[x1798DE]

I think this is just illustrating precisely the point of two-factor authentication, which is defense in depth. Right now, you have one factor which means that anything that compromises that factor compromises you, and who knows what bizarre attacks someone can land once they've started penetrating your defenses. By publishing your password, you're going back down to a single factor (and in some ways it's worse than that, because who knows what security policies are in place for most services - having half of a two-factor pair here has clearly been interpreted as being someone "more authenticated" than having NONE of a single factor).

That said, I would love it if the default single factor authentication method were public keys rather than passwords. I get how impractical that is with people constantly trying to access things in some device-independent way, but I fantasize about a world where everyone carries around a cheap hardware authentication module that just negotiates the cryptographic part of SSL handshakes as the primary authentication factor (with passwords and biometrics as secondary and tertiary factors as desired). Sure would be nice if the only thing that could be leaked after a data breach was your public key.

[lotsofcows]

"a world where everyone carries around a cheap hardware authentication module"

You mean you don't have ssh-agent and Google Authenticator on your mobile 'phone?

[x1798DE]

Well, what I mean is that we'd ideally have a situation where there are cheap dedicated hardware modules which contain your private key, so that you never have to trust your private key to a phone or a laptop. A phone can play that role and likely will at some point, but I'd still like something that is dumber than a phone, because I don't want the device itself to be able to harbor malware. Plus, the idea of such an HSM would be that you carry it around and then you can plug it in (or wirelessly connect it) to any system you're using, and all that system would be able to do is ask it to use its private key (which the system wouldn't be able to see) to calculate the response to some authentication query. If you're worried that your terminal might be compromised, you wouldn't really want to connect it to your phone.

Also, Google Authenticator is similar to a really fancy password because it's a symmetric key system. It's nice because you only have to enter in one-time passwords on untrusted devices, but the downside is that both you and the service you're authenticating with has the same key, meaning that if either you or the service you're authenticating with is compromised, the attacker can authenticate as you. With SSL, the service being compromised doesn't actually get the attacker anything except your public key.

[lotsofcows]

I agree with your point about modern 'phones being too easy to compromise although I don't agree about the terminal being a specific vector - if I'm concerned that the terminal is compromised, I'm not going to use it.

Also a good point re GA - I'm not sure why it uses symmetric keys. When it first came out I'd have assumed it was for relative easy of data entry but now that even bash trivially displays QR codes it's due an update.

[rcaught]

> a world where everyone carries around a cheap hardware authentication module

There are moves towards such a future with U2F / UAF (Fido) and Yubikeys (a U2F version is meant to be released this year). I know it won't roll out exactly as planned, but I'm still excited by the tech.

[ef4]

Yeah, U2F is exciting. It has a lot of weight behind it, and I can't wait to try out the new Yubikey implementation.

We move closer to the day when I can buy embedded authentication hardware in the form of a ring, and I can make endless jokes about One Ring to Rule Them All.