[HN Gopher] Beyond Identity Offers Free Version of Its Passwordl...
___________________________________________________________________
Beyond Identity Offers Free Version of Its Passwordless Technology
Author : dpelevator
Score : 37 points
Date : 2021-01-26 14:55 UTC (8 hours ago)
(HTM) web link (www.darkreading.com)
(TXT) w3m dump (www.darkreading.com)
| intotheabyss wrote:
| There's already a passwordless technology; it's called Ethereum
| and Metamask. Store your private key on a hardware wallet, and
| boom, you have a very secure account controlled by the user where
| no password or login is required to interact with applications. It's
| also free.
| CharlesW wrote:
| Point us to anything showing that Metamask supports WebAuthn
| for this passwordless login use case.
| jtbayly wrote:
| Who is giving out free hardware wallets? I'd like one.
| [deleted]
| zackify wrote:
| Uhhh the free version of passwordless technology is called
| "webauthn"
| CharlesW wrote:
| WebAuthn is a framework. A quick search shows that Beyond
| Identity uses WebAuthn, FIDO, and other identity management
| flows and standards.
| holtalanm wrote:
| I'm tempted to suggest the linked article be changed to:
| https://www.beyondidentity.com/blog/why-we-made-passwordless...
|
| the actual blog post from Beyond Identity.
|
| was really frustrated when the first link in the darkreading
| article just linked out to _another_ darkreading article.
| Like....wtf?
| joncp wrote:
| And the original doesn't render unless you let it use js.
| decentralbanker wrote:
| Interesting. I wonder if it supports Linux? How is this different
| from Yubikey? We use FIDO keys and HYPR at my office -
| https://www.hypr.com/
| [deleted]
| ancharm wrote:
| I want my private keys stored on my iPhone / Apple Watch, in
| Secure Enclave memory, with two-factor biometric authentication
| (FaceID and Fingerprint). No more passwords.
| CharlesW wrote:
| I thought this was supported as of Safari 14, but I haven't
| heard if Google and Firefox intend to support this as well.
|
| https://developer.apple.com/videos/play/wwdc2020/10670/
| dheera wrote:
| I don't. I don't want to have to carry a stupid phone around
| everywhere to get things done. I should only have to move my
| body between the places I go, and the various 24"+ screens I
| encounter, mostly at home and the office, should become my UI,
| and none of that should depend on carrying a stupid 6 inch
| device.
|
| I like passwords + a YubiKey left permanently plugged into
| every device.
| Shebanator wrote:
| That's fine for many applications, but for someone like me
| who has a Continuous Glucose Monitor having my phone/watch be
| with me at all times is a fact of life. I look forward to the
| day when my CGM interfaces directly with my watch so I don't
| have to carry the phone all the time.
| RHSeeger wrote:
| I'd settle for it just displaying on the lock screen, so I
| don't need to unlock my phone and check the statuses to see
| what my blood sugar is at. That being said, just being able
| to look to see what my blood sugar is at without having to
| poke a hole in my finger was a massive change in how I
| managed my blood sugar. Having alerts for low (or dropping)
| blood sugar is a great thing, too. Man, I love my CGM
| (Dexcom G6)... can't say enough good things about it
| compared to manual blood testing.
| dheera wrote:
| > but for someone like me
|
| Of course that's a special case which doesn't apply to most
| people. But also, why can't the CGM just have its own
| display, which would simplify things a lot more and likely
| also require much less power if it used e.g. eInk?
|
| It sounds ridiculous to me that a medical-grade device
| should _depend_ on a second consumer-grade device to be
|           useful. If it's an added feature for e.g. logging or
| monitoring or telemetry to the doctors, great, I
| understand, but if you're just trying to get a glucose
| reading I strongly believe in one device giving you that
| reading instead of "Hey I'm a device that your health
| insurance paid $1000 for but sorry I'm too lame to display
| data and you're going to need to install this silly iPhone
| app to actually read its values"
|
| "and oh by the way we also will track your contacts, which
| apps you are using, your GPS, and serve you and your
| contacts targeted ads for glucose-free health foods from
| our partners at Amazon"
| ng12 wrote:
| > why can't the CGM just have its own display
|
| So I can check my blood sugar without taking my shirt
| off.
| olah_1 wrote:
| "Passwordless technology" is just giving users their own keys.
|
| How to provide a good onboarding and UX around that process is
| another story. It requires educating the user to a different
| mindset.
|
| I advise looking into Argent[1] (Loopring is the same) or
| BrightID[2] as just a few examples of how this can work well.
|
| If you have no friends for social recovery, Argent provides their
| own service that links to your email or phone for recovery. So
| it's more like a typical account recovery that users are
| accustomed to today.
|
| Similarly, ZenGo[3] provides just that email/phone recovery
| service alone but it feels intuitive and safe depending on your
| threat vector. The cool thing about them is that it also uses
| facial recognition.
|
| [1]: https://www.argent.xyz/
|
| [2]: https://www.brightid.org/
|
| [3]: https://zengo.com/
| dandanua wrote:
| Asymmetric cryptography under the tonnes of bullshit marketing.
| ng12 wrote:
| Bullshit marketing is what CTOs buy. Who cares if the core
| principles are simple or not, if they're selling a useful
| service (especially one that can help secure our data) good on
| them.
| CharlesW wrote:
| This is the first I've heard of the product, but remind me why
| building cryptography products and then marketing them is bad?
| yjftsjthsd-h wrote:
| I don't know that it is bad per se, just pointing out that
| this is a fairly simple existing technology and not some new
| thing
| CharlesW wrote:
| Ah, gotcha. I'm always interested in tuning my bullshit
| meter, but their top-level claims -- passwordless,
| continuous authentication, improved user experience -- seem
| pretty justifiable.
|
| I use a good password manager right now, but even so I find
|               myself entering passwords _many_ times per day. I'd love
| to not have to do that, so any tips on how I can do that
| are appreciated.
| dandanua wrote:
|                   It's fairly easy to build a passwordless scheme.
|
| 1. Service picks asymmetric scheme (RSA, ECDSA, etc.)
|
| 2. User generates public/private pair of keys locally
|
| 3. User registers its public key in the service
|
| 4. Now user can sign anything thus confirming its
| identity
|
| No third-party service required. Users have to keep their
| private keys locally, but BeyondIdentity also requires
|                   this. I don't feel their complicated scheme makes much
| sense. Also they've mentioned the use of machine
| learning, this looks even more strange.
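
Added example, not part of the thread or of any product discussed in it: a Go version of the four-step scheme in the comment above, with Ed25519 chosen for step 1 and a server-issued, origin-bound nonce as the thing the user signs, so a captured signature cannot be replayed or reused at another service. `Service`, `NewService`, `Challenge`, `Sign`, `Login` and the `service.example` origin are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Service is a hypothetical relying party: registered public keys plus one pending nonce per user.
type Service struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewService(origin string) *Service {
	return &Service{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Challenge issues a fresh random nonce; without one, a captured signature could be replayed.
func (s *Service) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Sign is step 4, run on the device: it signs origin + nonce, so the result is useless elsewhere.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin+"\x00"), nonce...))
}

// Login consumes the pending nonce (single use, even on failure) and verifies the signature.
func (s *Service) Login(user string, sig []byte) bool {
	pub, nonce := s.keys[user], s.pending[user]
	delete(s.pending, user)
	return pub != nil && nonce != nil &&
		ed25519.Verify(pub, append([]byte(s.origin+"\x00"), nonce...), sig)
}

func main() {
	svc := NewService("https://service.example")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 2: key pair made on the device
	svc.keys["alice"] = pub                          // step 3: only the public key is registered
	sig := Sign(priv, svc.origin, svc.Challenge("alice"))
	fmt.Println(svc.Login("alice", sig), svc.Login("alice", sig)) // true false
}
```

The second `Login` call fails because the nonce was consumed by the first; recovery of a lost private key is outside what this example covers.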
| motohagiography wrote:
| Good of them to do this, as if it's useful, we will find out
| pretty fast. If they have a Vault integration, that would be
| helpful as well. Solving IAM/IAA problems and designing products
| are orthogonal concerns, and to me that they're building a
| product around just managing asymmetric key pairs is a positive
| note.
|
| An authentication scheme is only ever as secure as its recovery
| process, so that's going to be where the magic happens.
___________________________________________________________________
(page generated 2021-01-26 23:01 UTC)