Post AVcIM6jkk1jbrvsgYS by lauren@mastodon.laurenweinstein.org
 (DIR) Post #AVb2hjk77YtWV3NigC by lauren@mastodon.laurenweinstein.org
       2023-05-13T01:12:06Z
       
       0 likes, 0 repeats
       
       @dangoodin I am critical of Google's passkey implementation. Are you including me in your know-nothings category? Just curious, Dan. I've been working in this field for a very, very long time.
       
 (DIR) Post #AVb3vtP861q4TNsdY8 by lauren@mastodon.laurenweinstein.org
       2023-05-13T01:25:51Z
       
       0 likes, 0 repeats
       
       @dangoodin They're spread across a bunch of postings, but the foundational essence is that by permitting use of passkeys without additional authentication for access to G accounts on devices with weak locks, G is putting those G accounts at risk when those devices are stolen and unlocked using those weak locks -- an extremely common occurrence. My view is that at a minimum additional authentication should be required to access passkeys when non-biometric device locks are in use, keeping in mind that many people use very weak device locks and refuse to (or are unable to) use biometric locks for a range of reasons (both technical and legal). FIDO keys remain superior because they have physical separation from devices in most routine situations until actually needed. There are some other issues regarding user education and understanding of these technologies. That's the executive summary.
       
 (DIR) Post #AVb4qZTYrXLDAiynK4 by SteveBellovin@mastodon.lawprofs.org
       2023-05-13T01:35:59Z
       
       0 likes, 0 repeats
       
       @lauren @dangoodin I actually used your objections as a question on my class' final. Briefly: Google understands the unlock issue. Why did they do it anyway? Answer: it's an engineering decision and a trade off. Far more accounts are compromised through password compromise (phishing, keystroke loggers, etc.) than through forcible device unlock. (Most street thieves just want the unlocked device for resale, not for your bank account.) FIDO2 keys? Given cost and inconvenience, what is the uptake?
       
 (DIR) Post #AVb5HyWTqWByfmPcFk by topher@mastodon.online
       2023-05-13T01:41:06Z
       
       0 likes, 0 repeats
       
       @lauren @dangoodin If someone can hold a gun to my head for my unlocked phone and that's all it takes to log in anywhere and access all my most sensitive data and communications, that is not at all adequate enough for me. They should still need to cross a river of alligators to then proceed through a series of Indiana Jones tier traps into an underground dungeon to then crack a safe containing an encrypted hard drive containing an ed25519-sk keyfile that itself requires a hardware key.
       
 (DIR) Post #AVb5wBj6AuaBCqUOXI by lauren@mastodon.laurenweinstein.org
       2023-05-13T01:48:20Z
       
       0 likes, 0 repeats
       
       @SteveBellovin @dangoodin Yeah, it's a compromise, but Google has a long, long history of skewing their compromises in ways that disadvantage the most vulnerable of their users, who have the least understanding of the risks (for example, the most likely to use weak device locks). As you know, I've pushed about this regarding Google from the outside and (those times I've been working internally there) from the inside. For many years. More and more, stolen phones are quickly locked by the thieves and accounts scrutinized for crypto wallets and other valuables. I assume you've seen the stories of people being locked out of Apple accounts and Apple's unwillingness to help (as one example). As passkeys become better known for the ability to give access to lots of goodies without additional authentication, they will join that club. All Google really needed to do to avoid this issue was provide the option for an additional authentication step for access to passkeys, and urge its use when biometric device locks are not enabled. As it stands currently, I would not use passkeys on any of my mobile devices, and when asked, I am recommending against their use for most users, at least when strong 2sv is enabled on accounts. This stance could of course change if Google adds additional authentication options as I've outlined.
       
 (DIR) Post #AVb6aANsaJaUcucx8K by lauren@mastodon.laurenweinstein.org
       2023-05-13T01:55:33Z
       
       0 likes, 0 repeats
       
       @nazgul @SteveBellovin @dangoodin The problem is not limited to iOS, but of course iOS has the majority in the U.S. (unlike the rest of the world where Android dominates). iOS has a particularly nasty problem now with thieves quickly resetting the security key to lock the owner completely out of their accounts, and so far Apple has refused to take actions about this (but has said they're thinking about it, last time I checked).
       
 (DIR) Post #AVb8SVId8cE95Oe6ro by lauren@mastodon.laurenweinstein.org
       2023-05-13T02:16:34Z
       
       0 likes, 0 repeats
       
       @dangoodin @nazgul @SteveBellovin Thanks Dan. Hoping to still be around in 20 years! Yeah, the iCloud situation appears to be targeting weak device locks by shoulder surfing (or in some cases, just very weak locks to begin with, easily hit within a few tries). It's amazing how *fast* some of these thieves work (with both iOS and Android) to lock owners out of accounts once physical device access is attained. The devil is always in the details, and I'm not at this point recommending a specific form of additional authentication (or other potential measures) to better protect passkeys on devices with weak device locks. But I would like to see some dialogue with G about this issue, because I am concerned that users who are already the most vulnerable to having their phones successfully compromised are most likely to have their G accounts quickly compromised as well if they use passkeys with weak device locks. And across the user population of Google, that could be a significant number of users in absolute terms, even if not a very high percentage overall. Thanks again. -L
       
 (DIR) Post #AVb9xdrhRP5aaDSeA4 by lauren@mastodon.laurenweinstein.org
       2023-05-13T02:33:20Z
       
       0 likes, 0 repeats
       
       @dangoodin @nazgul @SteveBellovin Understood. Have a great weekend! -L
       
 (DIR) Post #AVcEfbQ4UNCwiMiQVM by topher@mastodon.online
       2023-05-13T01:44:51Z
       
       0 likes, 0 repeats
       
       @lauren @dangoodin ...each of which also requires a passphrase that has to be typed each time. There are way too many single point weakness things floating around and honestly, as far as I'm concerned, if there isn't a keyfile + passphrase + hardware key and ideally also + biometrics on top - all involved and required - then sorry, it's not good enough.
       
 (DIR) Post #AVcEfcCdZo3X8zRDCi by cy@chaos.social
       2023-05-13T06:41:18Z
       
       0 likes, 0 repeats
       
       @topher @lauren @dangoodin Biometrics is just operating system convenience with Password fallback. Given shitty 4-digit pin or paint-on-your-screen phone "security" it's just not that secure
       
 (DIR) Post #AVcEfdAXz3yi8nT3aK by lauren@mastodon.laurenweinstein.org
       2023-05-13T15:00:23Z
       
       0 likes, 0 repeats
       
       @cy @topher @dangoodin I generally agree. That's why I'd prefer that additional authentication for passkeys be available for all device lock methods, though in circumstances where strong device lock biometrics are in place and not easily circumvented, there is at least an argument for not enabling the second level -- but again I'd prefer that a separate passkeys authentication layer be present in all cases.
       
 (DIR) Post #AVcIM63vFYH3mCJHM0 by topher@mastodon.online
       2023-05-13T15:28:26Z
       
       0 likes, 0 repeats
       
       @cy Right, wouldn't mind biometrics as an additional proof of identity in addition to a key with passphrase plus physical key, but don't want it being the sole form of authentication needed for something. That's easily defeated once again in my earlier gun-to-head for unlocked phone example. @lauren @dangoodin
       
 (DIR) Post #AVcIM6jkk1jbrvsgYS by lauren@mastodon.laurenweinstein.org
       2023-05-13T15:42:13Z
       
       0 likes, 0 repeats
       
       @topher @cy @dangoodin At a fundamental level, the issues are pretty clear once they're pointed out. Passkeys in the current Google implementation mean that anybody who has any way to unlock the device has unfettered access to every service with passkeys on that device, with nothing else being required. Google even SAYS this, but they gloss right over it, with a line suggesting that physical device security is easy to maintain. But the last statistics I've seen say that about 30 million (!) cellphones go "missing" every year. The stolen/unlocked percentages I've seen reported are all over the place, but they're certainly significant. Google has this pattern (throughout its existence, really) of showing a diminished concern for those users who are not in what Google views as the "majority" -- but it's those very users who are typically most in need of additional protections. I've been arguing with Google about this seemingly forever. If you go strictly by the numbers as Google is wont to do, a lot of actual people can end up being hurt, even if not a large percentage by Google Scale.
       
 (DIR) Post #AVcJKbbz4xIb045wiO by topher@mastodon.online
       2023-05-13T15:53:10Z
       
       0 likes, 0 repeats
       
       @lauren What's crazy to me is that adding passphrases to keys themselves is not some revolutionary new concept that would further have to be developed. Every single time I open an SSH session to any server, I have to enter the key passphrase (I generally try to avoid SSH agent holding onto unlocked keys) and tap my YubiKey. Someone would have to steal the private key and know the passphrase and be in possession of the correct YubiKey for each individual thing they try to access. @cy @dangoodin
       
 (DIR) Post #AVcKKx5jJkblZYjmAy by topher@mastodon.online
       2023-05-13T15:55:35Z
       
       0 likes, 0 repeats
       
       @lauren So I guess I just don't understand why Google has determined not to allow passphrase protecting the private keys themselves, so users can still enter a password - it just unlocks the key on their device instead of going to the remote server. All the more reason I prefer to manage all of this myself, because I can constantly read up and implement best practices and choose my own balance of convenience and security that I feel is appropriate. @cy @dangoodin
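
       The passphrase-wrapped private key that topher describes above, as an added Go example that is not part of this thread or of any vendor's passkey code (the Credential type, the iterated-SHA-256 stand-in KDF and the constructed challenge are assumptions): the passphrase only unwraps the key on the device, and the relying party ever sees a signature over its challenge, never the passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is a hypothetical on-device passkey record: the Ed25519 seed is
// stored only wrapped under a passphrase; the relying party holds just Public.
type Credential struct {
	Public            ed25519.PublicKey
	Salt, Nonce, Wrap []byte // Wrap = AES-256-GCM(seed) under the derived key
}

// wrapper turns the passphrase into an AES-GCM AEAD. The KDF is a stdlib-only
// stand-in (iterated SHA-256); real code would use scrypt or Argon2.
func wrapper(passphrase string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)    // AES block: cannot fail
	return g
}

// Enroll generates a key pair and wraps the seed under the passphrase.
func Enroll(passphrase string) (*Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	wrap := wrapper(passphrase, salt).Seal(nil, nonce, priv.Seed(), nil)
	return &Credential{Public: pub, Salt: salt, Nonce: nonce, Wrap: wrap}, nil
}

// Sign is the on-device step: the passphrase unwraps the seed locally, and only
// the signature over the server's challenge leaves the device. A wrong
// passphrase fails GCM authentication, so nothing is signed.
func (c *Credential) Sign(passphrase string, challenge []byte) ([]byte, error) {
	seed, err := wrapper(passphrase, c.Salt).Open(nil, c.Nonce, c.Wrap, nil)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge), nil
}
```

       The relying party checks the result with ed25519.Verify against the stored public key; a device unlocked with a weak PIN but without the passphrase cannot produce that signature.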
       
 (DIR) Post #AVcKKxp6b2u7qHy0u0 by lauren@mastodon.laurenweinstein.org
       2023-05-13T16:04:22Z
       
       0 likes, 0 repeats
       
       @topher @cy @dangoodin This is really vintage G reasoning. I won't get into the details here, but like I've said when I've had the opportunity I've argued similar points over the years internally at Google. To no significant avail. That's not to say that there aren't many Googlers who often agree with me, but not necessarily at the levels that matter to policy.
       
 (DIR) Post #AVce1g3UQoWEJimAtc by lauren@mastodon.laurenweinstein.org
       2023-05-13T19:45:05Z
       
       0 likes, 0 repeats
       
       @topher @cy @dangoodin Here are some additional thoughts, specific to weak device locks in the wild: https://mastodon.laurenweinstein.org/@lauren/110363028223541777
       
 (DIR) Post #AVdXgfVmqu2Hz0ZRjc by thierna@mastodon.green
       2023-05-14T06:08:39Z
       
       0 likes, 0 repeats
       
       @lauren @topher @cy @dangoodin This sounds like a lot of phones. Just wondering if there are any numbers on how many people actually set an unlock code on their phone. I would expect that there are a lot of them out there who don't. In contrast this discussion is popular with people who know yubi keys and what biometrics mean.
       
 (DIR) Post #AVeHys6XMpOg8uNVwm by lauren@mastodon.laurenweinstein.org
       2023-05-14T14:47:30Z
       
       0 likes, 0 repeats
       
       @thierna @topher @cy @dangoodin I've seen some studies that simply fold "no lock" into "weak locks", since no lock is the ultimate weak lock, essentially. Some functions will refuse to operate on phones with no lock at all, and I'd certainly assume you couldn't use passkeys in any case on a phone without a lock, so this becomes a bit out of scope for the main part of the discussion.
       
 (DIR) Post #AVeiI75OUJJmuwgB04 by nekodojo@tech.lgbt
       2023-05-14T19:42:10Z
       
       0 likes, 0 repeats
       
       @lauren @SteveBellovin @dangoodin I think most would agree that you're pointing out a valid reason that #passkeys are not perfect.  My question is, is this a reason to discourage people from using them?  The scenario of the stolen device with easy unlock would also apply to passwords in a password manager if the user has a PIN to unlock, right? Don't get me wrong, it's totally valid to call out Google for not being perfect and missing an opportunity.  Just, I would not want people to confuse that with "Don't use it, stick with plain password" (which I hope is not what you're saying)
       
 (DIR) Post #AVeioE0GIzELdaagvA by lauren@mastodon.laurenweinstein.org
       2023-05-14T19:48:06Z
       
       0 likes, 0 repeats
       
       @nekodojo @SteveBellovin @dangoodin As I mentioned in another post, a recent study claims that over 25% of phones use one of 20 4-digit PINs as their only lock, including -- you guessed it -- 0000, 1234, etc. That's a lot of phones. These are exactly the users who I am concerned about, who might accept prompts to use passkeys without understanding the implications. Frankly, I don't worry about techies like us, I worry about them. And that's my focus in this instance. Already vulnerable users are especially vulnerable to even more problems related to this issue.
       
 (DIR) Post #AVejQPxeIKAFjDa2bo by nekodojo@tech.lgbt
       2023-05-14T19:49:59Z
       
       0 likes, 0 repeats
       
       @lauren @SteveBellovin @dangoodin Looks like I replied late and didn't read your further comments.  So let me just say that I agree with you.  Personally I use #yubikey plus PIN or password for my more secure logins.
       
 (DIR) Post #AVejQQclpR3dmkoshk by lauren@mastodon.laurenweinstein.org
       2023-05-14T19:54:57Z
       
       0 likes, 0 repeats
       
       @nekodojo @SteveBellovin @dangoodin Thanks. FIDO physical keys are my preferred model. I realize of course that this won't work for everyone, and brings its own issues. I do believe that there is a layered authentication model that could make passkeys much safer for vulnerable users, and bring the benefits of blocking phishing attacks and more. I simply do not feel that Google's current implementation is sufficient. At Google's scale, even a relatively small percentage of users overall can represent a very large absolute number of people who depend on G in their daily lives, and their vulnerabilities matter.
       
 (DIR) Post #AVfbH5RabP6p0waIAC by lauren@mastodon.laurenweinstein.org
       2023-05-15T05:58:17Z
       
       0 likes, 0 repeats
       
       @jbspeakr @nekodojo @SteveBellovin @dangoodin I provided it in an earlier post, which I can't find easily right now. Thanks Mastodon. I should be able to dig it up again tomorrow.