Google joins FIDO's crusade to replace passwords

This is great news for privacy.
Awful news for anonymity.

 

How is this good for privacy? This is BAD for privacy and anonymity.

 

"including biometrics such as fingerprint scanners and voice and facial recognition". But of course Google would think of these things. Hey, Google, intend to pay for these fingerprint scanners and special hardware/software for end users? How about the millions of websites that would have to implement it? You plan on paying for that as well? Passwords aren't broken, they just fell victim to the disease that plagues all end users, laziness.

 

well said! the issues are human sourced. bad code, bad habits, sloth the list goes on.

Google can add my biometrics to their databases of personal information.


Are no laws against invasion of privacy?

 

Most websites ask passwords between 6 and 20 characters, my password for Skype is 20 characters, my bank asks for 12 characters. Websites have to modify their products to accept passwords with 32-50 Characters. My password for keepass is 50 characters and 291 bits. Modifying all existing products would cost websites money for programers, it would be cheaper to get the end user to pay for additional hardware.

 

Which you better come with some fantastic talking to get the public to do. That's the biggest problem, someone is going to have to pay for this stuff and unless it's the very big players (whom are a tiny portion of the entire net), it's not likely to be the websites footing the bill.

 

Once I knew Google had their own space program, I came to the conclusion that they can do ANYTHING they want to. It's an empire. I'm not saying that's good or bad, but spending money on hardware for this user profiling system, seems like something they could do with a finger snap.

 

I just assumed that this would make your accounts impossible to hack and eliminate the man-in-the-middle = privacy? however, you will always be identified as the same person = no anonymity.

Maybe I'm thinking wrong, but then again I don't fear Google. I fear malicious users.

 

Someday soon I suggest we READ and UNDERSTAND google's privacy policy.

 

Can you name the last successful attack using brute force?

 

Makes it sound privacy friendly, doesn't it? Anyone buying that?

 

I assume it's just a matter of time before everything works based on IRIS scans, facial/voice recognition and fingerprints. Maybe 20 years from now when you go buy gas or anything they will recognize you, scan your eyes for verification and deduct the necessary funds from your account. Like Minority Report.

 

Nope, not for a minute.

 

No matter how good the biometric devices might be, there's no way I'll believe that all of the software they need to function is exploit proof. What this will do is greatly increase the cost of failure. Exploit a vulnerable part of that software and an attacker gains access to everything that uses it. If reusing passwords is bad, how can this be good?

I'm not only not buying it. I'm refusing to use it and won't add any device with such abilities to my system or network.

 

It's easy for end users to deal with passwords via managers, etc. The problem with passwords, and why they are always called 'broken', is more due to LDAP and Pass The Hash attacks, where hardware tokens are far more secure.

 

No such thing as absolute security and any effort to make security and privacy convenient usually ends up making it much easier for the attacker as well. Even if you could build some kind of consolidated system, I wouldn't trust it. Diversity is your friend. Besides, users are at enough risk already. Even if you change passwords and security questions/answers religiously. There is always the chance your data could be exposed. We just had another plain text exposure last week. If companies can't secure the servers they are already using. How exactly are they going to pull this off?

 

It's okay, I can just cut off your thumbs at the ATM or in your home to hack into your things, hey it could be months before anyone missed you right? I could store the thumb in cold storage for whenever I need it. Which is why this system is dumb, and if it ever became mandatory, well goodbye internet.

 

From the FIDO Alliance's site, this appears to be just a draft for a public key cryptography method of authentication, and nothing else... I'm not saying that it is a wrong idea, but why is this considered something new?

 

Its hard to say how new/novel, if at all, their design is without detailed documentation. Earlier this year I carefully read all the public info at the FIDO Alliance website. It appears to me they've since changed their website and I don't see similarly detailed descriptions any more. FWIW, older copies of the "How it works" page are still available:

http://web.archive.org/web/20130317011249/http://fidoalliance.org/how-it-works.html

but I believe there was another page with descriptions and I can't find older copies of that one. I briefly commented on the subject back then:

https://www.wilderssecurity.com/showthread.php?p=2228608#post2228608

which touched upon what may be one twist that isn't inherent to public key cryptography based authentication... a design built around hardware embedded/derived tokens, which can help or hurt security depending on implementation and context. There was also mention of an Internet repository (IIRC, multiple repositories were mentioned somewhere) for registering tokens and that was a hmmm. I believe there was also mention of utilizing encryption which would be resistant to local machine compromise (and therefore possibly end user monitoring).

I thought the descriptions I saw back then were fuzzy, and I don't know where their plans/designs stand now. Has someone found recent descriptions worth studying? Perhaps some would still say we've seen such techniques and combinations thereof before. Either way, though, it smells as though there will be something new as in "newly available implementations" being pushed out by these and other players.