
The Devil Is in the Details of Project Verify’s Goal to Eliminate Passwords - DiabloD3
https://www.eff.org/deeplinks/2018/10/project-verify
======
rustamm
Phone numbers are awful for authentication. I stopped using my Russian phone
number once I moved to the US and mobile carrier just reassigned that phone
number to some other customer.

I found out when I saw myself in my Telegram contact list having other
person's avatar and I assume people who had my old phone number in contacts
also saw a new account in their Telegram contact lists under my name.

~~~
ObsoleteNerd
In Australia it's outright common to have recycled numbers. I've had a few. My
work phone had to be given a new number 3 times in the first 6 months until I
had a usable one, because I kept getting random calls at all hours of the
day/night looking for people who weren't me. It's mostly for work phones for
some reason (I assume they have a higher rotation of usage as employees come
and go, and nearly all companies use the same provider, Telstra), but my
brother got a number that was someone else's before him too so it does happen
privately.

The idea of phone numbers being the prime authenticator is laughable. I'll
actively avoid any service who ever does this.

------
nostromo
There's simply no way I trust AT&T, Sprint, T-Mobile, and Verizon to secure my
private information.

~~~
qrbLPHiKpiux
There's not even a way I would trust anyone else with my most private data
except me.

------
civilian
Why can't we use private keys as a way to log into websites? It's good enough
for servers, and it's good enough for git access. I'd be way more comfortable
about simply having my browser have access to a private key, and prompt me to
use it to login when a webpage had a keyed login prompt. It seems like
private key login would solve the problem of guessing & phishing passwords.

(Someone plz fork Chromium and build this in! And hit me up when you want me
to make the Django/ExpressJS auth plugin for it.)

~~~
tonyhb
WebAuthn does this, and chrome/FF/edge support this. They're also adding CTAP2
support allowing the use of biometric, BTLE, and NFC devices to provide
authentication keys.

Soon you'll be able to use TouchID to log in to your website, provided you've
associated the pubkey from your fingerprint authn with your website.

[https://www.chromestatus.com/features#component%3A%20Blink%3...](https://www.chromestatus.com/features#component%3A%20Blink%3EWebAuthentication)
(TouchID on MacOS: TBD)

[https://bugs.chromium.org/p/chromium/issues/detail?id=780078...](https://bugs.chromium.org/p/chromium/issues/detail?id=780078#c31)
(CTAP2: merged)

[https://www.chromestatus.com/features/6288375388569600](https://www.chromestatus.com/features/6288375388569600).

We're integrating webauthn for our medical clinics as a way to support easy,
secure authentication without 2FA to reduce sharing of ipads with a session
logged in.

More reading: [https://duo.com/blog/developments-to-webauthn-and-the-fido2-...](https://duo.com/blog/developments-to-webauthn-and-the-fido2-framework)

~~~
plopz
So instead of password managers we'll have private key managers?

~~~
tialaramex
WebAuthn private keys don't exist at all outside of the physical token. So
there's nothing to manage. If you rely on WebAuthn as an essential
authentication step you'd have two or more tokens registered and treat those
the same way you would house keys.

~~~
simongr3dal
When you lose a house key it's pretty manageable to get a few locks changed,
but it can be rather overwhelming to remember all the dozens of websites that
have your auth details, and update them.

~~~
tialaramex
Good news. Like a house key, the FIDO keys are basically anonymous. So, as
long as you didn't e.g. leave it with your wallet on a bus, or write on it
with non-erasable marker "simongr3dal@example.com" losing the key is not that
scary.

In fact, unlike a house key, the Security Key works fine for its new owner,
they can register it to sign into their Facebook, or whatever, that will work
fine. Facebook will have no idea it's your key, now it's their key.

If they know you're simongr3dal@example.com on Facebook then that's a problem,
yes, as obviously they can sign in as you, but if it's so hard for you to
remember what you signed up to, seems like it'll be pretty hard for a
hypothetical finder to figure out too... "Hmm, I wonder if this random
stranger was into Diaper Porn and Antique furniture?"

------
interfixus
How many years have we been hearing username/password auth is outdated and
difficult and stupid and insecure? Fifteen? Twenty? Something like that at
least, and I'm headbangingly tired of it. As tired as of the two factor idiocy
popping up everywhere these days. Latest offender I've run into is Digital
Ocean, who might otherwise have lured me back with a recent promotional offer.
But no, they had to go and ruin it by plastering me with emails and codes and
whatnot every single time I tried logging in, presumably because I like to get
rid of my cookies the instance I leave a site.

Listen, _passwords are not hard to use_. Mine are 256 bit and utterly random
everywhere they are allowed to be. I manage them responsibly. It's not a
hassle, anyone can do it, there are great tools for the job. I do not _want_
any centralised single sign-on solutions or other fancy hocus pocus, I do not
_need_ them, and I feel - increasingly - penalised for the laziness of those
who can't be bothered.

So, in short, whatever this is about, I can only hope it fails like so many
other attempts before it. The _Log in with Google & Facebook_ buttons
proliferating on every second site out there are plenty bad enough.

------
FilterSweep
I find it very troubling how small/nonexistent the outcry is over such an
invasive concept.

The PR teams are already hard at work making Facebookian claims of user
privacy control that were found to be grossly untrue.

I personally will need to be diligent in avoiding the firms that adopt this
service at all costs.

Furthermore, you have to wonder why seemingly “competitive” entities (as far as
an oligopoly goes) would collude to provide such a service. Their motives
have already been demonstrated to be bad in the past.

Further reading (if you haven’t already):
[https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-t...](https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/#more-45035)

------
gammateam
I am going to start suing everyone for negligence - or whatever applicable
term my lawyers can think of - if they force me to use SMS authentication with
no other OTP alternative.

------
marcus_holmes
I move country every month or so at the moment. Since telecom providers choose
to charge vast sums of money for roaming, I have to get a new sim card in each
country. So this whole system is just not going to work for me.

It also means that my phone number is meaningless. I never answer it, as I
only use messaging (or messaging calls) to talk to people. But this isn't
unique to my situation. A lot of non-roaming friends are the same - they never
use phone or even SMS any more. The only people who phone using your number
are spammers, scammers and marketroids.

I'm an edge case, but what of someone going on holiday for two weeks? At the
moment, they still get a local SIM, because it's massively cheaper than
roaming. This would prevent that.

Maybe that's the point - the telecoms companies need a way to keep us locked
to our SIMs so we can't switch providers at the drop of a hat.

~~~
LoSboccacc
Same here. Even if I am not a frequent roamer, I change country every now and
then.

Whatsapp already shows how painful it is to use ephemeral phone numbers as
identity: when you change your number, even with their migration procedure,
you still have to notify all your contacts, because at most numbers are
authentication, not identification. Doesn't strike me as unusual however that
corporations with an obsession on control and snooping are trying to conflate the
two.

------
xte
Anytime someone says passwords are not good I reply: can you change your fingerprint?
Can you change your retinal imprint? How accessible are such data? => biometrics
are no good.

n-th factor auth: how can we trust a token? I mean at a hardware level? => if
we can really control it, it's a nice ADDITION to password protection, but no
more.

Other options like "granted third parties" (SSO solutions of any kind, from
Google to mobile phone auth) IMVHO can be trusted LESS than passwords. So in
the end we only need to teach the XKCD password strength vignette and teach
developers how to care about security.

~~~
hirsin
No one should ever be putting your biometrics in the cloud. Similar to a PIN,
they are only used to secure a device locally once you've already
authenticated. So eg you prove ownership of your email + phone number to
authenticate, then save the token locally secured by a fingerprint.

For good implementations, it's not a naive token saved to the hard drive but a
key saved to the enclave that's initialized during first auth. To crack that
you need to get sufficiently advanced malware onto the device so that it can
break open the enclave.

These both are significantly more secure than a password that anyone can spray
against the target from anywhere and that is subject to reuse.

~~~
xte
In the end what you say is really "I trust my device and vendor more than
myself". Not really a concept I accept...

Of course too many lusers use IT devices even for serious work, but considering
their "luser" characteristic a natural fact and, instead of education,
preferring to trust a vendor is for me like preferring a dictatorship hoping that "it
will be a good one" because people are not adult enough to be in a democracy.

A small classic example we all know, "ok, you are authenticated because you
have entered the correct username & password, now prove it a bit more by typing
an OTP I send to your mobile via SMS", can be easily read as: "I do not trust
you enough because someone may have stolen your username & password BUT I consider
it unlikely enough that he/she/it also stole your mobile", and as a consequence it
means that carriers/phones are considered more trusted than human beings. Not
a good thing for me, not a thing I can accept despite it having, in limited cases,
some points.

Also I do not want my carrier knowing all the services I use and when I use them;
it's a significant metadata leak that may be irrelevant in a single case but may
become relevant in other cases.

~~~
ubercow13
So write down the secret OTP key, do the crypto yourself with a pen and paper,
or failing that with any device (laptop, hardware TOTP device) you own, using
open source software, or build your own using the standard. It's nothing to do
with your phone or carrier.

~~~
xte
I simply do not need such kind of authentication for myself, at least I do the
best to avoid such need.

Try to think of a Plan9-like world, which means user-centered not "modern
mainframe centered". We still need services, but there is no need to have them
like today.

