Hacker News new | ask | show | jobs
by bheadmaster 1349 days ago
I don't think "things I own" is a bad security model in itself.

The ideal of authentication (to me) seems to be some kind of USB dongle with your private key baked in the hardware, that you can use to create digital signatures proving your identity. Short of stealing the dongle, there is no way anyone can steal your identity.
2 comments
alistairSH 1349 days ago
Using your dongle example, how do you access important services away from home? Carry the dongle everywhere? If so, you risk losing the dongle.

Same with your phone as the "thing I own". That's great, until the phone dies/breaks/gets lost. Hopefully you have a tablet as backup, or the paper copy of your one-time codes in your wallet.

I don't have a good answer. I just hate the idea of needing to access banking services when traveling should my phone become unavailable.

link
bheadmaster 1349 days ago
> Carry the dongle everywhere? If so, you risk losing the dongle.

To be fair, we also carry our IDs everywhere and risk losing them all the time, yet it works pretty fine in most cases. Losing your ID is painful, and so would be losing the dongle, but the security of it outweighs the risk, IMHO.

Even more if we create dongles that are shaped like cards, so we can keep them in our wallets like IDs.

link
AstralStorm 1349 days ago
Normally you do not use the ID in day to day operations. A better example would be a credit card, which combines a password (or pin) with a cryptographic chip.

The card itself is too easy to steal, hence the backup password. The other possibility is biometrics, but these come with their own problems.

link
svachalek 1349 days ago
It sounds like you don't live in the USA. No passwords here.
link
pabs3 1349 days ago
The answer with WebAuthn devices is to have more than one of them. When traveling, keep one in your safe, one with your home computer, one in the hotel and one along with your laptop. With WebAuthn passkeys, they are synced to the cloud so are available on all your devices or anywhere you have access to your cloud accounts.
link
pabs3 1349 days ago
Apple/Microsoft are also adding WebAuthn "passkeys", which is basically the same as the USB device thing, except the keys are stored on your laptop instead, perhaps in the TPM or similar. They are also synced across devices using their cloud services.
link