Hacker News new | ask | show | jobs
by autoexec 1503 days ago
FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password). Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Having something you know (a password) is more secure because something in your memory that you don't share can't be taken from you by any means. Passwords aren't perfect (you can be tricked into sharing it, or tortured into giving it up) but there are solutions for being forced to hand over a password, and neither tokens or biometrics solve the problem of people being tricked.

No one can murder you in an alley, and drag your lifeless corpse to an ATM and clean out your bank account because the murderers have your face, and fingerprints, even your cell phone, but not your pin. Good security should always require a secret that you know.

Not having a password would be fine for logging into low risk sites like this website, where at worst someone might get your account banned or post comments under your username, but any site or transaction where the risk is greater should just always require a password.
3 comments
txcwpalpha 1503 days ago
>FIDO weakens security by limiting authentication to just something you have (a device/USB token) and something you are (biometrics) while throwing out the requirement for something you know (a password).

Not necessarily. The specific implementation being talked about in the article is to use your phone as your FIDO device, and your phone has to be unlocked. So the "something you have" is your phone, and to unlock it, you can either use "something you are" (biometrics via face ID or fingerprint), or you can have a PIN/password on your phone to make it "something you know".

I wouldn't be surprised (and I would hope) that the FIDO app or feature on phones would also come with the ability to restrict it via PIN/password even if your phone unlocks via biometric.

link
autoexec 1503 days ago
I agree there are implementations that would be more secure, but they'd still require a password (even a weak version of one via 4 digit pin) and at that point we might as well just unlock our phones and click on the icon for a password manager.

The dream of a life without passwords sounds great, but I don't think FIDO can get us there and if it can't, we have to think about whether or not the extra convenience we can get from FIDO is worth what it would cost us in terms of all the data and control we'd be handing over to 3rd parties.

link
jjulius 1503 days ago
Preface: I've been busy as shit this week and haven't really read up on FIDO. I don't know that I have a position on it yet.

> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.

I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

link
idle_zealot 1503 days ago
> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security

> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.

link
jjulius 1503 days ago
I stand corrected on some of my phrasing, thank you for the correction. However...

>Services do not need a copy to validate your password, and should never store one.

"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.

link
idle_zealot 1503 days ago
Users don’t know how a site implements FIDO either.

With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.

All authentication schemes offer benefits only if implemented correctly.

link
autoexec 1503 days ago
> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

True, and better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.

As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.

> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.

link
JumpCrisscross 1503 days ago
> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.

link
autoexec 1503 days ago
"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. Its better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.

link
ryukafalz 1503 days ago
FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.
link
autoexec 1503 days ago
True, but then you're basically back to having passwords. Weak ones even (assuming a 4 digit pin).

Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.

link
epistasis 1503 days ago
FIDO is quite old, and a huuuuuuuge upgrade over a password based system in terms of both security and in terms of user convenience.

It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that is has rolled out to slowly, not that it is in any way inferior to our horrendously insecure web dozens of accounts secured by a weak human memorizable password, or worse reused passwords.

link
jerednel 1503 days ago
Per the Fido spec, “Something you know” can still be used to unlock the Fido Authenticator by way of a pin.

Passwordless is better because you aren’t storing a phishable password on a server.

link