Where is PKI-based sign-in? Why the heck every-fucking-one is so obsessed to move your identity to third parties (email, domain or webpage providers) and disregards one of the most sane, obvious, flexible and secure (if implemented properly) concept out there?
Added: My points are:
- (Security) They are immune to attacks on websites. All attackers would extract is a public key.
- (Flexibility) They are social, yet privacy-respecting. When you want to keep your identity across multiple services — you use the same key. When you don't want so — you just generate a new one — it's free. Some variants (like OpenPGP) have web-of-trust out of the box.
- (Flexibility) They are supported on almost every modern system out there — if we're considering X.509 client certificates (probably not the best option, but). Just polish the damn UI for those already, please.
- (Sanity) They are something user actually possesses, not temporarily leases like a Facebook account, email address or domain name.
- (Flexibility/security) They could be stored as securely as one wishes. Keep those in a file (your OS or browser's keystore, actually) if you don't care, and HSMs are already here for those who want them.
- (Flexibility/security) They could be easily synced across the devices. Just escrow the key material with other key — derived from a password, if you wish.
- (Security) They could be mass-revoked. Not easy and not flawless, but there's OCSP. There're CRLs, too (although those suck). Certainly better than running across multiple sites if one had used the same (compromised) password with them.
I'm pretty sure that's what was being referred to when the author mentioned corporate drones carrying around fobs. Generally those fobs contain the keys for PKI auth in secure-hardware form.
However, having had to deal with using these myself, I'm not sure I would agree that PKI auth is "sane", "obvious", or "flexible".
As for your other points, without a hardware-secure token, I don't think PKI is secure in the least. You're one zero-day browser crack away from revealing your private key. The solution to that of course is to require a passphrase, and oops, we're back to the original problem.
"Another good practice is just to ask for passwords less often. If you’re signing in every day from the same computer in your basement, you’ll notice that Google hardly ever asks you to prove who you are."
I'm not sure if he's referring to Google asking for a second form of authentication when you log in from an unknown location (such as sending you a text message with a random number in it, which is unrelated to entering your actual account password) or if he doesn't understand state management with cookies. You obviously won't be asked to reenter your password if the session cookie has been set in your browser and you have a valid session on the server.
Passwords are awesome. A bigger, better solution is immanent, but a password does the job just fine for most uses. Passwords get a lot of flack for a problem that isn't the concept of a password's fault, but the fault of those who use poor passwords or reuse them across dozens of applications.
1) They're symmetric. I need to protect the thing I need to provide. If we can contrive to make sure that the thing I need to provide it to can be safely trusted, then this problem only manifests itself in the face of password reuse, but assumptions break sometimes.
2) Enough entropy to be uncrackable is starting to be enough entropy to be difficult to remember.
Password safes and similar address both of these - at the expense of increased exposure to slightly different threats but for a net win. They're a slight departure from "the concept of a password", though, I'd say.
Passwords carry some of the blame for being a pain in the ass to manage at scale. Because grandpa doesn't know about password managers or the xkcd method (he just wants to get to his email), he picks bad passwords and reuses them. Passwords have enabled him to shoot himself in the foot, alongside the troves of similar folks.
Passwords aren't the problem, but they're enabling the problem and because of that they certainly aren't awesome.
> the fault of those who use poor passwords or reuse them across dozens of applications
That's the reality, and that's the sole argument for why passwords suck. We can't blame the users on this one, we just have to give them something better.
The article reads like a straw man argument in favor of begrudgingly accepting password auth for the time being. It's disappointing that he has omitted mention of things like Persona, browser certificates, or even the Google Authenticator app (which completely solves his problem with 2FA).
I actually have a problem with things like Google Authenticator. I use it to secure the login for my Digital Ocean account. Worked great, until my phone broke. When I signed into Digital Ocean with a new phone... well, of course Google Authenticator doesn't know how to generate a new compatible code. That part is controlled by a QR code when you enable 2FA, and you can't get back to it without logging in. Same thing with securing the admin login to a site I run. When I switched phones, I lost my login.
Sure, there's a way around it. Digital Ocean lets you disable 2FA with an SMS code. Then I can just log in, set up 2FA again, and have it working on my new phone. But then I fixed my old phone and switched back. So I had to do it all over again.
Clef worked great, until someone with a Windows Phone joined the team and needed to log into the site. Suddenly our authentication method of choice, one we were really happy with, wasn't an option because Clef doesn't make a Windows Phone app.
These are the problems the author seems to try to point out. Passwords at least work every time you type them in, from any platform. Passwords aren't tied to Google or Apple, passwords don't shun Microsoft platforms simply because there aren't enough users. If your users have to buy an iPhone just to be able to log in, or if they lose the ability to log in because they replaced their phone (something that happens all the time), it isn't a solution at all. They're going to end up going back to passwords (like we did) because nothing else works as well as passwords.
The shallow writing of this article aside, I think it overlooks a rather promising authentication scheme by Steve Gibson. https://www.grc.com/sqrl/sqrl.htm
Another important point is that users already consider passwords to be a hassle and have little patience for anything that makes it harder to access resources online.
[+] [-] drdaeman|11 years ago|reply
Added: My points are:
- (Security) They are immune to attacks on websites. All attackers would extract is a public key.
- (Flexibility) They are social, yet privacy-respecting. When you want to keep your identity across multiple services — you use the same key. When you don't want so — you just generate a new one — it's free. Some variants (like OpenPGP) have web-of-trust out of the box.
- (Flexibility) They are supported on almost every modern system out there — if we're considering X.509 client certificates (probably not the best option, but). Just polish the damn UI for those already, please.
- (Sanity) They are something user actually possesses, not temporarily leases like a Facebook account, email address or domain name.
- (Flexibility/security) They could be stored as securely as one wishes. Keep those in a file (your OS or browser's keystore, actually) if you don't care, and HSMs are already here for those who want them.
- (Flexibility/security) They could be easily synced across the devices. Just escrow the key material with other key — derived from a password, if you wish.
- (Security) They could be mass-revoked. Not easy and not flawless, but there's OCSP. There're CRLs, too (although those suck). Certainly better than running across multiple sites if one had used the same (compromised) password with them.
[+] [-] skywhopper|11 years ago|reply
However, having had to deal with using these myself, I'm not sure I would agree that PKI auth is "sane", "obvious", or "flexible".
As for your other points, without a hardware-secure token, I don't think PKI is secure in the least. You're one zero-day browser crack away from revealing your private key. The solution to that of course is to require a passphrase, and oops, we're back to the original problem.
[+] [-] cypherpunks01|11 years ago|reply
"First, it’s easy for programmers to deploy a standard username/password setup. They more or less just push a button in their app-building toolkit."
"Two-factor sign-in: ... The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords."
[+] [-] DaCapoo|11 years ago|reply
"Another good practice is just to ask for passwords less often. If you’re signing in every day from the same computer in your basement, you’ll notice that Google hardly ever asks you to prove who you are."
I'm not sure if he's referring to Google asking for a second form of authentication when you log in from an unknown location (such as sending you a text message with a random number in it, which is unrelated to entering your actual account password) or if he doesn't understand state management with cookies. You obviously won't be asked to reenter your password if the session cookie has been set in your browser and you have a valid session on the server.
[+] [-] tubbs|11 years ago|reply
Passwords are awesome. A bigger, better solution is immanent, but a password does the job just fine for most uses. Passwords get a lot of flack for a problem that isn't the concept of a password's fault, but the fault of those who use poor passwords or reuse them across dozens of applications.
Either way, I'm excited to see what comes next.
[+] [-] dllthomas|11 years ago|reply
1) They're symmetric. I need to protect the thing I need to provide. If we can contrive to make sure that the thing I need to provide it to can be safely trusted, then this problem only manifests itself in the face of password reuse, but assumptions break sometimes.
2) Enough entropy to be uncrackable is starting to be enough entropy to be difficult to remember.
Password safes and similar address both of these - at the expense of increased exposure to slightly different threats but for a net win. They're a slight departure from "the concept of a password", though, I'd say.
[+] [-] akerl_|11 years ago|reply
Passwords aren't the problem, but they're enabling the problem and because of that they certainly aren't awesome.
[+] [-] arnarbi|11 years ago|reply
That's the reality, and that's the sole argument for why passwords suck. We can't blame the users on this one, we just have to give them something better.
[+] [-] yock|11 years ago|reply
[+] [-] freehunter|11 years ago|reply
Sure, there's a way around it. Digital Ocean lets you disable 2FA with an SMS code. Then I can just log in, set up 2FA again, and have it working on my new phone. But then I fixed my old phone and switched back. So I had to do it all over again.
Clef worked great, until someone with a Windows Phone joined the team and needed to log into the site. Suddenly our authentication method of choice, one we were really happy with, wasn't an option because Clef doesn't make a Windows Phone app.
These are the problems the author seems to try to point out. Passwords at least work every time you type them in, from any platform. Passwords aren't tied to Google or Apple, passwords don't shun Microsoft platforms simply because there aren't enough users. If your users have to buy an iPhone just to be able to log in, or if they lose the ability to log in because they replaced their phone (something that happens all the time), it isn't a solution at all. They're going to end up going back to passwords (like we did) because nothing else works as well as passwords.
And that's not a high bar to get over!
[+] [-] trickyager|11 years ago|reply
[+] [-] bigtech|11 years ago|reply