[stavros]

> As it becomes easier to emulate hardware tokens[1], Google may start limiting which ones it accepts.

Why? I hope they don't, as I'm relying on my password manager to emulate a hardware token so I can finally log in to websites without needing a username/password.

At its core, FIDO2 is an authentication API, so the site can ask your browser to authenticate you (in whatever way the browser wants). If that's "talk to the password manager to authenticate the user using some fancy cryptography", why does the authenticating site care?

I'm looking forward to the day when my password manager only has one credential in it, my soft-FIDO2 private key.

[oarsinsync]

> > As it becomes easier to emulate hardware tokens[1], Google may start limiting which ones it accepts.

> Why?

Likely not in the same of security, but as an extra speed bump for automated account creations.

The easier it is to create accounts in automated ways en masse, the more likely that system can be abused.

If you require SMS authentication, you can use that telephone number as a means to limit accounts being generated.

If you can restrict software emulating hardware, you're similarly increasing the barrier to entry to require hardware tokens too, increasing the cost of creating accounts used for fraudulent activity, and reducing the lower hanging fruit (e.g. spam) from being as profitable.

[jqpabc123]

If you require SMS authentication, you can use that telephone number as a means to limit accounts being generated.

If you require SMS authentication, you can use that telephone number to personally identify the individual. Privacy invasion justified in the name of security.

[unqueued]

Why is it that Google and the tech giants would rather that you use highly insecure HTTP than a possibly insecure self signed certificate?

You use self signed certificates all the time with SSH. If you haven't seen an SSH key before, you don't fall back to telnet.

If you stop to think about it, is incredible how much effort they put into forcing you to use the latest browser, and not trust self signed certificates. It is far easier to root your device and patch your kernel than it is to use an older browser.

Yes, it is a highly effective but clumsy heuristic to detect abuse. But I am convinced that they may have other incentives as well.

[necovek]

It's been a while since I used self-signed certificates, but experience used to be just about right. You hit the page and browsers throw a big fat warning. You add an exception, basically acknowledging that this is a certificate you trust (exception is for the cert, not any cert on this domain ever), and as long as the certificate doesn't change, your trust is at the same level it was on the initial load of the page.

The UX problem with self-signed certs is that you start expecting to accept them, so when that site asks you again to accept it while you are browsing in a cafe on a public WiFi, your browser would need to know that now you are on untrusted network and that you should better watch out.

Which is why LetsEncrypt came to be: it provides at least some chain of trust without any extended validation, which is a bit extra on top of self-signed certs.

[unqueued]

> The UX problem with self-signed certs is that you start expecting to accept them, so when that site asks you again to accept it while you are browsing in a cafe on a public WiFi, your browser would need to know that now you are on untrusted network and that you should better watch out.

But again, should you watch out more than if you were using HTTP? Does your browser make you opt in to connecting to every HTTP site on an open wifi network? What about an HTTP captive portal on an open network?

I have not heard a good argument for the current behavior with self signed certificates that justifies the behavior of completely unencrypted connections.

The ideal behavior would be for your browser to make it clear that the connection safe from third party attacks, but that it can't verify the website. Perhaps leave the scary warnings for submitting something over an self signed or unencrypted connection.

[necovek]

It's again a user expectation problem. What if you connect to a web site for the first time while on a rogue public network?

If users expect to be "safe" when on a secure site, without them understanding intricacies of certificates, self-signed is counter productive.

There are certainly improvements to be made to the experience, but none of that can explain all these nuances in a way a temporary visitor will read and grasp.

OTOH, it's easier to teach them "HTTP unsafe, don't type anything private".

[detaro]

> The ideal behavior would be for your browser to make it clear that the connection safe from third party attacks, but that it can't verify the website.

If it can't verify the website, the connection is not "safe from third party attacks".

[oarsinsync]

> Why is it that Google and the tech giants would rather that you use highly insecure HTTP than a possibly insecure self signed certificate?

There are legacy concerns that factor in here, where HTTP was the default, and HTTPS was a costly alternative.

Changing defaults can be expensive.

[jsnell]

Chrome has been marking HTTP URLs as "not secure" in the URL bar for like three years.

[unqueued]

The current implementation is idiosyncratic.

Out of the box, you will get a lot more resistance for using a self signed certificate than bare HTTP. At the very least, self signed certificates should be in the same security context as HTTP.

Our devices should opportunistically use encryption, even if validation is not available.

I had a client that wanted to use an Android tablet to monitor IP cameras on his local network, and it was virtually impossible to use the TLS on zeroconf .local domains.

The official solution is to rely on the underlying network for security. Even though the webservers on devices and our browsers have TLS support.

[necovek]

If your password manager has control of both your password and your "2nd" factor auth, it defeats the purpose of it being a 2nd factor.

You are still protected from your password hash being stolen from the target website, decrypted and then used for log-in, but if password hashes were accessed, potentially a bunch of other stuff that you'd care about is too, so that's a somewhat moot point.

But someone stealing your laptop and getting access to your password manager gets access to your 2FA too. Making it not a "second" anything: it's akin to using two passwords for log in to a single site and keeping them in the same place. Physical separation of the two authentication factors, thus, matters.

That also means that you should not have your password manager on the phone, or at least only have a separate one: ideally, password managers would integrate between desktops and mobile devices to pass short-lived access to passwords for Oauth/OpenID Connect auth instead.

Yeah, bridging convenience and security is a long standing nightmare of a problem to solve. :)

[stavros]

Yes, I know all that, and that's fine. I'm not looking to solve the problem of authenticating so I can launch nukes, I just want people to not steal my Twitter account.

A random thief stealing my laptop would have to:

1) Bother

2) Break my hard disk encryption/know the password

3) Break my password manager encryption/know the password

I think that's hard enough for someone wanting to get into my email. I use a separate hardware key to secure my domains, and that's about it.

[necovek]

That's fine, the only question is why use 2FA at all?

What's the attack vector you are protecting against that a good, non-reused password is not covering?

[stavros]

Keyloggers, stolen password databases, MITM, shoulder surfers, interception.

[necovek]

Yeah, that makes sense: I brought up stolen password hashes, but I generally disregard keyloggers/MITM/interception because I usually use trusted devices and network encryption (HTTPS), but not all sites do, and I can see how people might be forced to use untrusted devices.

Still, when you've got access to your password manager (to get your password and TOTP token too), you've got access to a trusted device too.

And there is still an option for anyone (including shoulder surfers) to type in your password+token a bit faster than you so they get in: nobody bats an eyelid for getting reprompted for another TOTP token.

You are also vulnerable to someone stealing your password manager password in this manner, especially with a cloud one (which is what most businesses require).

As a conclusion, it does grant you some extra protection against using password only, but when on a separate device, it's really another dimension.

[hnlmorg]

I'd be interested to know more about how you use your password manager to emulate hardware tokens

[stavros]

I don't currently, I meant more in a "I'm hoping they will implement this".

[hnlmorg]

Ahhh. I wonder if this is something I could cobble together with a few open source components.

I now have a weekend project....