me feel I don’t have 1/8 of your tech knowledge… what is the hope for the rest?
This is not new: in the 90s we were both probably in the top 0.1% in technology knowledge, yet the potential for damage by bad actors was low. Now things are different: everything is digitized, and bad actors are no longer restricted by geography or limited to a small number of potential victims.
That today most digital criminals are from abroad is not only because they are sponsored by state actors or are simply outside the FBI's and Interpol's reach, but also because of a new phenomenon: I have a feeling most ill-intended domestic actors don't need to resort to operating outside the law by stealing passwords and 2FA codes; the local brilliant criminals who in the past robbed a bank and got away with it today just find it easier to join Google or a private equity firm and make far more than criminals did 50 or 100 years ago. Since a US senator can be bought for an average of just $250,000, these top institutions get to amass hundreds of billions and reward their people handsomely with a sizable share of the profits, so they end up earning 10 times more than the average worker… high-end crime solved in the US!
Current state and future:
I presume companies that truly serve customers, besides using these different cryptographic key schemes, will be restricting access from abroad more and more while introducing easily accessible and truly unique identifiers in our devices. Non-corporate VPNs will be pointless in 5-10 years. Governments, of course, will be fully on board with that, with a completely different goal in mind.
Not really. VPNs can be used to:
1. Evade censorship.
2. Break geo-blocking.
3. Avoid being caught torrenting in countries that criminalize that, especially France and Germany.
As a private user (not in a corporate network) I have never used a VPN “for protection when using open networks.” This is 100% stupid, and I wrote about that (under the vpn tag). Everything relevant is encrypted nowadays,
“Everything relevant is encrypted nowadays”, true, when you can trust the entity you use to communicate with.
Of course, the typical reason for being spied on in libraries and coffee places is now gone thanks to TLS, but getting another layer of protection is still valid when companies willingly hand over all the data when requested by authorities, many even without warrants… let's not mention data breaches that expose your precious IP too. Also, your internet provider sells your info for pennies… it may not be able to sell the content, but it can sell which pages and services you interact with, creating a unique (and qualitative) identifier of you just with that. VPNs are no panacea, not even close, but still an additional safety practice, if you trust the VPN provider, that is.
My IP is by no means precious as long as it’s not guaranteed, so it changes periodically. When people pay for a fixed IP, that’s usually because they run a server, in which case they actually want their IP to be publicly known!
And what info about me can my ISP sell?
STOP WITH ALL THIS PARANOIA BEFORE I CONSIDER YOU ALL MENTALLY RETARDED!
The only “precious data” regards my browsing habits, which are usually exploited through the so-called 3rd-party cookies. Also, any social network would obviously know your interests. Any “normal” e-mail service would be able to collect keywords and more from your mails. BUT THIS CANNOT BE FIXED BY USING A VPN.
I already reached the conclusion that most people (1) don’t know what they should be afraid of, or concerned about; (2) fear things they shouldn’t be afraid of; (3) believe in solutions that don’t solve anything; (4) believe themselves to be more important than they are; (5) don’t really understand that most profiling and targeted advertising is really “anonymized” and that one’s real identity need not be known.
It’s a lost cause. After all, people believe in God, so how can I expect reason from them? (I tried to become a believer in God almost as many times as I tried to take up smoking. I kept failing at both endeavors.)
I used not to believe in God, but with age I tend to believe in its usefulness for us. It reminds me of the film The Mist (I did not read the book since I am not a fan of King), but he did bring a topic to light: at the weakest point of our existence, it provides us with a hope that nothing else can substitute. I did like the movie!
I tend to agree with the utilitarian view of religion, but we have to ignore the abuses of the past (La Santa Inquisición, etc.).
Of course, what God? And why only people who believe “in the right God” (hence in Jesus), preferably also “in the right denomination” (Catholic?) can hope in salvation? How about the rest of the planet? How about people who died before Jesus? And how is a Trinity monotheistic? Why couldn’t God just say “let Mary be pregnant,” or, even better, “let Jesus be NOW”?
And then, of course, how come there’s so much evil in the world, how come prayers don’t seem to be answered, how come that prayers are even a thing when God is supposed to be omniscient, etc. etc. etc.
I’m not Dawkins, nor other militants, and I’m poorer than Ricky Gervais and much more alive than George Carlin, but I could write books on the lack of logic of religions. However, this is completely useless, as logic and philosophic inquiry have never made an atheist out of a believer.
The news about the upcoming Windows 365 Link computer (Verge, Microsoft, video) reminded me that this kind of Desktop-as-a-Service (DaaS) is one of the best targets for using passwordless authentication. It also reminded me that most Single Sign-On (SSO) implementations support various 2-factor authentication solutions, including passwordless ones.
The ecosystem of authentication APIs, authentication protocols, and identity and access management policies and technologies is such a complex jungle that I feel the apocalypse might come from the reality of using them in a world increasingly based on the Cloud, if not even “everything in the Cloud.” Because most security issues exist for the mere reason that the Internet exists, and people and machines are authenticating over the Internet. Even when using a VPN connection to your corporate network, you’ll have an overly complex and fragile SSO stack of shit.
Windows 365, which is a simplified offering built on the technologies behind Azure Virtual Desktop (formerly Windows Virtual Desktop) is not the first Desktop-as-a-Service OS.
ChromeOS isn’t, either. And there are important differences between the two. Despite not having much software beyond Chrome, a Chromebook runs ChromeOS locally. Windows 365 Link has no local OS, it entirely streams the Windows Cloud PC. No Internet, kaboom!
A fully streaming OS is Shells, which streams Linux (I guess). It’s so popular that Manjaro’s website doesn’t advertise it anymore, although 2 years ago they had a partnership which meant that Shells was prominently shown on Manjaro.org.
Possibly the first attempt at something similar to ChromeOS was Gaël Duval’s Ulteo Open Virtual Desktop from 2008. It was such a huge failure that there’s neither an English nor a French Wikipedia page for it! Here’s the Italian one.
But all these “almost all in the Cloud” or “all in the Cloud” (running from the Cloud or even booting from the Cloud) systems remind me of the mainframes and minicomputers of the 1970s and 1980s. Back then, you were using dumb terminals, and everything was running elsewhere. Even when you had a graphical station, the X Window protocol was designed to be able to stream over the LAN.
Today, NVIDIA GeForce NOW does a similar shit, but you stream the video from the Cloud. Isn’t it nice how progress is actually regress, and how it requires more and more Internet bandwidth?
I’m pretty sure this is entirely “green,” and that it contributes to the “net zero” CO2 goal.
Also, what’s left of the PC concept?
BTW, I’m using autologin on my computers.
I hate Linus Sebastian from Linus Tech Tips, and I’m not entirely happy with Derek Muller from Veritasium, because many of his videos are quite forced in an attempt to find paradoxes or sophism where there’s no such thing, because without sensationalism how are you going to make money on YT? Still, many of Derek’s videos are interesting, and in this video, albeit I hate its formula, important information is conveyed regarding the vulnerability of the SS7 protocol used in mobile networks, which also affects the SMS-based 2FA: Exposing The Flaw In Our Phone System (Sep 22, 2024).
There are relevant links in the description.
Well, maybe the Internet shouldn’t have been invented, or at least there should have been no need for 2FA.
Authenticator apps are better: yeah, they force them on us. Even IONOS forces me to use one! That means I cannot log in to the control panel without my phone! I obviously hate this.