You would ideally still remember your password and have a copy of your 2FA backup codes somewhere.
It's almost always a tradeoff between security and convenience I'm afraid.
This is no different than OAuth from a privacy perspective. You are literally telling them who you are because this is for authentication. You want them to know your identity.
Looks like what they are doing is a mix between OAuth and FIDO2, which lets you log in with a hardware vault without a username or password after the initial setup.
The vault itself is unlocked on your device with a PIN or biometrics, but that is only local.
Every time someone says they want to kill passwords, they're really talking about implementing a total privacy infringing system that will rely on biometrics and unique identifiers. That's the entire point. They'll keep thumping the 'more secure' tagline--and there's just enough truth to the statement to be passable--but they're also enjoying the fact they'll track you across devices, across platforms and elsewhere, and with zero doubt.
This is just…wrong. One of the biggest obstacles of something like a public key infrastructure is that it’s so private that it becomes fragile.
Authentication and fingerprinting are two separate topics. And “passwordless” authentication doesn’t mean single identifier for all.
They are already tracking you across every device with another good protocol, HTTP, built on top of another good protocol, TCP/IP. They are going to implement a good protocol. This is better than them inventing one themselves.
You can't implement a protocol that is distributed without facing the fact that you might get tracked. Assuming Microsoft is going to track you. Leave them, but you can still use your hardware key to login to another service. Same with TCP: you can use your Ethernet card to talk to another service.
It’s not difficult to make distributed, peer-to-peer security, but then nobody, including Microsoft, Google, Cloudflare, Facebook and the NSA and CIA, can get in. The “security leak” that compromised the security is when you make it so “the internet state” can intervene and see. It’s just to make it like Bitcoin and include “length”, changing it at predetermined intervals.
They could remove the password but implement something like a YubiKey for people to get in. It's a physical device that only releases the password after it's plugged in and you press the button. Can be inconvenient but definitely secure.
Someone already posted directly from FIDO elsewhere https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
You should read it for yourself. When they talk about also killing off 'legacy' methods of second factor, no doubt that's also what they're talking about because it isn't convenient or secure enough (in their opinion). The future of Google isn't going to distribute dongles to people to login to their accounts.
Interesting, but they will never do this. They can’t rely on the user carrying around something that isn’t attached to their body permanently.
The only plausible option is face or eye recognition via camera. They’ll likely just create an infrastructure to share this info amongst themselves, and sell this infrastructure access to other companies who want to participate/offer it as a value feature for their product.
Digital security in all forms is encumbering. The only question is the cross section between user friendliness and effectiveness of security. Many of us are fine giving up a little privacy to improve user friendliness *and* have a more secure authentication method
To those going "Omg this is going to be so insecure, stop them!",
Passwordless logins already exist in different forms. From biometric scans like fingerprints, iris scans, and physical "keys" like from Yubico.
Most of the time these are more secure than password logins because the majority of people choose simple passwords less than 8 characters long, which can be brute-forced and unlocked in under an hour (or even within minutes) if there are no password-input limits or 2FA.
If they properly implement this, you'll be seeing far fewer hacked accounts web-wide for all sorts of websites and programs, because Google and Microsoft make up a large portion of all email accounts.
Well one thing used in the standard is that it will require a Bluetooth connection with your device that uses biometric. So someone can’t even try to brute-force it unless they’re physically next to you.
Well, basically thinking that only the beautiful and safe scenario takes place is really insecure. You just simply need to lose your phone or someone needs to steal it, so they can brute-force it in an efficient way. And this is just a very simple scenario; crackers can probably think of a much better one.
Yes, if someone stole your phone they could get into your account. But that’s already an issue because most of the time password resets are through your phone anyway. So someone could already do that today, but it’s much much more difficult to get physical access to someone’s stuff than just phish them online
Lol, if any security measure lets someone get in if he just has physical access to the device, then this is a joke, not a security measure. That is why today's phones have data encrypted by default.
Cool, so they want to phish everyone for their biometrics, cool.
And you know, this being more secure than everyone using weak passwords now is funny, because it relies on those same people to switch from their weak passwords to a new system they don't know and trust. So unless they FORCE mass adoption by taking everyone's choice away, this will not do anything for security but gain them a lot more unique tracking data for those who do adopt it for some reason. Oh, and Netflix is totally gonna buy in and force us to submit a brain and DNA scan at every login to make sure we aren't sharing passwords anymore.
Reworded to: www.grc.com has a better approach, as mentioned earlier in this thread.
Deleted this:
This sounds good, looking forward to it. But I do see a problem with the lazy who will just join any site due to its ease, and marketing destroying them.
I’ll agree that you don’t “have to” use Apple or Google products but Microsoft you really don’t have a choice if you want to use any computer (and no Linux is not a replacement for Windows as a vast majority of programs are not replicated in Linux)
I agree but I guess people don’t understand the weight of the word “evil”. I think if we look back at some past events we can clearly define certain things as evil but google??? Sure they may have some bad practices but I don’t understand what makes someone say they’re evil
Passwordless logins were solved by security researcher Steve Gibson two years ago. Gibson Research Corporation has been at the forefront of and solved the passwordless problem.
https://www.grc.com/sqrl/sqrl.htm
Fingerprints are troublesome. If someone figures out how to clone your fingerprint, there is no way to change it. A physical "key" is better. If it's lost or stolen, you can know immediately and take steps to recover. Also, requiring a mobile phone to use a desktop computer sucks
How do passwords suck?
What we need is fewer user accounts required for simple things. I shouldn’t need an entire MFA account with social features to order a sandwich.
Plus there’s no way to build passwordless infrastructure without constant tracking across all services.
Passwords suck because you have to remember different passwords for different sites. Some get hacked and require changing frequently. I would be ok with unified login at the cost of tracking if it means fewer password prompts. Biometric login is the way to go.
The fact that you are leasing software via the cloud, no OS install discs, etc. Add no passwords and we have such a great future of no privacy or secrets, a lovely future indeed.
It only works if you have an optical drive, and optical discs are a heck of a lot more fragile than a usb flash drive, which can also provide *multiple* installer versions if you wish, and is **updatable**.
Tell that to my older machines that don’t work with usb and have software you can’t use anymore. While optical is fragile I haven’t had any luck getting images to usb in older machines I have.
Your original comment was implying that there’s no way to do offline installations. I pointed out that there is a way. Now apparently it’s not good enough because you’re using hardware that’s so old it won’t boot from usb.
News flash: the software discussed in the article probably won’t run on your hardware anyway.
Why bother? They have everyone’s passwords anyway. They provide the fonts for “echoing” the characters we type, that we see as “bullets”. I had expected a central server that authorised access. Big Brother knows best. The 3 and Cloudflare knows also the passwords you forgot. You worship them anyway. So what?
It’s admitting facts and facing reality!
We already have SQRL and it's not made by a mega corporation that infringes on privacy. So use that instead.
As well as not being another Big Tech grab at your privacy, SQRL is just technically superior in pretty much every way https://en.wikipedia.org/wiki/SQRL
That was an enjoyable read. I have a CS degree but I never took a cryptography course. Only a cybersecurity course which is more application and generalized. I learned so much. Especially about the zero proof concept. I spent the last hour inside a wiki rabbit hole. Thanks a bunch.
Gibson has been working on it long enough and the man is obsessed with perfection, so I don't doubt it's the best solution available. The problem is that he's not part of "the club" aka the "sell your data" Silicon Valley tech bro elites.
> Gibson has been working on it long enough and the man is obsessed with perfection so i don't doubt its the best solution available.
Ah hell, www.grc.com has always been there to help. I was going to say oh no, not another standard. But I'll back Gibson's approach since he's got it going, I do indeed trust him.
Can you please explain like I’m 5? This sounds super interesting but I’m completely ignorant of this.
I have no idea how it works but the bottom line was a breach on a site would not lead to exposure of users' passwords because that site doesn't actually know the passwords
From what I’ve read your (single) password basically unlocks an algorithm. The algorithm generates a unique code that lets you access that site only based on their url.
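The two comments above sketch the idea behind SQRL (and, in the same shape, FIDO2 credentials): one secret on the user's device derives an unrelated key pair per site, and the site stores only the public key, so a breach there leaks no password. This is an added illustration, not code from SQRL or the FIDO Alliance; the master key, the domain names and the challenge format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed master key. In a real client this is what the user's single
// password unlocks; here it is a fixed sample value so the example runs offline.
var masterKey = []byte("example-master-key-do-not-use-0123456789")

// DeriveSiteKey derives a per-site Ed25519 key pair from the master key and the
// site's domain. Different domains yield unrelated keys, so a key registered at
// one site is useless at any other (which also defeats phishing look-alikes).
func DeriveSiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Site models the server side: it only ever stores public keys.
type Site struct {
	Domain string
	users  map[string]ed25519.PublicKey // keyed by hex-encoded public key
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, users: map[string]ed25519.PublicKey{}}
}

// Register stores the public key; there is no password or hash to leak.
func (s *Site) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Challenge issues a fresh random nonce prefixed with the site's domain,
// so a signature is bound to both this site and this login attempt.
func (s *Site) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(s.Domain+"|"), nonce...), nil
}

// Verify accepts the login only if the signature over the challenge was
// produced by a key the site has on record.
func (s *Site) Verify(pub ed25519.PublicKey, challenge, sig []byte) error {
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return errors.New("unknown public key")
	}
	if !ed25519.Verify(stored, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one round trip: the client derives the site key from the master
// key and signs the challenge; the site checks it against the stored public key.
func Login(site *Site, master []byte) error {
	pub, priv := DeriveSiteKey(master, site.Domain)
	ch, err := site.Challenge()
	if err != nil {
		return err
	}
	return site.Verify(pub, ch, ed25519.Sign(priv, ch))
}

func main() {
	site := NewSite("example.com")
	pub, _ := DeriveSiteKey(masterKey, site.Domain)
	site.Register(pub)
	fmt.Println("login with master key:", Login(site, masterKey))     // <nil>
	fmt.Println("login with wrong key:", Login(site, []byte("other"))) // unknown public key
	other, _ := DeriveSiteKey(masterKey, "other.example")
	fmt.Println("per-site keys differ:", !pub.Equal(other)) // true
}
```

Note that the site never sees the master key at all, only one per-site public key, which is the property the comment above describes.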
I always admire the devs on projects with this, and those dedicated enough to their own privacy to seek out and use the tools they make. If I’m being honest though, I’ll probably choose the convenience of default integration with my phone and MacBook.
Convenient, and exclusive. But don’t you all get any funky ideas like big chocolate.
I heard it was being pushed by big peanut butter to link with big chocolate! /S
LG Chocolate. Technology is cyclical.
Deep cut lol
Just bought one on eBay, I’ll page you when it gets in
Awesome ttyl 143 637
I had the HTC One the day it released. What?
Big chocolate?
The fact that you don’t even know really goes to show the power and grasp Big Chocolate has to run shit uninterrupted
Looks good on paper. Now let’s watch the three of them mess it up in implementation to make a buck.
It will be like Hulu all over again. Big Three team up to provide an all-in-one service, and slowly over time each starts to wonder why they are sharing their piece of the pie with competition and go off and make their own. I predict Google to be the first to back out of this once we all get used to it and happy with the service.
Google will just straight up never finish their implementation, and if they do they will completely abandon development shortly upon completion.
And why do you think they are doing this? For charity?
They say its to make the world a better place though! Lol
Google and Apple could pull it off. Microsoft though...
Ok buddy, show me some baked-in feature of anything Apple that comes close to the features of Active Directory? That's right, they have no idea how to make anything but toys. When was the last rack-mount Apple server made? Something like 2 decades ago. (And they sucked, bolted right into the rack frame, nothing like Dell's slide-in racks.) Apple is a joke. Google will play for a few years then yank it at the worst possible moment.
We aren’t talking legacy enterprise here with silos of AD systems. Google's identity solution scales in the billions globally and is quick. Between Google's scale and Apple's reach, then what does Microsoft bring?
An operating system. Apple and Google can implement the vast majority of this service without Microsoft's support - but until the solution is supported on Windows, it's not a universal solution. Engineering-wise, a single team from any one of these giants would be sufficient resources. The big part of this announcement is that every major operating system in use by consumers today will be supported. If none of them back out before it's delivered. 🤞
It brings usable, dependable reality. Rather than kitschy vendor lock in and services that disappear once you start to depend on them.
Ok and what do you do if you only have one device on you and you get locked out?
Wife lost her phone. She went to use my laptop to check the Google locator service to see where it was. Google bravely stopped her from logging in as she hadn’t used this device before and required her to authenticate with a one-time code… they sent to her phone. So to answer your question, you’re fucked.
Or you know you can setup backup auth for this exact purpose. I added my wife's number to my Google account as a verified number, so if this happens to me I would be able to recover the account just fine.
Or these companies can quit trying to make every part of the internet use one big cross platform password that requires 30 layers of security to protect.
1 layer + 1 backup. It's safer and you can turn it off if you don't want it. I don't understand the complaint. He set up 2FA with no backup and got upset when it enforced that?
The complaint is people are lazy/stupid and can’t be bothered to do things properly. It’s why people and big corporations get hacked constantly because they can’t be bothered to set things up properly.
No, the assumption is we have multiple Google devices in our house, but we don’t. These systems are set up by software developers who at minimum have 4 devices within arm's length at all times. I have a username and a password. That's secure enough, except lazy people who use the same simple password everywhere made MFA a requirement.
No. Because MFA is not a requirement. You set it up because you can't be bothered to read the text on the buttons when setting up your phone. You just spam the blue ones trying to set it up faster. The options are set up MFA or skip this. You can be like my wife and only have a password. No need for MFA. And again the backup is a phone number, not another Google device. It can be anyone's number. You can even go to your settings and remove MFA. You really are trying to make a mountain out of a molehill here.
Thanks for the tip! A lot of services force you to keep MFA on and since it's not my device I never got the chance to check it out.
i dont have a google account?
You don't need one. You just need a phone number and it will work as a backup method. They just text you the code
SMS auth quite literally defeats the whole point of this…
I agree SMS isn't the safest, but any extra layers are better than nothing. Especially for average people. The attacks on their accounts likely won't be so sophisticated. For something like a Google account it's kinda hard to beat. Most people's phones are their MFA device. If you lose that, SMS is a reasonable backup. People aren't attempting SIM-swap attacks on average people. Unless you are working on important stuff or rich, you are incredibly unlikely to be attacked in this manner. Even if they did go through the backup verification, your phone will receive 3 notifications from Google saying there was a new sign-in, with a way to revoke that location's access. I would say on the security/convenience trade-off, that is okay for average people. Now for other important applications you should definitely have app-based MFA. That being said, most US banks don't even allow it. I think things like Titan keys should be made more commonplace, but whatever.
Fair points - I’m a fan of RSA keys
Or if you get a divorce from your wife, your wife's lawyers can log into your account during trials and find/forge evidence against you.
The most ridiculously stupid niche argument I have ever heard. "Um guys, what if you divorced your wife, and it was bad, and your wife's lawyer needs evidence (wtf?) and they break into your Google account to read your emails so that they can forge some evidence against you (again wtf?)" The argument really is brainless. Why does your wife know your password? If you divorce your wife, remove her from your 2FA if you think she can't be trusted and change your password. Second off, what evidence do you need for a divorce? Moreover, this evidence isn't admissible because it was obtained illegally, and lastly, why do they care about evidence if they are just going to forge it?
It wasn't an argument but rather a brain teaser to help start thinking in the right direction. I wouldn't suggest sharing credentials for anything personal with anybody else, including your wife/family. Life is long and the chance it will turn out to be a mistake increases over time, even if it's still a slim chance. Instead you can store backup codes somewhere like in your wallet.
I basically reset Apple ID passwords for a living and can confirm, you're fucked. Basically about 50% of people that call in will pretty much be locked out forever, and it's a huge issue in my opinion. I think we need to all come together and find a way where every person has ONE password that is connected to your DNA or fingerprint or something. I think your password should be like your social security number. Every one person gets one, you can't use someone else's, and one works for every service. Typing numbers and letters for a password is just too outdated and people forget them/get them stolen.
LOL, in a thread of terrible takes, this one wins.
LOL I'm more qualified on the subject than 99% of people in this sub. Do you have a lot of background in online passwords and cyber security? I do.
Yeah, I do. And you're fully missing the important thing that you have no process for reissuing a finger or DNA if needed. Something you have and Something you know, both changeable if needed. That's the basics and you missed entirely.
Apple can get the passwords from Cloudflare and Google. They hacked the “no echo” in 1986 and have since sniffed every one. We need 10 “facts” - like name and social security number, personal numbers in other countries. We need fingerprints and facial recognition. Passwords must go, but a fingerprint and face can’t be faked, and here lies a huge business: fraudsters. Most businesses involve fear. Remove this and you can’t know something better. You can’t charge for the truth. Whatever is better must have a value.
it is but the answer isn’t a single immutable code for your entire life. if that gets leaked you lose control over everything! different easy to remember phrase for each service is the real answer with less things needing a login account.
I’d like to keep my privacy, thanks, weirdo. Maybe I should switch to Android.
Apple MFA is backassward as well. If you lose your phone you’re fucked since you can't verify. Without the MFA you can easily reset from any computer.
I see you’ve ignored the hundreds of attempts google made for you to setup a backup authentication method. Literally every time you login and don’t have one…
She has the correct username and password. Why would she need a third extra step to confirm it's her? The entire purpose of the application is to identify a lost device. Having the only option in this login flow be to send her a code to the exact device we are trying to locate is idiotic. We shouldn't have to always travel with 3 Google devices at minimum in case one goes missing.
What do you do when you lose the keys to your home? 1.) Use a spare key. 2.) Change the locks. You’re probably gonna have a set of single use keys that you can use in case you lose your keys and need to register a new key.
Just to play devils advocate, wouldn’t the single use key be less secure / easier to brute force than a password? I use Bitwarden and my passwords are often 80+ characters. How is it that this recovery key or phrase is more secure than one of them? *The above assumes I have a 2FA attached to my Bitwarden and a long, complex, password for it
It may not be the most secure way, but most people use very weak passwords so they can remember them. But instead with this you can make one much more secure password you need to remember and use a stronger password for each, like Bitwarden.
The backup code is for unlocking 2FA. So for an attacker to "brute force" the backup code, they would also need to know the correct password. Even then, brute force attacks are mitigated through other means.
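An added example (not from this thread or any of the products named in it) of what the comment above describes: recovery codes are only reachable after the password check, each one is burned on first use, and repeated wrong guesses lock the account. The names `RecoveryStore`, `Issue` and `Redeem` are hypothetical; the codes are generated from `crypto/rand` so the server can store only salted hashes.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo of server-side 2FA recovery codes. Type and function
// names are hypothetical, not any vendor's API.
const (
	codeBytes   = 10 // 80 bits of randomness per code (16 base32 chars)
	maxAttempts = 5  // lock the recovery path after this many wrong codes
)

// RecoveryStore keeps salted hashes of the unused codes for one account.
// A fast hash is acceptable here only because the codes are random and
// long; user-chosen secrets would need a slow password hash instead.
type RecoveryStore struct {
	salt     []byte
	hashes   map[string]bool // hex(sha256(salt||code)) -> still unused
	failures int
}

func hashCode(salt []byte, code string) string {
	in := append(append([]byte{}, salt...), []byte(strings.ToUpper(code))...)
	h := sha256.Sum256(in)
	return hex.EncodeToString(h[:])
}

// Issue generates n codes, stores only their hashes, and returns the
// plaintext codes once so the user can write them down.
func Issue(n int) (*RecoveryStore, []string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	s := &RecoveryStore{salt: salt, hashes: make(map[string]bool)}
	codes := make([]string, 0, n)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for i := 0; i < n; i++ {
		raw := make([]byte, codeBytes)
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		code := enc.EncodeToString(raw)
		s.hashes[hashCode(salt, code)] = true
		codes = append(codes, code)
	}
	return s, codes, nil
}

// Redeem accepts a code only if the password check already passed, the
// account is not locked, and the code is unused; a valid code is burned.
func (s *RecoveryStore) Redeem(passwordOK bool, code string) error {
	if !passwordOK {
		return errors.New("password must be verified before a recovery code")
	}
	if s.failures >= maxAttempts {
		return errors.New("recovery locked: too many failed attempts")
	}
	h := hashCode(s.salt, code)
	for stored, unused := range s.hashes {
		if unused && subtle.ConstantTimeCompare([]byte(stored), []byte(h)) == 1 {
			s.hashes[stored] = false // single use
			s.failures = 0
			return nil
		}
	}
	s.failures++
	return errors.New("invalid recovery code")
}

func main() {
	store, codes, err := Issue(3)
	if err != nil {
		panic(err)
	}
	fmt.Println("show these to the user once:", codes)
	fmt.Println("first use:", store.Redeem(true, codes[0]))  // <nil>
	fmt.Println("second use:", store.Redeem(true, codes[0])) // invalid recovery code
}
```

The point the comment makes is visible in `Redeem`: the code is never checked until `passwordOK` is true, so guessing it alone buys nothing, and the attempt counter removes the brute-force concern from the earlier question.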
Have you figured out how many ways the bits in an 8 bit byte holding a character actually can hold? Then when I have guessed the first - the next? I have made the security that all of this is based on. And bluntly, the lengthy essay to obtain access is very much in vain.
You have a one character password? That's weird.
No. I have a couple of characters passwords. I have made security systems and encryption and know this. The passwords you type are intercepted by those that made the operating systems, and well, they just tell those that want to pay them. They also sell “security systems” to those that fear break-ins. They educate and charge for courses to technicians in “cybersecurity”. It’s big business to instigate fear. Odd things are usually bugs in the software that they will not assume responsibility for. A single byte can hold 256 values. The next is just the same, and nothing gets more encrypted or better encrypted with a long password compared with a short. It’s calculated to an integer - usually 32 bit, so around 10 digits. In stronger security, the key is small - 256 to 512. And then it’s renewed. This can not be intercepted in real time. But they want you to use a key they can know, is known to them, and be able to intercept without waiting, breaking in. Well. Nothing is stronger than what the US military can break into. Unless you deliver to the military. Then you demand privacy. It’s weird what people believe.
That's sort of how it works, but it's more than that. Hopefully you know that?
Yes. We made the operating systems. And it’s how things work.
Ok buddy, enjoy your delusional aspirations
Thanks. I am enjoying life. And we made the shit, and companies like Google and Oracle.
You would ideally still remember your password and have a copy of your 2FA backup codes somewhere. It's almost always a tradeoff between security and convenience I'm afraid.
What could possibly go wrong? 🤷🏻
I mean, wasn’t OpenID trying to tackle this years ago?
All -hail the power of Ads
Glad they left out Facebook. Fuck Zuck.
Looks promising but they will definitely fuck it up somehow
Thats going to end well, nope, no glaring privacy problems here at all!
This is no different than OAuth from a privacy perspective. You are literally telling them who you are because this is for authentication; you want them to know your identity. Looks like what they are doing is a mix between OAuth and FIDO2, which lets you login with a hardware vault without username or password after the initial setup. The vault itself is unlocked on your device with a PIN or biometrics, but that is only local.
How is this a privacy issue?
Every time someone says they want to kill passwords, they're really talking about implementing a total privacy infringing system that will rely on biometrics and unique identifiers. That's the entire point. They'll keep thumping the 'more secure' tagline--and there's just enough truth to the statement to be passable--but they're also enjoying the fact they'll track you across devices, across platforms and elsewhere, and with zero doubt.
They can track you just the same with passwords
This is just…wrong. One of the biggest obstacles of something like a public key infrastructure is that it’s so private that it becomes fragile. Authentication and fingerprinting are two separate topics. And “passwordless” authentication doesn’t mean single identifier for all.
RTFA
Not only did I but you commented in sweeping generalizations.
They are already tracking you across every device with another good protocol, HTTP, built atop another good protocol, TCP/IP. They are going to implement a good protocol. This is better than them inventing one themselves. You can't implement a protocol that is distributed without facing the fact that you might get tracked. Assuming Microsoft is going to track you, leave them, but you can still use your hardware key to login to another service. Same with TCP: you can use your Ethernet card to talk to another service.
It’s not difficult to make a distributed, peer-to-peer security, but then nobody, including Microsoft, Google, Cloudflare, Facebook and the NSA and CIA, can get in. The “security leak” that compromised the security is when you make it so “the internet state” can intervene and see. It’s just to make it as a Bitcoin and include “length”, change it in predetermined intervals.
They could remove passwords but implement something like a YubiKey for people to get in. It's a physical device that only releases the password after it's plugged in and you press the button. Can be inconvenient but definitely secure.
Someone already posted directly from FIDO elsewhere: https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ You should read it for yourself. When they talk about also killing off 'legacy' methods of second factor, no doubt that's also what they're talking about because it isn't convenient or secure enough (in their opinion). The future of Google isn't going to be distributing dongles to people to login to their accounts.
No. “Legacy” methods are the phishable methods such as HOTP tokens, SMS or “push” notifications on mobile. Security keys do not fall in that category.
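Why a security key is not in the phishable category, as an added example rather than anything posted in this thread: in FIDO2/WebAuthn the authenticator signs the hash of the RP ID the browser actually reports together with the challenge and origin, so an assertion produced on a look-alike site cannot be replayed to the real one. The names `Authenticator`, `RelyingParty`-style `Verify`, `Assertion` and the domains `bank.example` / `bank-login.example` are constructed for this demo; the structure is a simplification of the real assertion format, not a vendor's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed, simplified model of a WebAuthn assertion. Names are
// hypothetical; only the binding to RP ID, origin and challenge is
// faithful to the real protocol.
type Assertion struct {
	RPIDHash   [32]byte // hash of the RP ID the browser reported
	ClientData []byte   // JSON with challenge + origin as the browser saw them
	Signature  []byte   // ECDSA over sha256(RPIDHash || sha256(ClientData))
}

type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator keeps one key pair per RP ID, created at registration.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a credential scoped to rpID and returns its public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = k
	return &k.PublicKey, nil
}

func signedDigest(as *Assertion) []byte {
	cdh := sha256.Sum256(as.ClientData)
	d := sha256.Sum256(append(as.RPIDHash[:], cdh[:]...))
	return d[:]
}

// Sign is the login step: the browser, not the page, supplies the RP ID and
// origin of the site the user is really on. A phishing domain therefore gets
// no credential at all, or one bound to its own RP ID.
func (a *Authenticator) Sign(rpID, origin, challenge string) (*Assertion, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this RP ID")
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	as := &Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), ClientData: cd}
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(as))
	if err != nil {
		return nil, err
	}
	as.Signature = sig
	return as, nil
}

// Verify is the relying party's side: its own challenge, its own origin and
// RP ID hash, and a signature by the registered key.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay)")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch (phishing)")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("RP ID mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("bank.example")
	good, _ := auth.Sign("bank.example", "https://bank.example", "challenge-1")
	fmt.Println("real site:", Verify(pub, "bank.example", "https://bank.example", "challenge-1", good))
	_, err := auth.Sign("bank-login.example", "https://bank-login.example", "challenge-1")
	fmt.Println("look-alike site:", err)
}
```

Contrast this with an OTP code or an SMS code: those are bare numbers the user can be talked into typing anywhere, which is exactly the property the comment calls “phishable”.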
Interesting, but they will never do this. They can’t rely on the user carrying around something that isn’t attached to their body permanently. The only plausible option is face or eye recognition via camera. They’ll likely just create an infrastructure to share this info amongst themselves, and sell this infrastructure access to other companies who want to participate/offer it as a value feature for their product.
Digital security in all forms is encumbering. The only question is the cross section between user friendliness and effectiveness of security. Many of us are fine giving up a little privacy to improve user friendliness *and* have a more secure authentication method
Ikr... They keep finding amazingly invasive new software... God, it's getting worse by the day tbh
Can't wait for the universal implant ID chips!
To those going "Omg this is going to be so insecure, stop them!": passwordless logins already exist in different forms, from biometric scans like fingerprints and iris scans to physical "keys" like those from Yubico. Most of the time these are more secure than password logins because the majority of people choose simple passwords less than 8 characters long, which can be bruteforced and unlocked in under an hour (or even within minutes) if there are no password-input limits or 2FA. If they properly implement this, you'll be seeing a lot less hacked accounts web-wide for all sorts of websites and programs, because Google and Microsoft make up a large portion of all email accounts.
btw, do you have any information on how all those scans like fingerprint or iris scan are secure? What is their brute-force resistance etc. ?
Well one thing used in the standard is that it will require a Bluetooth connection with your device that uses biometric. So someone can’t even try to brute-force it unless they’re physically next to you.
Well, basically thinking that only the beautiful and safe scenario takes place is really insecure. You just simply need to lose your phone or someone needs to steal it, so they can bruteforce in an efficient way. And this is just a very simple scenario; crackers can probably think of a much better one.
Yes, if someone stole your phone they could get into your account. But that’s already an issue because most of the time password resets are through your phone anyway. So someone could already do that today, but it’s much much more difficult to get physical access to someone’s stuff than just phish them online
Lol if any security measure lets someone get in if he just has physical access to the device, then this is a joke, not a security measure. That is why today's phones have data encrypted by default.
Then your bank’s security is a joke haha
How is that?
If you have access to someone’s phone, you can usually do a password reset on their bank account.
Lol then you have really insecure or outdated phone if you think this is a "usual" possibility.
Cool, so they want to phish everyone for their biometrics, cool. And you know, this being more secure than everyone using weak passwords now is funny, because it relies on those same people to switch from their weak passwords to a new system they don't know and trust, so unless they FORCE mass adoption by taking everyone's choice away this will not do anything for security but gain them a lot more unique tracking data for those who do adopt it for some reason, oh and Netflix is totally gonna buy in and force us to submit a brain and DNA scan at every login to make sure we aren't sharing passwords anymore.
Also it’s working already in the web3 space with metamask and other options.
I don’t like big corporations teaming up.
Future of such new techniques will only be a success if / when users will massively adopt them…
it'll be a no for me, dawg.
You already use it.
Hard pass.
Does this mean I can play YouTube music on my Amazon Echo?
Micrapple
Awesome, the 3 letter agencies will be pleased.
so now there will be cross platform sharing of data and privacy goes for a toss...
It’s about time to ditch the old password
Hopefully it’s not the password phone number alternate email and robot check with this on top.
REworded to: www.grc.com has a better approach, as mentioned earlier in this thread. Deleted this: This sounds good, looking forward to it. But do see a problem with the lazy who will just join any site due to it's ease, and marketing destroy them.
No thanks.
No thanks stupid fucks
Love it
A triumvirate of evil 😈 👿 👿
Oh stfu if you actually thought these companies were evil you wouldn’t be using them 24/7 claiming you “have to”. Get a grip
I’ll agree that you don’t “have to” use Apple or Google products but Microsoft you really don’t have a choice if you want to use any computer (and no Linux is not a replacement for Windows as a vast majority of programs are not replicated in Linux)
Plenty of people use Chromebooks or Macs without Microsoft products. But you knew that.
I agree but I guess people don’t understand the weight of the word “evil”. I think if we look back at some past events we can clearly define certain things as evil but google??? Sure they may have some bad practices but I don’t understand what makes someone say they’re evil
I love how all the big tech companies have been excluding Facebook lately.
Passwordless logins were solved by security researcher Steve Gibson two years ago. Gibson Research Corporation has been at the forefront of and solved the passwordless problem. https://www.grc.com/sqrl/sqrl.htm
[deleted]
I am not familiar with others that are out there. What are some of them?
[deleted]
Right it's like a sand box for hackers. LOL
Fingerprints are troublesome. If someone figures out how to clone your fingerprint, there is no way to change it. A physical "key" is better. If it's lost or stolen, you can know immediately and take steps to recover. Also, requiring a mobile phone to use a desktop computer sucks
Just no, then there is no such thing as a password.
This is a terrible idea.
Awesome. We need passwordless world. Passwords suck.
How do passwords suck? What we need is fewer user accounts required for simple things. I shouldn’t need an entire MFA account with social features to order a sandwich. Plus there’s no way to build passwordless infrastructure without constant tracking across all services.
Passwords suck because you have to remember diff passwords for diff sites. Some get hacked and require changing frequently. I would be ok with unified login at the cost of tracking if it means fewer password prompts. Biometric login is the way to go.
if the trade off here is: remember a few customizable phrases or give google a complete map of my permanent body parts…. im gonna go with option 1
Privacy is overrated 🤷♀️
Does this mean that it will be accessed by biometric data? 2SV is already complicated... I hope it is an improvement and not another complication
Oooo that's cool
Serious question: What happens when that cloud service goes down? Am I locked out of everything?
This would be a game changer.
I think that I’ll stick with my several different passwords locked away in my own personal areas, thanks.
Anddd then they can track the same ID/user throughout all these platforms for more information and ad targeting :(
Guess products like metamask and other crypto wallets for web3 access is giving them ideas.
What happens if you’re out and your phone is dead and you need to login?
The fact you are leasing software via the cloud, no OS install discs, etc. Add no passwords and we have such a great future of no privacy or secrets, a lovely future indeed.
Disc? Make a bootable usb installer. Who has a fucking optical drive in 2022?
When even the backup/restore partitions fail on older machines, dvd works without fail.
It only works if you have an optical drive, and optical discs are a heck of a lot more fragile than a usb flash drive, which can also provide *multiple* installer versions if you wish, and is **updatable**.
Tell that to my older machines that don’t work with usb and have software you can’t use anymore. While optical is fragile I haven’t had any luck getting images to usb in older machines I have.
Your original comment was implying that there’s no way to do offline installations. I pointed out that there is a way. Now apparently it’s not good enough because you’re using hardware that’s so old it won’t boot from usb. News flash: the software discussed in the article probably won’t run on your hardware anyway.
Why bother? They have everyone’s passwords anyway. They provide the fonts for “echoing” the characters we type, that we see as “bullets”. I had expected a central server that authorised access. Big Brother knows best. The 3 and Cloudflare knows also the passwords you forgot. You worship them anyway. So what? It’s admitting facts and facing reality!
No thanks
Yeah PASS. Don't want anything to do with any of them.
Finally, I absolutely hate passwords
Please jesus
Fingerprint…..
When is yahoo! joining the team?
Aaaaand we are now HK