Post AVHka4suepxg0dASEC by jay_chi@mastodon.social
Post #AVHiwxuEZR5X7KZUQq by lauren@mastodon.laurenweinstein.org
2023-05-03T17:31:18Z
0 likes, 0 repeats
***** The obvious solution to the Google passkeys problem *****
Use of passkeys should require -- at least when biometric phone locks are not in use -- an authentication system *separate* from that used to unlock the phone. That way, a spied unlock password and stolen phone would not give the thief the ability to use the passcodes stored on the phone with such ease. -L
Post #AVHjYfgalDNHc4AblQ by atanas@mastodon.cloud
2023-05-03T17:38:07Z
0 likes, 0 repeats
@lauren But that would defeat the purpose of simplifying the login process. I'm not defending the simplification objective, FTR.
Post #AVHk3BR5HPAAlrSwGe by lauren@mastodon.laurenweinstein.org
2023-05-03T17:43:37Z
0 likes, 0 repeats
@atanas Too much simplification can put the most vulnerable users at additional risk.
Post #AVHkOFsXxL8IdEMJOK by lauren@mastodon.laurenweinstein.org
2023-05-03T17:47:28Z
0 likes, 0 repeats
@DuncanWatson @atanas Years ago, I wrote "Passwords must die!" -- but the devil is in the details.
Post #AVHkTrk4bn89Vj4SUy by bhawthorne@infosec.exchange
2023-05-03T17:48:26Z
0 likes, 0 repeats
@lauren Tried to create a passkey on my iPhone for my legacy Google domain account, and Google says it isn’t supported. Couldn’t find anything in admin.google.com to enable passkeys. Guessing this is just another of those things that won’t be available to those of us with legacy domains.
Then, I successfully created a passkey for the Gmail account I use for YouTube Music, which apparently got stored in my iCloud account. Tried to create a passkey for another Gmail account on the same device and it repeatedly said there was a problem. Please tell me they didn’t limit passkeys to one account per device.
Post #AVHka4suepxg0dASEC by jay_chi@mastodon.social
2023-05-03T17:49:37Z
0 likes, 0 repeats
@lauren Back when it was known as two-factor, the rule was something you know and something you have. This covered both identity (via the "something you have", because it was often provided by an authority) and INTENT, because presumably if unintended, you would not enter the secret that you know.
This concept of intent seems to be less and less important as newer forms of authentication try to minimize the "something you know" portion of the challenge.
Post #AVHlUafxe7cIpA3aW8 by atanas@mastodon.cloud
2023-05-03T17:59:43Z
0 likes, 0 repeats
@lauren Exactly! I understand the impetus behind simplification (onboard more users), but it can backfire, for it's a double-edged sword.
Post #AVHmK5CFvi52FfiS12 by admin@mastodon.slightlycyberpunk.com
2023-05-03T18:07:28Z
0 likes, 0 repeats
@jay_chi @lauren Perhaps it ought to use biometrics for that? I mean, as much as I hate biometric auth, as so many of them are wildly insecure... when I was in school we were taught "something you have; something you know; and something you are" -- i.e., a password, a physical key, and a biometric. So a short PIN to unlock the phone, the phone itself, and a fingerprint or Face ID to access the keys?
Post #AVHmK6AWJeHnGZuZwu by lauren@mastodon.laurenweinstein.org
2023-05-03T18:09:05Z
0 likes, 0 repeats
@admin @jay_chi Forcing people to use biometrics would cause a firestorm of protests. There are a multitude of reasons why people choose not to use them, even assuming their devices are so equipped.
Post #AVHnWzbK95W2cFA2q0 by admin@mastodon.slightlycyberpunk.com
2023-05-03T18:22:34Z
0 likes, 0 repeats
@lauren @jay_chi Yeah... definitely would need a fallback... problem is, if it needs a complex password then it's kinda just another typical password manager, isn't it?
I could see the phone-as-a-password idea being useful for certain kinds of accounts that don't need high security... but I don't think that would typically be the case for a Google account.
Then again... iPhones will give up stored passwords pretty easily, so maybe that fight is already lost... always freaks me out a bit when my mom asks for help on her iPhone and I can just go into the device settings and find whatever passwords I need... pretty sure all you need for that is the PIN...?
Post #AVLqA8AHDULR0h8jNA by scottmace@twit.social
2023-05-05T17:10:56Z
0 likes, 0 repeats
@lauren I asked Leo LaPorte about your concerns, and he replied: "The face or touch ID is invoked when you’re authenticating with Google. So even if your phone is unlocked, it’s still going to do the second check."
Post #AVLqRGWfNpHBrfmbiK by lauren@mastodon.laurenweinstein.org
2023-05-05T17:14:05Z
0 likes, 0 repeats
@scottmace Yes, I noted there is a second check, BUT, AFAIK -- and G seems to say this explicitly -- if the phone lock is not biometric (and many people can't or choose not to use biometric locks, for good reasons), a weak phone unlock PIN (for example), easily spied on or crackable, will give access to the passkeys. People's phone locks are cracked this way every day. The flaw is that the second check is just as strong (OR WEAK) as the phone unlock.
Post #AVLqgxAf70oYTByH0C by lauren@mastodon.laurenweinstein.org
2023-05-05T17:16:47Z
0 likes, 1 repeats
@scottmace That is, the passkeys unlock IS the phone unlock. And if the phone unlock is weak, getting into the phone gives full access to the passkeys, since there is no way to have a STRONGER (or at least different!) authentication for them vis-a-vis the phone lock. Google says this clearly, if someone can unlock your phone, they have access to the passkeys. This is not a good design, and is especially poor when biometric unlocks are not in use.
Post #AVLr3PJf9L7G8Ct7I0 by lauren@mastodon.laurenweinstein.org
2023-05-05T17:20:59Z
0 likes, 1 repeats
I have so far not seen anything from G to suggest that use of passkeys is restricted to devices that have biometric device unlock capabilities and have them enabled. If they've said this, please let me know where!
Post #AVLrFfAO2nH6lWORLU by kkarhan@mstdn.social
2023-05-05T17:23:09Z
0 likes, 0 repeats
@lauren I just wished #RFC-standardized #HOTP & #TOTP will become the norm for #2FA...
Post #AVLrSJmmqdpYDeOB2u by lauren@mastodon.laurenweinstein.org
2023-05-05T17:25:28Z
0 likes, 0 repeats
@kkarhan Unfortunately, these are subject to phishing attacks. FIDO keys are the safest solution in my opinion currently, since they can be physically separated from the devices they are protecting, and are theoretically not phishable.
Post #AVLrmjbCaKna4Khnkm by TrapperJohn@tootin.masto.host
2023-05-05T17:29:07Z
0 likes, 0 repeats
@lauren I read in their blog that devices without biometrics will just use their PIN.
Post #AVLrwUzZkQm9f7lJEu by lauren@mastodon.laurenweinstein.org
2023-05-05T17:30:55Z
0 likes, 0 repeats
@TrapperJohn Yeah, that was my understanding. So typical weak PINs can give away the store.
Post #AVLs88OfaAFp3k31xA by lauren@mastodon.laurenweinstein.org
2023-05-05T17:33:03Z
0 likes, 0 repeats
@TrapperJohn The point I'm trying to make is that while a phone unlock PIN can often be easily spied, a thief is far less likely to see someone entering a *different* authentication (even if just a different PIN) for passkeys access. But G doesn't give that option.
Post #AVLsYvAarsvpr5Ek7M by TrapperJohn@tootin.masto.host
2023-05-05T17:37:50Z
0 likes, 0 repeats
@lauren Right. So passkeys might help from getting hacked from the outside, but may not be much of a help around anyone that can see you or get ahold of your phone.
Post #AVLssWbBvr8hRQ1dlA by lauren@mastodon.laurenweinstein.org
2023-05-05T17:41:25Z
0 likes, 0 repeats
@TrapperJohn Yep. And in this case, G could make the situation much better simply by having an additional authentication layer for the passkeys that could be different than the phone unlock. Especially important when biometric phone locks are not in use.
Post #AVLtHk8YjbXOfWerGi by swetland@chaos.social
2023-05-05T17:45:53Z
0 likes, 0 repeats
@lauren I have had no chance to try passkeys, because, as usual, they don't work with apps-for-your-domain. Dasher Users: perpetual second class citizens in the Land of Google.
Post #AVLzGx5ThRBQGjDsFU by timbray@cosocial.ca
2023-05-05T18:49:02Z
0 likes, 0 repeats
@swetland @lauren It would simplify communication (as it does internally at Google) if we all just started saying "Dasher" to identify whatever Google has decided to call it this year.
Post #AVLzGxtShbAKlkbn9s by lauren@mastodon.laurenweinstein.org
2023-05-05T18:53:02Z
0 likes, 0 repeats
@timbray @swetland Of course there'd be some folks here with no idea what we were talking about, which probably wouldn't matter much anyway. So yeah.
Post #AVM462qmQrwkjAxytM by jamiemccarthy@mastodon.social
2023-05-05T19:47:04Z
0 likes, 0 repeats
@lauren @TrapperJohn My threat model includes a thief pointing a gun at me and saying “what’s your passcode,” then unlocking it to confirm I wasn’t lying before they let me go. That’s what happens pretty often now. If there’s a single passkey app that everyone uses, they’ll take that second factor too, if they need it.
The feature I need is a simpler PIN or bio key when the GPS and WiFi confirm I’m at home, and stricter security elsewhere.
Post #AVPWKQaWLwz2ast67E by resuna@ohai.social
2023-05-07T11:47:10Z
0 likes, 0 repeats
@lauren @kkarhan FIDO keys are HOTP.
And yes. I am actually angry at companies that don't support both major forms of OPEN OTP systems. I'm looking at you, Apple.
Post #AVPu3u2bzYJjuygERE by lauren@mastodon.laurenweinstein.org
2023-05-07T16:13:21Z
0 likes, 0 repeats
@resuna @kkarhan My point is that any code entered manually by a user can be attacked by man in the middle techniques. Keys can't.
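The distinction drawn in the two posts above (manually entered OTP codes versus FIDO keys) comes down to what the second factor is bound to. The following is an added example written for this page, not code from any participant in the thread or from Google, Apple or the FIDO Alliance. It implements HOTP exactly as RFC 4226 specifies (checked against the RFC's appendix D test vectors, whose ASCII secret "12345678901234567890" is reused here as constructed demo data), then models a FIDO assertion in simplified form: the per-site credential "signature" is an HMAC standing in for a real authenticator's ECDSA signature, while the rpId and origin binding, the browser's rpId rule and the server's origin and challenge checks follow WebAuthn's actual structure. The hostnames bank.example and bank-example.net are invented for the demo. A relayed HOTP code is accepted by the real server; the same relay of a FIDO assertion is refused, because the browser will not let the lookalike origin use the bank's rpId and the server would reject the signed origin anyway.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpRelyingParty:
    """HOTP verifier with a look-ahead window (RFC 4226 s7.4); each counter is accepted once."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.window, self.next_counter = secret, window, 0

    def login(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


class Authenticator:
    """Toy FIDO authenticator: one credential key per rpId. The HMAC stands in for the
    ECDSA signature of a real authenticator; the rpId/origin binding is the real mechanism."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # the relying party stores this to verify assertions

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes) -> dict:
        # The browser, not the page, supplies origin and enforces that rp_id is the
        # origin's host or a registrable suffix of it (WebAuthn rpId rule).
        host = origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{origin} may not use rpId {rp_id}")
        client_data = origin.encode() + b"|" + challenge
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(self._keys[rp_id], rp_id_hash + client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "rp_id_hash": rp_id_hash, "sig": sig}


class FidoRelyingParty:
    """Verifies origin, challenge freshness, rpId hash and signature of an assertion."""

    def __init__(self, rp_id: str, origin: str, cred_key: bytes):
        self.rp_id, self.origin, self.cred_key, self.pending = rp_id, origin, cred_key, set()

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.pending.add(c)
        return c

    def login(self, assertion: dict) -> bool:
        origin, _, challenge = assertion["client_data"].partition(b"|")
        if origin != self.origin.encode() or challenge not in self.pending:
            return False  # phished origin, or unknown/replayed challenge
        self.pending.discard(challenge)
        expected = hmac.new(self.cred_key, assertion["rp_id_hash"] + assertion["client_data"],
                            hashlib.sha256).digest()
        return (assertion["rp_id_hash"] == hashlib.sha256(self.rp_id.encode()).digest()
                and hmac.compare_digest(expected, assertion["sig"]))


SECRET = b"12345678901234567890"  # RFC 4226 appendix D test secret, used here as demo data


def phish_otp() -> bool:
    """Lookalike page collects the code the user reads off the token and relays it
    to the real server inside the window: accepted."""
    bank = OtpRelyingParty(SECRET)
    return bank.login(hotp(SECRET, 0))  # code typed into the phishing page, forwarded


def phish_fido() -> bool:
    """Same relay against a FIDO credential: the browser refuses bank.example's rpId
    for the lookalike origin, and even a produced assertion would fail the origin check."""
    auth = Authenticator()
    bank = FidoRelyingParty("bank.example", "https://bank.example", auth.register("bank.example"))
    challenge = bank.challenge()  # attacker fetched a genuine challenge from the real site
    try:
        assertion = auth.get_assertion("bank.example", "https://bank-example.net", challenge)
    except PermissionError:
        return False
    return bank.login(assertion)
```

The point the example makes is structural rather than cryptographic: an OTP is a bearer value with no notion of where it is being entered, so anything that can collect it within the validity window can replay it, whereas the FIDO assertion signs over the origin and rpId the browser observed, so it is only ever valid for the site the user is actually on.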
Post #AVPv5A5NvIv3vK8pGq by resuna@ohai.social
2023-05-07T16:24:15Z
0 likes, 0 repeats
@lauren @kkarhan HOTP is keys.
Post #AVPv8pw2mivAaNWaMi by lauren@mastodon.laurenweinstein.org
2023-05-07T16:25:36Z
0 likes, 0 repeats
@resuna @kkarhan Unfortunately, not necessarily.
Post #AVPvEgkvpGijr27KwS by kkarhan@mstdn.social
2023-05-07T16:26:33Z
0 likes, 0 repeats
@lauren @resuna In the end, everything can be phished, and the only fix is teaching people #TechLiteracy!
Post #AVPvKR2z8ygss7ImVU by lauren@mastodon.laurenweinstein.org
2023-05-07T16:27:41Z
0 likes, 0 repeats
@resuna @kkarhan Google Authenticator, for example, supports HOTP.
Post #AVPvW2l9GqEb1IUhfM by lauren@mastodon.laurenweinstein.org
2023-05-07T16:29:39Z
0 likes, 0 repeats
@kkarhan @resuna That's, as we used to say, a cop-out. Most people have busy lives and no inclination to learn and keep up with the ever changing tech security landscape. It's up to us to build systems that protect them. And no, FIDO keys cannot be phished.
Post #AVPvYCizBw7oVOVrto by resuna@ohai.social
2023-05-07T16:29:42Z
0 likes, 0 repeats
@lauren @kkarhan But effectively nobody actually uses it in that mode, because no site presents anything but TOTP QR Codes for authenticator programs.
Post #AVPvjqgowVOPdl3KlM by lauren@mastodon.laurenweinstein.org
2023-05-07T16:32:19Z
0 likes, 0 repeats
@resuna @kkarhan That's a different issue entirely. Point is, it's there, and in some cases it definitely DOES get used that way, much like some hardware OTP generators, counter based.
Post #AVPvsOdcbhkbFJdGMK by kkarhan@mstdn.social
2023-05-07T16:30:54Z
0 likes, 0 repeats
@resuna @lauren I do have to agree that we really need to make stuff more accessible... Just like #Thunderbird made #GnuPG #eMails easier and more accessible than anything else...
https://mastodon.laurenweinstein.org/@lauren/110328347314531806
Post #AVPvsPIk8odzIqs6SG by lauren@mastodon.laurenweinstein.org
2023-05-07T16:33:50Z
0 likes, 0 repeats
@kkarhan @resuna GPG is the perfect example of user UN-friendliness and why it has had virtually no uptake of note after all these years.
Post #AVPw06bLYDwxcgFCAy by resuna@ohai.social
2023-05-07T16:35:07Z
0 likes, 0 repeats
@lauren @kkarhan Point is, 99.44% of HOTP are FIDO keys, and anyone using Google Authenticator for HOTP is almost certainly not a naive user. Bringing up that functionality is just muddying the water.
Post #AVPw3waAk8QThxWcO8 by lauren@mastodon.laurenweinstein.org
2023-05-07T16:35:57Z
0 likes, 0 repeats
@resuna @kkarhan You said HOTP is keys, as a definitive statement. That is not correct. Q.E.D. Let's move on.
Post #AVPw9DCkMyzAi051m4 by resuna@ohai.social
2023-05-07T16:36:48Z
0 likes, 0 repeats
@lauren @kkarhan Practically it is. And you know it.
Post #AVPwD2pEtvb5g0ucAy by kkarhan@mstdn.social
2023-05-07T16:37:33Z
0 likes, 0 repeats
@lauren @resuna Maybe because #TechIlliterates neither know nor care nor force support for it across software and platforms.
It's like with people that use #AdobeReader to this day: they don't know better!
https://www.youtube.com/watch?v=158bJFTETRI
Post #AVSBgkdSyxshZswsDI by scottmace@twit.social
2023-05-08T18:40:23Z
0 likes, 0 repeats
@lauren Leo finally acknowledged this concern on his TWiT podcast yesterday.