
Yubico and Microsoft Introduce Passwordless Login - guitarbill
https://www.yubico.com/2018/04/yubico-and-microsoft-introduce-passwordless-login/
======
emlun
I'd like to try to answer some common questions I see here:

\- Q: Doesn't passwordless mean single factor? Isn't that insecure?

A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an
on-device PIN that isn't shared with the server, like conventional smart
cards. This allows the key to act as both "something you have" (the key
itself) and "something you know" (the PIN for the key). The PIN is optional,
though, so both the single factor and two factor use cases are possible.

\- Q: Is this Azure/Windows/AD only?

A: This post highlights the partnership with Microsoft and the integration
with their products, but FIDO2 is not Microsoft-only (and Yubico will not be
the only key vendor). CTAP2, once finished, will be published as an open
standard like U2F, and the accompanying Web Authentication API [1] (WIP) is an
OS-agnostic W3C standard enabling the same features in browsers.

[1]: [https://www.w3.org/TR/webauthn/](https://www.w3.org/TR/webauthn/)

\- Q: Will I need a new YubiKey?

A: For passwordless (PIN) login, yes. However, existing YubiKeys with U2F
support will be usable as a 2nd factor in Web Authentication, and sites that
currently use U2F can upgrade to using the Web Authentication API without
needing their users to re-enroll their keys.

Full disclosure: I'm a Yubico engineer and one of the editors of the Web
Authentication spec.

~~~
ahelwer
What's the deal with lost yubikey user workflow? Rely on individual websites
to give you a one-time recovery passcode that you then have to input into
every website? I can't believe I'm taking UX cues from cryptocurrencies, but
what about providing the user with a seed for the yubikey private key they can
back-up offline then reinstall in a new yubikey?

P.S. just ordered a yubikey security key, excited to add this additional layer
to my own personal byzantine security labyrinth. Or maybe simplify it, who
knows!

~~~
emlun
It's still a largely unsolved problem, unfortunately. Enabling private key
backup comes with a suite of nasty problems like what it means for device
attestation and how to guarantee that a key hasn't been cloned in transit. Our
best recommendation right now is to have a backup key, but it still means you
have to register it everywhere in advance and then go to each site to revoke
the lost key.

At least Web Authentication platform credentials should let you have multiple
authenticators without having to buy an extra YubiKey.

------
krupan
The conversation here is blowing my mind. People are actually worried that
their yubikey might get lost or stolen when likely most of your passwords are
already all over the internet. I got an email from Twitter just a few days ago
stating that they'd leaked my password. Twitter! Not Joe's Auto-Body who's
website is being run by a high-schooler, but one of the pioneers of internet
companies. They messed up. Your password is not safer "in your head" than a
private key because it is not only in your head (who keeps all passwords in
their head anymore anyway?)

Private keys are way, way more secure than passwords for that reason alone.
You don't have to give anything secret to a third party.

If that's the one problem this solves and revocation and recovery and 2-factor
are all still as difficult and broken as they are now with passwords that's
still a huge win.

EDIT: more thoughts. I also really hope that hardware tokens like a yubikey
are not required for every site or app. I'd like to be able to keep private
keys on my phone or laptop for some things (how many of us keep our ssh keys
exclusively on hardware tokens?).

~~~
TheDong
> I got an email from Twitter just a few days ago stating that they'd leaked
> my password

Clearly you didn't read the email.

The password was potentially logged to twitter's servers in plaintext.

They have no evidence anyone collected those passwords, but various employees
could, in theory, have seen those logs.

Presumably those logs are now all deleted.

Even if you didn't reset your twitter password, it's very likely you'd be fine
since it's not "leaked" (to the wider internet), but could have been seen by
some employees who, for fear of being fired, no doubt did not save it (and in
all likelyhood didn't see it in the first place).

~~~
krupan
You obviously are more trusting than I am. Also, my point was that if Twitter
messed up, so has every other website. Do you trust them all as much as you
trust the Twitter employees?

~~~
ajeet_dhaliwal
You don’t trust Twitter’s story but you trust Twitter software engineers more
than others?

I trust Twitter’s story about the plain text logging but don’t trust their
software engineers more than others.

------
BoppreH
Did they improve the stories for recovery ("I lost my device") and revocation
("my device has been stolen")? As far as I knew you had to buy 2 devices to
have a chance of recovery, and Fido 1 explicitly said "revocation is something
that needs to be resolved by each website that authenticates users", which is
just asking for trouble.

I would love to have a hardware (or even phone-based) alternative to
passwords, with no third-party and better privacy, but I feel like this
solution only handles the happy path.

For an example of a happy-path-only system that makes me nervous, look at
Google Authenticator. Recovery is made with backup codes, but they are also
"resolved by each website"
([https://security.stackexchange.com/questions/167563/where-
to...](https://security.stackexchange.com/questions/167563/where-to-find-
google-authenticator-backup-codes)), which often means no support at all. Not
to mention having to create a new backup after creating a new account. I still
use Google Authenticator myself, but I dread the day I lose my phone.

If the protocol doesn't handle recovery/authentication, the fallback is a
trusted third party (e.g. email) or legal identity (e.g. scanned passport).
Aside from being a huge hassle and creating a weak point, it weakens the
user's privacy.

~~~
jetrink
Every place that I use my key gives you a set of one-time-use recovery codes.
To log into your account, you can use either the key or a code. (You still
need your password.) Codes can be regenerated at any time. To revoke a key,
you simply remove it from your account.

~~~
noja
Can you give a list of all these places?

Gandi doesn't even have a non-human method of recovery.

~~~
pimlottc
Facebook, Google, Dropbox, and github, at least.

~~~
ilikepi
Fastmail also.

------
djrogers
More specifically, they're introducing passwordless login with FIDO2, as
Windows had had passwordless logins with certs and CAC cards for ages.

------
vzaliva
Correct me if I am wrong, but passwordless login is a single-factor
authentication and less secure than MFA. Depending on whenever hardware key is
more or less secure than the password, the mass adoption of this could make
things LESS secure.

~~~
Xylakant
I would expect things to be more secure in many cases. People are pretty good
at keeping physical items somewhat safe and notice when they’re gone. Yubikeys
cannot easily be cloned. The password cannot be attacked remotely. 2FA is
certainly safer, though.

~~~
closeparen
The standard in high-assurance applications is to present a PIN to the
hardware token before it can be used, ideally through an out-of-band keypad.

In this context, it would be reasonable to have the Yubikey require a PIN
entry from the computer. You could use the same PIN for all sites because it
stays local; the relying party never handles it, only the Yubikey.

~~~
emlun
That's exactly how FIDO2 PIN on the new YubiKeys works.

------
aepiepaey
It's too bad sshd never got support for U2F. Seems like the discussions just
petered out.

Maybe the introduction of FIDO2 will spark some interest in that again?
[https://bugzilla.mindrot.org/show_bug.cgi?id=2319](https://bugzilla.mindrot.org/show_bug.cgi?id=2319)

Yes, sure, you could use pam-u2f, but that will never be as seamless as having
it supported upstream in ssh.

Or you could use the OTP mode instead, but that has other disadvantages (you
have to depend on yubico's servers or run your own KSM+validation servers).

------
dogma1138
Would be interesting if this would become popular one downside I see to this
is that if law enforcement get their hands on your token they can unlock the
device. Also as the token can be regarded as a key rather than a password a
court would be able to legally compel you to surrender it without invoking
much debate regarding laws against self incrimination (e.g. the fifth).

~~~
krupan
Can't law enforcement now just ask Google or Facebook or whoever for the
information they need without needing your password (or future token)?

~~~
dogma1138
It's not that simple, firstly some Google and Facebook services are E2E
encrypted which means that they cannot comply.

This also goes well beyond just Facebook and Google and if you use it to lock
a physical device like a phone or a laptop that isn't something Google or
Facebook would be able to help law enforcement with.

Also while I don't want to make a statement or start a debate on the level of
compliance and attitude that Google and the rest have towards search warrants
(because it's not relevant and I don't have sufficient knowledge to actually
form an informed opinion on the matter). Google and Facebook's legal
departments have more funding than most state attorneys yet alone local DA's
if they want to fight on your behalf (or on the behalf of their business
model) in court they would be able to do so much more effectively than you
ever could.

Google and Facebook also require a full and lengthy process with FIDO tokens
they can do it on the spot, heck they are legally able to do so if you either
agree to a search or law enforcement has an alternative sufficient basis to
invoke a lawful warrantless search:

[https://en.wikipedia.org/wiki/Warrantless_searches_in_the_Un...](https://en.wikipedia.org/wiki/Warrantless_searches_in_the_United_States#Exceptions_to_the_search_warrant_requirement)

TLDR; Officer: May I search your vehicle You: Yes

At that point they are legally are allowed to take the FIDO token from your
keychain and unlock your laptop.

------
ocdtrekkie
So my biggest question here is: Is this Azure only? Each announcement about it
seems to indicate that I might _not_ be able to use this key with my local
account PC.

Specifically, I have one use case computer where I have no screen, and getting
through Windows login without it can be troublesome. I'd love to use this key
to unlock it instead, but it's an offline machine.

I had this plan with Yubikey for Windows Hello, which has been out a while,
and I bought a Yubikey, and discovered it could only unlock my Windows machine
if it was locked (not logged out), which defeated the purpose entirely.

~~~
fl0wenol
Unfortunately it only works with Azure (at the minimum AD federation with
Azure if you have some on-prem)

~~~
youdontknowtho
You can use other identity providers for Azure AD. Shibboleth is supported, F5
and Ping are certified, there are others. If you use a different LDAP system
than AD you can also sync your identities to Azure AD. OpenLDAP or one of the
commercial vendors. It might be a little more elbow grease, but it works.

------
BartBoch
Two things - is there really need for them to be this large? They also look
vulnerable? Maybe its just the look, but the blue one looks like it won't
survive proper stress test...

And second thing - is exposing connector safe against mechanical damage? Will
it withstand constantly being scratched by keys?

~~~
pg_bot
There is the "nano" version available which is a lot smaller than the one
advertised. The ones that I own have held up just fine for the past year on my
keychain.

[https://www.yubico.com/product/yubikey-4-series/#yubikey-4-n...](https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano)

~~~
BartBoch
This size is much better, but I assume it lacks the "touch" protection against
remote attacks, like the other ones?

I still wonder about the exposed connector - what its durability. After all, I
would like for such a tool to serve me for years fault-free.

~~~
lovelettr
I personally have the nano version.

> but I assume it lacks the "touch" protection against remote attacks

It has the touch protection. There is a small strip of metal that protrudes
beyond the USB port that you touch.

> what its durability

I've used it daily for about a year. Granted this is not "years" but so far it
still feels very solid.

~~~
BartBoch
Sounds good then. I am ready to test one of them. Thanks!

------
Tomte
Okay, so I have two Yubico U2F keys and two other U2F keys so far. I don't
think I'll buy a fifth and sixth anytime soon.

But hopefully U2F will actually work in non-Chrome browsers in the near
future.

~~~
Spone
It already works in Firefox (behind a flag), but sadly some websites
explicitly target Chrome...

~~~
guitarbill
FF traditionally required a plugin, I think native support is recent?

~~~
mcbain
It was added in Firefox 57.

Works fine for me.

------
grondilu
Can someone remind me why we don't use public key cryptography for
authentication on websites?

~~~
swebs
It looks like there's a W3C draft "in the works" but I'm concerned since
almost half the editors work for the two companies trying to pass this
proprietary Azure/AD vendor lock-in nonsense.

[https://www.w3.org/TR/2018/CR-
webauthn-20180320](https://www.w3.org/TR/2018/CR-webauthn-20180320)

~~~
ilikepi
You may be comforted by the fact that the top three people on the Github
contributor graph[1] are not from those two companies. I've skimmed some of
the published meeting minutes[2], and JCJ (Mozilla) and JeffH (Paypal) seem to
be highly involved.

[1]:
[https://github.com/w3c/webauthn/graphs/contributors](https://github.com/w3c/webauthn/graphs/contributors)

[2]: [https://www.w3.org/blog/webauthn/2018/01/11/meeting-
minutes-...](https://www.w3.org/blog/webauthn/2018/01/11/meeting-
minutes-2018/)

EDIT: add forgotten link

------
pg_bot
Glad to see greater adoption of Yubikeys, however there is still a long way to
go. Speaking from experience writing a u2f_auth client library, browser
support is still nascent and hacky. Edge, safari, and AWS would need to adopt
it before I would truly consider it mainstream.

If anyone is considering adopting Yubikeys in their organization using a
language that is not supported by one of their client libraries my email is in
my profile and I would glad to help out to the best of my ability.

------
blablabla123
I wonder if these Hardware key really make things better for the end-user.

When using it even for login, people connect it to their laptops - that's what
most people work with after all - and they must make sure they don't forget it
there. As well they need to worry nobody steals it, whether it's on your
laptop or you become a theft victim on the street. In the latter case the
thieves might know what a Yubikey is and ask you for the pin.

Not sure what problem this solves. But I have the impression we're converting
a virtual problem into a physical problem. To be honest I prefer to save keys
on laptop drives, that's more difficult to steal, especially when using an
encrypted disk.

------
nikolay
No USB-C version and no way to upgrade my other 4+ YubiKeys I've got for more
than $50 each! I think YubiKey has been abusing its monopoly recently! They've
been working on this for quite some time and clearly new they're not going to
make their old premium keys support it so that people can waste time and money
to upgrade! Is there an alternative more conscious company - I'd pay even $200
for the piece of mind that I won't have to change this key 1-2 times per year!

P.S. Obviously, no. Neither Nitrokey [0] supports it, nor it's a sturdy one!

[0]: [https://www.nitrokey.com/](https://www.nitrokey.com/)

~~~
pfg
YubiKeys are non-upgradable by design. This is occasionally annoying when new
standards come out and you need to go buy new keys (which is not something
that's gonna happen a lot), but it significantly reduces the attack surface of
these devices. They've been pretty good about giving out free replacement keys
whenever major flaws have been found, and webauthn is pretty good about
remaining backwards-compatible with U2F keys, so I don't think it's something
they handled particularly badly.

~~~
nikolay
I get that, but my point was that they just released expensive new products
knowing they'd be obsolete in just a couple of months and people will have to
throw old ones in the garbage and buy new even more expensive ones. I do not
doubt that a product with an immutable core and mutable interfaces is both
possible and even more secure as when flaws are discovered (like last year),
some may decide not to replace them - even with free replacement. I spent over
$100 just last year, and I think this is a bit too much. I give my old keys to
my kids, but, still, I'd appreciate some form of subscription service, which
both reduces my recurring cost and possibly improves Yubico's bottom line,
too, primarily by building loyalty instead of pissing customers off.

------
jimmcslim
Anyone think that Apple is likely to add support for FIDO anytime soon?

------
crankylinuxuser
My problem is that Microsoft doesn't allow swapping in and out of
authentication plugins like PAM.

I work primarily in a Windows shop, and I got the other co-workers in Linux
because PAM supports seamless multi-factor auth. I would have went Windows,
but its too obfuscated or hard to do that.

LinOTP works very well. And LinOTP works with a wide variety of tokens. Don't
be locked to a single vendor.

~~~
ShroudedNight
> Microsoft doesn't allow swapping in and out of authentication plugins like
> PAM.

FWIW, that's not strictly true. See: [https://msdn.microsoft.com/en-
us/library/windows/desktop/mt1...](https://msdn.microsoft.com/en-
us/library/windows/desktop/mt158211\(v=vs.85\).aspx)

I don't have enough experience to comment one way or the other about its
difficulty.

~~~
crankylinuxuser
Well, this certainly surprises me. I know last I looked, there was some
discussion about MFA and requiring Azure.

In the environment I work in, I'm not able to use services outside a very
limited list, or I have to roll my own using established technologies
(FedRAMP). So Azure is right out. So was using Amazon Directory Services.

I know my colleagues are much more familiar with Windows, whereas I.. (look at
username, relevant!). My solution, after assessing that Windows couldn't do 2
(or 3) factor, and it was stuck at login/password and some firewall blocking
IP's, I knew what I had to do. And that meant Linux for the bastions, and
LinOTP and appropriate config options to make it work.

I was kind, and didn't inflict a AAA stack of "kerb, ldap, radius, and shib"
on the Windows admins :) Well, that and I didn't want to be the sole
maintainer of that system.

~~~
ShroudedNight
To be fair, the only reason I knew of this at all is because of a brief
patronage of a library in Belgium during a trip I took in the summer of '99\.
The computer systems of said library used a bizarre system of time-limited
authentication tokens stored on floppy disks that were used during the Windows
log-on process. I was curious how it might have worked.

------
fabian2k
What I'd find interesting is using U2F (or FIDO2, which seems to be an
evolution of this) as a second factor for SSH logins. But that doesn't seem
possible without changes to SSH itself.

And I hope that this might trigger more widespread support for U2F and similar
mechanisms in browsers and websites.

~~~
floatboth
No need to touch SSH itself, PAM is a thing (unless you're on OpenBSD). Here's
an example of pam-u2f with OpenSSH:

[https://aprilmacdonald.com/two-factor-ssh-authentication-
wit...](https://aprilmacdonald.com/two-factor-ssh-authentication-
with-u2f-hardware-security-key/)

I actually use a Yubikey for SSH in a different way: with gpg-agent. E.g.
[https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-
NEO....](https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO.html)

~~~
jlgaddis
> _PAM is a thing (unless you 're on OpenBSD)_

And if you are on OpenBSD, there's login_yubikey [0] (although it uses OTP
instead of U2F).

[0]:
[https://man.openbsd.org/login_yubikey.8](https://man.openbsd.org/login_yubikey.8)

------
pishpash
Good. After all the roundabout bullshit of "factors" ("2FA") and password
managers, people have finally come to their senses that physical tokens are a
very natural evolution of analog keys and the only real security, and should
have been used from the get-go.

~~~
tracker1
Keys are not the only real security... real security includes something you
are, something you have, and something you know.

Having something like this combined with the something you know (passphrase)
would be real closer security. Now anyone with your token can access
everything that key gets access to, without you needing to be there, or
sharing a passphrase. That's less secure imho.

~~~
xur17
A lot of these devices allow you to configure a pin code that is required to
unlock the device before use, which effectively provides a second factor.
Also, stealing a fido device requires physical theft and can't be duplicated,
so the owner would likely know if it was stolen.

------
belst
So this needs a new yubikey? I can have passwordless login on linux right now
with my old yubikey.

~~~
emlun
Depends on what features you want. The old U2F YubiKeys are compatible as 2nd
factor keys, but they don't support the passwordless (PIN) or username-less
(user ID stored on device) use cases.

------
joering2
Why can't I secure login with a fingerprint?

Microsoft could have team up with Logitech like Sony with Erricson, and come
up with a standard and put (mildly cheap) finger print reader on each sold
keyboard and popularize open source standard for software implementation.

~~~
tialaramex
Your fingerprint is not a key, it's an identity. So your design tells every
place you sign in this way "I'm joering2". And if course if any of them want
to log in somewhere else, they now know to say the same thing, "I'm joering2".

I guess this is slightly easier than typing your email address? But it's not a
security feature.

The FIDO/U2F design is a cryptographic key enshrined as a physical key, so
rather than "I'm joering2" it says: "I can prove I'm this particular key
talking to your site again using mathematics".

Which key? No way to know, but it's the same one as before. Google can't use
the credentials it presents to them to get into Facebook and vice versa, the
proof from yesterday is worthless today and so on.

~~~
emlun
This.

Though I'd like to add that FIDO2 does support fingerprints and other
biometrics as an additional authentication factor - it all goes under the same
abstract "user verification" umbrella as PIN does. The important distinction
is that the PIN or fingerprint is never shared with the server - it's only
used to unlock the private key - so it's much more difficult to steal.

------
LammyL
I wonder if we’ll get to the point of having two-factor passwordless
authentication. Like you need two of the following methods to access a website
(u2f/fido2, TOTP, SMS, Recovery codes, tls client certificate, etc.) and
forego passwords altogether.

------
lisper
Here is a completely standalone (no server required) and self-contained (no
dependencies) FIDO U2F test:

[https://github.com/rongarret/u2f-test](https://github.com/rongarret/u2f-test)

------
floatboth
Can someone explain why CTAP was created? What exactly was wrong / not enough
about the original U2F protocol?

~~~
emlun
Some differences:

\- CTAP2 supports "user verification", such as PIN or biometric authentication
locally on the hardware key. This enables using the key as both 1st and 2nd
factor without need for a server-side password.

\- CTAP2 supports storing the private key along with some metadata on the
device, whereas U2F instead encrypts the private key and stores the ciphertext
on the server. While the encryption approach allows for simpler hardware and
an unlimited number of registrations, the local storage approach allows login
without even having to type (or even have) a username. CTAP2 supports both.

\- CTAP2 has an extensions framework in which an authentication vendor and
server can cooperate to implement custom features without the browser having
to understand them.

\- CTAP2 - or at least the companion web API, Web Authentication - is
compatible with more existing TPMs and such hardware. For example, it's
theoretically possible that some Android phones could receive software
upgrades that turn their fingerprint sensors into WebAuthn authenticators.

------
IOT_Apprentice
why isn't a phone with a secure enclave (or similar) the focus, instead of
something that doesn't work on mobile?

------
tahw
Ad companies that specialize in re-targeting are going to have an absolute
blast with this!

~~~
Xylakant
How? Login is not automatic, you need to tap the key. So unless you tap the
key each time you view an ad, the ad company gets nothing.

