by mark_l_watson 3471 days ago
I don't like something that I have to plug in. What I greatly prefer is what PacBell gave me as a consultant in the 1990s to access their secure inner networks remotely: a device that would display a new random number every 10 seconds and I would add that number to my password when logging in. I was given the same sort of device at Google in 2013 when I was a consultant there.

For laptop and mobile devices, I like the idea of password and biometrics (fingerprint reader and/or facial recognition).

2 comments

A serious problem with biometrics is credential revocation. The best answer I've seen to this is using the biometric to locally unlock some other credential like a certificate that can be revoked. There are other problems that are flashier, like spoofing and liveness, but revocation is a real show-stopper that is frequently ignored.

The new FIDO UAF standard solves exactly this problem: all biometrics only unlock a local identifier, preferably on a Secure Element or in a TrustZone.

Those are considered deprecated by now. The most important issue with those devices is that they're not secure against phishing.

If you accidentally input your credentials and PIN code in a phishing site, it's game over.

With FIDO tokens, this is impossible - authentication is challenge-response based and tied to the encrypted channel. Your device contains a private key which is used to authenticate. This requires two-way communication, so you have to plug in the device.

What makes it impossible for a phishing site to mimic the challenge?

The challenge-response protocol uses asymmetric cryptography and is tied to the SSL session ID.

More explanations on why: https://security.stackexchange.com/questions/71316/how-secur...

And how: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendmen...

That's the clever bit about FIDO. Part of what unlocks the private key for signing the challenge is something called AppID. AppID is automatically captured by your web browser (web origin standard) and passed along. So the authenticator only unlocks if you are on the correct website.

A further feature is that you can make the SSL tunnel ID part of this as well, which makes it even better.

This is how both UAF and U2F work.