Hacker News new | past | comments | ask | show | jobs | submit login

I'd like to see sites offer the option of not using password-based authentication. Instead I'd like to see public key based authentication as an option.

Basically, the site would have a copy of my public key (say my GPG key or an ssh key), and to authenticate I prove that I have access to the corresponding private key.




You've just described SSL with client certificates. Works perfectly well, is extremely secure, and has an extremely bad GUI in pretty much every browser ever. (It's somewhat difficult to use "on the road", but that's arguably a security feature.)


I ponder the quality of the GUI is a testament to the frequency of the mechanism's use.

But the worse GUI is arguably better than no GUI at all:

http://code.google.com/p/android/issues/detail?id=8196 and http://stackoverflow.com/questions/357491/iphone-client-cert...

So, for the purposes of the growing mobile browser market (where having this would be the biggest benefit IMO), this is not applicable.

Which is a bit unfortunate.


The only website I log in with using client certificates is https://www.startssl.com/ and it seems to work quite well. The UI is pretty rubbish in Firefox though I agree. Not tried other browsers.

There's an addon for Firefox called Enigform (I've not tried it out yet) which uses PGP for web authentication:

http://enigform.mozdev.org/


Easy to use on the road - don't use soft certs, use a smartcard! Works for every DOD network user around the world today...


With smartphones this is increasingly feasible. Lots of sites already use smartphone based two factor authentication (similar to rsa keys). There's no reason why a challenge / response system couldn't be set up using smartphones. For example, a website gives you a string of numbers, you input those in your smartphone app and get the response which yiu then input back to the site, the site can't determine the response ahead of time but it can validate it.


This is how blizzard (World of Warcraft) authenticators work. It's quite ironic how an online game has strong security mechanisms, yet many tools that people use just as often or more (gmail, facebook, pretty much all SaaS tools, including business) and that are are certainly more 'important' (in an objective sense, I understand that people are more attached to their WoW character than to their customer database) don't.


gmail at least has two-factor authentication

http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...

yet my bank's web site, not so much.


WoW and gmail and other 2-factor authentication use the simpler method, 2-factor authentication using a shared secret that isn't passed over the wire (the seed for a PRNG). However, this method is still vulnerable if a hacker gains access to the seeds on the host computer. This is what happened to RSA recently and it's a very bad thing when it happens.

What I was talking about was something different. Public/private key encryption where only the public key is stored on the server.

Here's an example scenario: the server generates a random pass-phrase then encrypts it using the public key. The end-user then uses their smartphone where the private key is stored to decrypt the message and return the original pass-phrase back to the server, proving they have the private key. There are similar ways of achieving a similar result that are less cumbersome and awkward. The advantage is that if the public key is leaked it's not a big deal, it can't be used to gain access to the system.


Facebook also has this feature. It'll send a SMS with the security code and you'll type in the web UI. Since it's SMS and not an app, it also works on non-smart phones. You need to link a mobile to your Facebook account. https://www.facebook.com/help/?page=132501803490562


That's already possible with SSL sites - sign up for an account at www.startssl.com if you want to see a real-life example.


Oops! StartSSL was compromised this month, although they say the issue is remediated now. http://news.netcraft.com/archives/2011/06/22/startssl-suspen...


Yes, using client certificates for authentication does not make your service immune from security problems.


This is how we use github among other things. AFAIK there isn't standard support for this sort of thing in the browsers though.


I'd prefer they'd use OpenID. It would be easier for them to implement, and it'd let you use PKI with providers like https://certifi.ca/


certifi.ca's very own cert is expired. That doesn't make me trust them much.


I don't use them either (since they don't support CNAMEing your own domain to them like MyOpenID), but it was just an example, there are more, and you can even install your own.


What do you do when you loose the keys? And the default behavior or enabling keys whenever your computer is open? One click bank account access?


    What do you do when you loose the keys?
You don't. And ideally you have a single key. If you can be trusted to keep a social security card and a passport, you can just as easily keep a key safe. Print it out. Store it in a safe place. We've been doing that for centuries.

    And the default behavior or enabling keys whenever your computer is open?
You can password protect your keys.


Passports and social security cards are physical items. Because of this, they have the inherent property of not being capable of ubiquity.

If someone steals your passport, you'll know: you won't be able to find it.

Digital keys have no such properties. If someone steals your private key, you will have no idea until you see them steal all your money and accounts.

Physical items also need to be carried to a destination to be used. If someone steals your passport, they may be able to take over your bank accounts, etc. For that, they have to actually go in person to meet a bank manager and pretend to be you. People do that fairly successfully, but it's hardly an efficient process.

A digital passport/key, on the other hand, could be abused immediately after it's been stolen, and could be used across all your accounts within the hour, before you've even realised you've been robbed.

Finally, you can only use one passport at a time. Not only it takes time, but you need a career criminal dedicated to each "process".

A digital key robbery, however, requires no human element, and thus can be done in parallel at a large scale. One could use Trojans to capture the keys of a large number of people and steal their money in an automated manner without ever showing up at a bank.

All those problems can perhaps be solved, but they are not easy and they have nothing to do with keeping the key safe - more to do with keeping the process of using the key as inefficient as possible. The best way to ensure your digital key cannot be abused is to make sure that you can only use it in person in front of other human beings, on authorised hardware.

So, pretty much like the way our bank cards work, then.


I think we have to distinguish between stealing and cloning here. If someone steals the scrap of paper you wrote your key on, then you will know. And passports do get cloned; the issue is convenience.

1. http://www.independent.co.uk/news/uk/home-news/clone-wars-mo...

2. http://www.expatsvoice.org/forum/showthread.php?t=7001

I guess that Mossad can gather the information needed to clone a passport in under half a minute.

So while I agree that the analogy between key reminder and password is not perfect, the point is basically sound.

(On rereading your post, your point [p]hysical items also need to be carried to a destination to be used made me realise that I might have misunderstood the point you were making, but also that you may have misunderstood the point ihodes was making).


The Brazilian government has been trying to popularize digital certificates stored in smart cards and tamper-proof USB tokens that seem to be a solution to the problems you pointed at. The main barrier to adoption right now is cost, mainly because certificate issuers have little competition and a good chunk of money between infrastructure and concession fees to recoup.


Here in Portugal our new national ID cards all have a public/private key pair and the card itself can sign stuff without copying the private key to the machine, making the process very safe even when using it on a public machine.

In a couple of years everyone will have on of those cards, the problem is that nobody has readers.


Here in Belgium we have the same cards, and the readers are cheap. The reason they will be wide-spread is because you can use them to file your taxes online, which many people are starting to prefer over the paper version. I think it's a good incentive for people to start buying these things. I just hope they will become standard on computers soon, but I fear not because the dominant markets (US, really) don't have such systems.


Yeah, if they start requiring the cards for delivering the taxes online I think we'll have millions of PCs with readers in a year or two.


The US military uses smart cards with X.509 certificates for authentication: http://en.wikipedia.org/wiki/Common_Access_Card




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: