[roywashere]

The article does not fully explain it, but the proposal is about using FIDO to sign in to services. The article simplifies this as signing in by unlocking your phone, but that is just one way to do FIDO (and possibly the most common way). If you prefer not to use your phone, you can also use a YubiKey or similar on your desktop/laptop; pushing FIDO as a standard would probably make it possible to use a YubiKey with much more services than today!

[autoexec]

FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password). Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Having something you know (a password) is more secure because something in your memory that you don't share can't be taken from you by any means. Passwords aren't perfect (you can be tricked into sharing it, or tortured into giving it up) but there are solutions for being forced to hand over a password, and neither tokens or biometrics solve the problem of people being tricked.

No one can murder you in an alley, and drag your lifeless corpse to an ATM and clean out your bank account because the murderers have your face, and fingerprints, even your cell phone, but not your pin. Good security should always require a secret that you know.

Not having a password would be fine for logging into low risk sites like this website, where at worst someone might get your account banned or post comments under your username, but any site or transaction where the risk is greater should just always require a password.

[txcwpalpha]

>FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password).

Not necessarily. The specific implementation being talked about in the article is to use your phone as your FIDO device, and your phone has to be unlocked. So the "something you have" is your phone, and to unlock it, you can either use "something you are" (biometrics via face ID or fingerprint), or you can have a PIN/password on your phone to make it "something you know".

I wouldn't be surprised (and I would hope) that the FIDO app or feature on phones would also come with the ability to restrict it via PIN/password even if your phone unlocks via biometric.

[autoexec]

I agree there are implementations that would be more secure, but they'd still require a password (even a weak version of one via 4 digit pin) and at that point we might as well just unlock our phones and click on the icon for a password manager.

The dream of a life without passwords sounds great, but I don't think FIDO can get us there and if it can't, we have to think about whether or not the extra convenience we can get from FIDO is worth what it would cost us in terms of all the data and control we'd be handing over to 3rd parties.

[jjulius]

Preface: I've been busy as shit this week and haven't really read up on FIDO. I don't know that I have a position on it yet.

> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.

I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

[idle_zealot]

> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security

> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.

[jjulius]

I stand corrected on some of my phrasing, thank you for the correction. However...

>Services do not need a copy to validate your password, and should never store one.

"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.

[idle_zealot]

Users don’t know how a site implements FIDO either.

With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.

All authentication schemes offer benefits only if implemented correctly.

[autoexec]

> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

True, and better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.

As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.

> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.

[JumpCrisscross]

> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.

[autoexec]

"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. Its better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.

[ryukafalz]

FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.

[epistasis]

FIDO is quite old, and a huuuuuuuge upgrade over a password based system in terms of both security and in terms of user convenience.

It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that is has rolled out to slowly, not that it is in any way inferior to our horrendously insecure web dozens of accounts secured by a weak human memorizable password, or worse reused passwords.

[jerednel]

Per the Fido spec, “Something you know” can still be used to unlock the Fido Authenticator by way of a pin.

Passwordless is better because you aren’t storing a phishable password on a server.

[rstuart4133]

If there is an article that explains what's different about passkey under the hood, I've yet to find it. That's not entirely surprising as it's brand new. Still it's mighty frustrating when google searches just page after page of re-writes of fido/google/microsoft press releases, all saying little more than "hey! passkey replaced passwords (and it somehow involves phones and bluetooth)".

Yes, I know uses FIDO under the hood. But the there are very few ELIA5's for FIDO either. One's that start with "It starts with a super secret private key the FIDO device creates and never leaves the device, so no one ever can learn it. In fact, the security and cost effectiveness of the system rests on the fact that it's near impossible to extract that secret from a piece of cheap silicon. The system works because it's possible for the device to prove it knows that one thing only it could know, without ever revelling what the secret is. ..." From there it goes on to explain the techniques use to ensure despite using the same secret for every server, no two servers (from different domains) will know the same key was used to log into each. And on it goes with mutal auth, and immunity to MITM attacks and on and on. Now I think about it, maybe 5 is a little too young.

Then people say disturbing things about Passkey, like https://www.hanko.io/blog/on-passkeys : "Passkeys = (synced) WebAuthn credentials". Hang on. Is that saying this super secret key never escaped the FIDO token is now synced???

And were is this super secret key stored on the phone? Storing it in a hardware token that receive a backdoor'ed firmware upgrade is one thing. Storing it in a device that accepts firmware upgrades, when governments such as Australia's have passed laws allowing them to compel manufacturers to backdoor firmware upgrades is quite another. But storing that secret on an Android or iOS phone, that are so complex they have proved impossible to make them secure, which we know because many can still be root'ed today - surely that's insanity?

But who knows maybe that's all been thought of and mitigated. Given Google's involvement, that almost seems likely. But you could never learn if it was true from dumbed down to the point of uselessness "hey! we've invented (ye another) replacement for passwords" press releases I've seen so far.