Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms

Discussion in 'other security issues & news' started by ronjor, May 5, 2022.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,042
    Location:
    Texas
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Tech giants will try hard to slide into your DMs phone and connect everything together via cloud....
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Seriously, Apple, M$ and Google are all idiots! Stop trying to make us use our smartphones for 2FA, it's so stupid. I would rather see 2FA via hardware key, biometric login or authenticator that runs on the device itself (desktop/laptop/smartphone).
     
  4. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    Why?

    Many phones have biometric unlock and a Secure Enclave which makes using them to log in more secure than an average (weak?) password.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Would it still be 2-factor authentication? I mean, if someone's Windows is infected with a trojan eavesdropping on everything, it can also be extended to steal authenticator codes.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    It's stupid because I don't want to use my smartphone for 2FA.

    Yes, that's why it should be protected by the CPU, see link. And besides, don't forget that on smartphones there is no true 2FA either if you don't make use of biometric security or hardware security key.

    https://blog.dashlane.com/dashlane-intel-u2f-windows-password-manager/
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Seems like a cool Dashlane feature.


    Anyway, a standard TOTP smartphone app is 2FA even if someone does not use biometrics. Someone has to physically have free access to the smartphone (i.e. steal it) to obtain access to the 2FA codes, so even if you don't protect the smartphone with any lock screen at all it is still 2FA.

    For the passwordless auth system discussed in this thread, however, yes, some screen lock protection is needed: either biometric, hw security key, pattern or (sic!) password.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I would love it if apps and especially websites would support Intel U2F. I suppose you would first need to register trusted devices like desktop, laptop and tablet. So I'm not sure if it would work on devices not owned by you.

    What I meant is that in many mobile apps like online banking apps, there is no 2FA, you can simply log in with your PIN code or password. I suppose it's tied to your mobile phone number, but then again I keep reading about people being scammed by typing in their PIN/password on fake websites and then hackers can plunder their account. This shouldn't be possible with true 2FA.

     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    It feels off-topic, because banks do things slightly differently than Big Tech and you keep mixing them up. Anyway, in general the second factor is something you have. It means physical protection of some kind of object.

    I want to clarify that I am not talking about SMS-based authorization, but in-app authorization. When it comes to banking apps, at least those European ones I used, the assumption is that the app is tied to a particular smartphone, which in turn is something more or less protected physically. That physical protection and possession is that mysterious second factor. Before first use of an app on a new/factory-refreshed smartphone you need to somehow activate it, which ties it to the device. Different procedures are used by different banks. It may involve some connection/text to a particular phone number, but it is only temporary until the app is tied to the smartphone. Then that phone number is useless.
    I guess technically the banking app generates a secret token that can't be exported to the external filesystem.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I'm not sure what you mean with this, that I keep mixing it up. In my book, 2FA is some extra proof that you need to provide when you sign into some app or web service. This can be biometric like Face/Touch ID, or a hardware token like a YubiKey, or a sign-in code, but this code can also be delivered to the same device, as demonstrated by Intel U2F.

    Then why do I keep reading about people's bank accounts getting plundered once they have filled in username and PIN/password on some fake website? On PC-based websites this isn't enough to get access to someone's bank account, but on smartphones it apparently is possible, or perhaps I'm misunderstanding. So most banking apps don't seem to be tied to a phone number.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    I read about people giving thieves access to their bank account via web and smartphones.
    You must provide details. It is too vague.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK cool, will search for a couple of examples and report back. Because based on what I have read, I decided not to use my smartphone for online banking since in my view most mobile banking apps don't offer true 2FA, but perhaps I'm wrong.
     
  13. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
  14. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    My concern about mobile banking apps is that they use only a username and PIN/password, while with browser websites you will always have some form of 2FA, either SMS or hardware token. And malware is of course more of a risk on PCs when compared to smartphones, but 2FA should also take care of that.

    To be honest, it's not clear to me yet how this will work, will keep an eye on it.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    I never saw hardware token authentication in banking, either via web browser or Android app. I know from an insider that banks are looking at it, but it isn't easy to justify a business case for it. 2FA via YubiKey isn't bulletproof and has its limitations.
    2FA in banking apps is present, at least in the European ones. The user just doesn't need to constantly retype codes, because it is a one-time process done during app activation; then it is tied to a particular installation on a particular device.
    As a side note, even if a banking app weren't protected by 2FA, the legitimate user not using it wouldn't improve account security, because it is the adversary/thief that needs to use it.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    1. That's weird, I'm sure you know about those hardware authenticators used by just about all major banks in Holland like ABN AMRO, ING, Rabobank and SNS? This stuff is quite hard to hack and is much safer than SMS-based 2FA, see link.

    2. OK then I misunderstood, I didn't know banking apps were tied to a phone number. But I have just looked it up and this stuff is easy to bypass, by for example the so-called ''Tikkie fraud'', where hackers can simply install a banking app on their phone and register with your identity.

    https://www.onespan.com/products/hardware-authentication
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    1. No, I wasn't aware of that. That is cool! It seems there are more differences in banking even within the EU. However, I won't open a bank account in a foreign country just to use hardware-key 2FA.
    2. They usually don't. They are tied to the smartphone, not the phone number or SIM card. SMS may or may not be used during initial activation. It depends on the bank etc.
    What is stopping them from installing an app and logging in/activating it (in the country I live in logging in is not enough - you need to activate it before first use) when you don't use an app?
    I also think that if criminals have enough data about you to register a banking app with your identity then they may just open an account in a different bank and take a loan with your identity instead. I mean, it is probably easier to win a case in court to not pay for that credit than to win a legal battle with a bank to return your money transferred from your bank account, but in both cases it is still a pretty bad situation.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I somehow thought you were from Holland, so that's why I was a bit surprised. If your country doesn't offer this, it's pretty bad. But hopefully now you understand why I believe that banking on a PC feels safer to me when compared to banking on a mobile phone, even if so-called ''experts'' will say it's the other way around, I'm not buying it. Because I need true 2FA with hardware-based security.

    For me a username and PIN/password is not good enough, no matter if it's tied to a certain device. In fact, even SMS-based 2FA is not good enough because of SIM swapping. But to get back on topic, I'm not into this new PassKey ''passwordless'' stuff, there is nothing wrong with passwords as long as it's combined with 2FA. And I do not want to use my smartphone for 2FA. That's why I believe Google, Apple and M$ are stupid.
     
  20. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    This video (the non code parts) might be helpful:

    https://developer.apple.com/videos/play/wwdc2022/10092/
     
  21. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,147
    Location:
    USA
    So if we are to use our phones for this I expect a surge in stolen phones?
     
  23. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    definitely.
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    I think that people are already signed in to Google Accounts etc.
    I also don't know exactly how this works, because I am satisfied with standard TOTP auth codes. I only have this passwordless feature on my work phone, but there the phone settings are managed by the company I work for and there is just no option of having the lock screen disabled. The max time of inactivity that can be set is 2 minutes before the screen locks and asks for whatever method you are using to unlock it. Do these passwordless methods always require the screen lock to be enabled?
     
  25. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,423
    TOTP still has a small window that can be abused by phishers that put a fake website between you and the real website (as a MITM).

    With passkeys phishing apparently is no longer possible (the key won’t be filled on a fake website).
     
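The origin-binding point in the post above, as an added illustration (not code from any poster): a real RFC 6238 TOTP code is the same six digits wherever it is typed, whereas a passkey assertion carries the rpId hash and the browser-recorded origin, so a look-alike host can neither request the credential nor produce an assertion the bank accepts. The credential key, hostnames and challenges are constructed samples; HMAC-SHA256 stands in for the credential's real private-key signature.

```python
import hashlib, hmac, json, struct
from urllib.parse import urlparse

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the shared secret and the
    clock, never on which site it is typed into, which is the window a relaying page uses."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def browser_get(cred_key: bytes, rp_id: str, origin: str, challenge: str):
    """Browser + authenticator side of a passkey sign-in. The browser only lets a page use
    an rpId that matches its own origin, and it writes the real origin into clientData.
    HMAC-SHA256 stands in for the credential's private-key signature (simplification)."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a look-alike site cannot even request bank.example's credential
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(cred_key: bytes, assertion, rp_id: str, expected_origin: str, challenge: str) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure: type, challenge, origin,
    rpIdHash, user-presence flag, then the signature over authData || SHA-256(clientDataJSON)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False  # assertion was produced for another origin: reject
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest() or not auth_data[32] & 0x01:
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

if __name__ == "__main__":
    KEY = b"constructed-credential-key"  # constructed sample, not a real credential
    print(totp(b"12345678901234567890", 59))  # RFC 6238 test secret; same digits at any site
    real = browser_get(KEY, "bank.example", "https://bank.example", "c1")
    fake = browser_get(KEY, "bank.example", "https://bank-login.example", "c1")
    print(rp_verify(KEY, real, "bank.example", "https://bank.example", "c1"), fake is None)
```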