| > I agree. But there is still the issue of forgotten passwords and the infamous password reset emails. How do secure them in the face of "opportunistic encryption with STARTTLS"? Realistically, you can't without some secondary auth for password resets (i.e. secret questions, a phone call, or things like 'send a message signed with your public key' (which the service operator obviously needs to know beforehand) - all of which are either easy to game, or not particularly user friendly for the non-technical - but even without those options, the password reset scenario still has one advantage over the 'login link' system: at the very least the user will know the breach occurred, because they will a) lose their current sessions and b) not be able to create new ones (due to the password having changed). > My point being, if you are already using Gmail, then just use your GMail address There are plenty of reasons not to use the 'primary' email address of a system which also offers pop3 download into webmail, and your response just highlights how short sighted this "solution" is. > "Average people" probably use the password manager built-in in their web browser, but it doesn't necessarily solve the main issue which is password reuse. So if we agree that most people probably do use the built in password manager, wouldn't a better solution be, for the password manager, which knows all your passwords anyway, to take action, and suggest better passwords? "Hey, we just noticed you logged in with a password that you've used on at least 389 other sites. That's not very secure, if you'd like to change your password for this site, <Browser> can suggest a strong password, remember it for you and sync it to your other devices too". > Since you're asking for evidence, what evidence do you have to support your own claims? You just admitted that average people probably use the password manager built-in. It's pretty well observed now that non-technical people (and even technical, in some situations) will blindly click "OK" or "Accept" or "Yes" to whatever buttons appear on screen when they're trying to achieve something. I don't have any evidence I can link to, just 14 years of anecdotal stories about how people clicked "yes" to "do you really want to delete this now?" and then call helpdesk because it deleted something, etc. > This problem is not ignored. It's never mentioned as part of the actual proposal, it's always a "well you could do X and then Y and then Z" and pushes responsibility to the USER to determine if someone else is using their account. > We can for example watch IP addresses used to connect, and notify the user connecting on the "usual" IP that we have detected another connection on a new/unseen IP. a) most people barely know what an IP address is, much less what theirs is. Even with GeoIP info, you still have the risk of people being attached by someone actually in, or spoofing, a close proximity. GeoIP info for my current IP has recently changed to my current city, but recently showed me as being in a city 70km away, with a population of 10M people. > I'm not saying this is easy, but this is probably solvable. So is a cure for Cancer but I'm not going holding my breath for that either. > Moreover, I notice that most non-technical users around me, when they are unable to connect because their password is refused A decent auth system would notice two successive password resets in a short span of time, and send a notice with the second one that a password reset was just performed <X> minutes/hours/days prior, with information to contact the service provider if the earlier reset was not initiated by the account holder. > A civilised discussion would be easier if you could avoid the words "fucking" and "ridiculous". Maybe I should have changed the use of certain words, so let me be more clear: The idea is ridiculous: ridiculous |rɪˈdɪkjʊləs|
adjective
deserving or inviting derision or mockery; absurd
Discussing an authentication method and not discussing the security concerns is fucking stupid: fucking |ˈfʌkɪŋ|
adjective [ attrib. ] & adverb [ as submodifier ] vulgar slang
used for emphasis or to express anger, annoyance, contempt, or surprise
stupid |ˈstjuːpɪd|
adjective (stupider, stupidest)
lacking intelligence or common sense
> You're claiming that passwordless login ignores important security concerns. I think that the human factor (forgotten passwords, password reuse, etc.) is big in the list of security concernsSure, this and every other concept for emailed links for auth addresses that same single factor: people re-use, and forget passwords. I'm claiming that every "passwordless" solution based on email login links I've seen, conveniently ignores any problem their "new" idea introduces, some of which I've highlighted above. Some like Homakov go a step further: when I suggested that his version of this concept is insecure because mailboxes aren't secure, his response was literally "Yeah but I'm not trying to solve the whole problem". Right. Well I've got a great cure for an ingrown toe-nail: I'll cut off your leg. You won't be able to walk, but I'm not trying to solve the whole problem. |