[jjulius]

Preface: I've been busy as shit this week and haven't really read up on FIDO. I don't know that I have a position on it yet.

> Something you have can be easily stolen, and biometrics cannot be kept secret, can be forged, and can't be reset/changed once compromised.

Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security, and at least some of those corporations duplicate copies of those databases across different data centers throughout the world. These databases can essentially be accessed by anyone, anywhere.

I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

[idle_zealot]

> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security

> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.

[jjulius]

I stand corrected on some of my phrasing, thank you for the correction. However...

>Services do not need a copy to validate your password, and should never store one.

"Do not need" and "should" are the key words here. Users don't know how a site stores passwords, we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.

[idle_zealot]

Users don’t know how a site implements FIDO either.

With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.

All authentication schemes offer benefits only if implemented correctly.

[autoexec]

> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

True, and better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.

As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.

> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.

[JumpCrisscross]

> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.

[autoexec]

"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. Its better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.

[ryukafalz]

FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.

[autoexec]

True, but then you're basically back to having passwords. Weak ones even (assuming a 4 digit pin).

Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.

[epistasis]

FIDO is quite old, and a huuuuuuuge upgrade over a password based system in terms of both security and in terms of user convenience.

It feels weird to encounter resistance to FIDO on HN of all places. The biggest complaint about FIDO is that is has rolled out to slowly, not that it is in any way inferior to our horrendously insecure web dozens of accounts secured by a weak human memorizable password, or worse reused passwords.