Post AVgLm5CMA4fZ7YB3aK by lauren@mastodon.laurenweinstein.org
 (DIR) Post #AVcceD18813fdtuy24 by lauren@mastodon.laurenweinstein.org
       2023-05-13T19:29:27Z
       
       0 likes, 0 repeats
       
***** 0000, 1234, and Google passkeys *****

As you probably know by now, I am critical of the #Google passkey implementation primarily because it does not provide an option or requirement for a passkey authentication layer other than the device lock. It is entirely dependent on the strength of the device lock. If a perpetrator can see or crack a weak device lock, they then have access to all of the passkeys and associated accounts, no other authentication needed. Which brings up the question -- how many devices use weak device locks? After all, human nature never really changes. Mel Brooks would be amused.

According to this recent article, about 26% of phones can be unlocked using one of 20 4-digit PINs, including 1234, 1111, 0000, etc.:

https://www.pocket-lint.com/these-are-the-20-most-common-phone-pins-is-your-device-vulnerable/

Passkeys need an additional authentication layer. Think about it. -L
       
 (DIR) Post #AVcdjlSDcVA9qgnjhA by topher@mastodon.online
       2023-05-13T19:41:47Z
       
       0 likes, 0 repeats
       
       @lauren Thanks a lot, Lauren. Now I have to change the combination on my luggage!
       
 (DIR) Post #AVcdoOuqqNb3ObP9fc by david1@mastodon.world
       2023-05-13T19:42:37Z
       
       0 likes, 0 repeats
       
       @lauren Secret Double Octopus does the same thing. I never understood why companies thought this was better than, say, Duo Multi-factor authentication.
       
 (DIR) Post #AVcdruJUZ7FDdrbOhk by lauren@mastodon.laurenweinstein.org
       2023-05-13T19:43:08Z
       
       0 likes, 0 repeats
       
       @topher And it's about time!
       
 (DIR) Post #AVceG5eE4lVdkFpcdU by topher@mastodon.online
       2023-05-13T19:47:36Z
       
       0 likes, 0 repeats
       
       @lauren Good thing my phone password is >3x the length of a 4-digit pin!
       
 (DIR) Post #AVd2XgS4tFwhiJ4V0q by lauren@mastodon.laurenweinstein.org
       2023-05-14T00:19:29Z
       
       0 likes, 0 repeats
       
@skarra Sriram, hi. This gets into the weeds very quickly of course, and clearly there is no "one size fits all" solution. My overriding concern is to protect vulnerable users from leveraging of (already) weak device locks, but this can potentially cover a lot of ground.

Some of the issues I've been thinking about are the different inherent levels of trustworthiness of different platforms, the varying security needs of different passkeys (e.g., passkeys for a hobby forum can likely be viewed as a lower grade concern than passkeys for a GAIA or financial account), and so on. Recovery issues are definitely of concern, and of course would relate to (among other things) the availability of fallback authentication methods for accounts (e.g., ordinary credentials + 2sv). To the extent that these are unavailable, untrusted, or for some other reason no longer usable (I noted in the G announcement the goal of eventually subjecting fallbacks to non-passkey authentication methods with more scrutiny), then other methods would be necessary, and the issue of who takes responsibility for this is an interesting one for discussion.

I have a pile of notes here representing my detailed thoughts about this entire set of issues that could be pulled together into a formal doc if I had any sense that it would be of use, to the extent that my current resources would allow. Thanks very much. Best. -L
       
 (DIR) Post #AVdZbwWsLzt1DqxEcC by sjjh@hachyderm.io
       2023-05-14T06:30:10Z
       
       0 likes, 0 repeats
       
       @lauren Should users be blocked from setting any of those twenty passcodes?
       
 (DIR) Post #AVeHcV9434HsZ5tRp2 by lauren@mastodon.laurenweinstein.org
       2023-05-14T14:43:19Z
       
       0 likes, 0 repeats
       
       @sjjh The likely result would be users gravitating to the simplest PINs that would pass whatever test was deployed. So instead of 0000 they use 00000, etc. Pretty quickly a new "top 20" list would be established. Of course on the other end there's the nightmare password rules still employed by many sites that drive users nuts with complexity and just encourage the taping of passwords to monitors.
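The failure mode described in the post above, as an added example that is not part of the thread: an exact-match "top 20" denylist rejects 0000 but happily accepts 00000, whereas a check for the underlying patterns (repeated digit, consecutive run, repeated block) holds at any PIN length. The denylist here is constructed from the three PINs the thread names; the article's full list is not reproduced.

```python
"""Why a fixed 'top 20 PINs' denylist is easy to sidestep, and a pattern-based alternative."""
from typing import Optional

# Constructed, partial denylist: only the three PINs named in the thread.
COMMON_PINS = {"0000", "1111", "1234"}


def naive_blocklist_rejects(pin: str) -> bool:
    """Exact-match check: all a static 'top 20' denylist can do."""
    return pin in COMMON_PINS


def _is_repeated_digit(pin: str) -> bool:
    return len(set(pin)) == 1


def _is_sequence(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, e.g. 1234 or 98765."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def _is_repeated_block(pin: str) -> bool:
    """A short block repeated to fill the PIN, e.g. 1212 or 123123."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def pattern_rejects(pin: str) -> Optional[str]:
    """Return the reason a PIN is rejected, or None if it passes.

    Length-independent, so padding 0000 out to 00000 does not help.
    """
    if not pin.isdigit() or len(pin) < 4:
        return "too short or not numeric"
    if pin in COMMON_PINS:
        return "on the common-PIN list"
    if _is_repeated_digit(pin):
        return "single repeated digit"
    if _is_sequence(pin):
        return "consecutive-digit sequence"
    if _is_repeated_block(pin):
        return "repeated block"
    return None
```

The structural check is still only a floor: it says nothing about PINs that are popular for non-structural reasons (birth years, keypad shapes), which is exactly the kind of list the linked article reports.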
       
 (DIR) Post #AVeIOHYJtASSJAURPs by lauren@mastodon.laurenweinstein.org
       2023-05-14T14:52:01Z
       
       0 likes, 0 repeats
       
@skarra Agree 100%. These areas are a complex array of tradeoffs -- technical, human factors, societal impact, and more. And I'll note that this reality is all too often not understood (or simply ignored) by regulators and politicians, resulting in regulatory/legislative/legal frameworks that do not allow for proper balance and create negative collateral damage to firms, their users, and society at large as a result.
       
 (DIR) Post #AVfsNpjb6gWJXWoIqG by asjmcguire@mastodon.scot
       2023-05-15T09:09:56Z
       
       0 likes, 0 repeats
       
       @lauren but how is it worse than an authenticator app on the phone or SMS? Again the attacker needs to access the phone - just like with Passkeys. So whether you are using Passkeys or an authenticator app on the phone (not necessarily the Google one) - then it's the same issue.
       
 (DIR) Post #AVgLm5CMA4fZ7YB3aK by lauren@mastodon.laurenweinstein.org
       2023-05-15T14:39:23Z
       
       0 likes, 0 repeats
       
       @asjmcguire Obviously, authentication apps are less secure than physical FIDO keys, since the latter are typically kept separate from the device and unlikely to be obtained by a phone thief when the phone is grabbed. And FIDO keys of course also provide the ultimate anti-phishing protection. But if someone insisted on using an Authenticator, Google's is pretty much the most simplistic of the bunch -- there are others that offer their own authentication layer.
       
 (DIR) Post #AVgM4Abym2FB7dmqem by lauren@mastodon.laurenweinstein.org
       2023-05-15T14:42:43Z
       
       0 likes, 0 repeats
       
       @asjmcguire But of course, there's another issue too. Assume a Google account secured by normal credentials, even without 2-factor. Many people don't use password managers (I limit their use greatly, personally), and a phone thief would not typically know what those credentials are for accounts (Google, financial, whatever). Passkeys bypass the credentials and any 2-factor (even the weakest, SMS). Unlock the phone, and you get it all, immediately.
       
 (DIR) Post #AVgTKLvBBwpWVkQn6O by asjmcguire@mastodon.scot
       2023-05-15T16:04:02Z
       
       0 likes, 0 repeats
       
@lauren Right, but my point is, once you have unlocked the phone, any other method you use (SMS, password manager, etc.) is pretty much broken too. Once the phone has been unlocked, all bets are off.
       
 (DIR) Post #AVgTlDv730gVVzDGIS by lauren@mastodon.laurenweinstein.org
       2023-05-15T16:08:52Z
       
       0 likes, 0 repeats
       
       @asjmcguire That's incorrect. Unlocking the phone does not provide account credentials unless a password manager is in effect, and those can have an additional authentication layer. Passkeys as implemented by Google have no additional authentication, so unlocking the phone provides access to all associated passkey accounts without additional authentication. Given a secure password manager, or no password manager at all, unlocking the phone does not provide the means to access other non-logged in accounts in the normal scenarios.
       
 (DIR) Post #AVgUIqCXjwu5nXObnU by asjmcguire@mastodon.scot
       2023-05-15T16:14:57Z
       
       0 likes, 0 repeats
       
@lauren OK, we are clearly going to disagree on this point, so I won't continue down that route. Instead I'll ask: what kind of additional authentication do you want to see implemented?
       
 (DIR) Post #AVgUnNdG0e3mAZSAka by lauren@mastodon.laurenweinstein.org
       2023-05-15T16:20:31Z
       
       0 likes, 0 repeats
       
       @asjmcguire There is no one-size-fits-all answer to that question, and the range of conditions and answers (and related crucial issues surrounding associated lock/account exception/recovery topics) is nontrivial. I am considering a formal paper about all this, rather than trying to address this all piecemeal in social media and my other venues, since this gets into the weeds of technical and human factor aspects very quickly!