
Stepping towards a password-free world - rauhl
https://www.ebayinc.com/stories/blogs/tech/stepping-towards-a-password-less-world/
======
qwopQwopQwop
This new methodology is generally a pretty terrible way of dealing with user
authentication.

> Device Profiling
> Facial Recognition
> Voice Audio Recognition

I mean, christ, eBay has some niche concerns with fraud, but this really has
no place across most of the internet, whether it’s “already happening” or not.

Google already tries to profile my device and fails miserably at doing so,
frequently locking me out, because Google thinks it knows how many laptops I
own and have access to.

Authentic audio is a laughable idea. A: Just look at transcription, B: Replay
attacks will probably be trivial, C: Vocal doppelgangers and electronic
modulation are kind of easy to utilize and forge authenticity with; imitation
is harder to notice than achieve.

Face authentication is not only hackable, it’s intrusive, in that I don’t want
systems taking pictures of my face. Foibles aside, machines will probably miss
uncanny valley deception (static sculptures, photos, video, puppets), never
mind algorithmic hacks that poke holes in training data learning gaps.

Ebay probably needs to guard against fraud, but not with some of the laziest
machine-learning hacks currently available. Using sly hacks to strengthen
bold/cute assumptions doesn’t make anything more secure. These are hacks of
convenience, not security.

Passwords work, and dumb users and determined adversaries will always be a
plentiful problem. Can we just admit that a lot of what happens on the
internet simply isn’t important, and doesn’t demand high security, and then
stop treating it like the blood of one’s first-born is needed to create an
account or use it?

------
woliveirajr
> Social sign up focuses on delegating authentication to social websites

So, don't ask for passwords, ask for another site so that it asks the user for
the password.

~~~
scrollaway
What's the problem with that though? Delegating authentication feels like such
an obvious thing: You allow a certain party to manage your identity, and trust
_them_ with it. You _don't_ want to trust every random website to implement
proper password storage, add 2fa support, yubikey, security notifications, etc
etc.

I have a problem with how OAuth2, when used for authentication, locks users
into a certain provider. Wish there was a solution to that. But delegating
authentication really should be taken more seriously.

(A good example actually is... ebay, the very author of this article, that
despite managing entire businesses and moving tons of money around, doesn't
have proper MFA, has really dumb password limitations, etc. I certainly wish
ebay would let me log in with Google...)

~~~
JumpCrisscross
> _What's the problem with that though?_

You don’t just delegate authentication. I trust Facebook to authenticate me.
That doesn’t mean I trust them with my entire web presence. Delegating
authentication promotes centralisation, which is presently a greater systemic
risk to the Internet than some kitty picture site getting hacked.

~~~
scrollaway
Which is why it's important to have alternatives, yes. You don't want to have
to _only_ trust Facebook, you want to have it as a choice. The OpenID "dream":
Users choose between different authentication services based on their needs.

I like Google auth because I pay for Google. I trust them because they're a
lot better at security than statistically almost every other service on the
web. I would trust Facebook, but I don't want them to know about my web
presence as you pointed out. And to keep those services in check, you have to
have alternatives.

The Payment request API is a good example of what we should be seeing for
authentication. Secure delegation without lockin.

~~~
JumpCrisscross
> _Users choose between different authentication services based on their
> needs_

Network effects inherently promote centralization. Third-party authentication
exhibits network effects. Furthermore, given nobody pays for this service, we
not only have a bias towards centralization but also incumbency.

Individually weak but diversified is a more robust model than strong but
centralized. That was the fundamental insight of capitalism and of the
Internet. Third party authentication promotes the latter.

------
zaroth
I see nothing in the article other than the byline that says anything about
going “password-free”.

TFA: Password-free is the future... here’s how we re-wrote our signup and
authentication framework to do that same thing we’ve always done but be more
buzzword compliant and also defend against bot signups with step-up captcha.

Oh yeah, and we keep long term session tokens if you install the app which you
can unlock with Touch/FaceID... after you login with your _password_ the first
time.

------
whyagaindavid
If anyone from eBay is reading: why do you disable pasting passwords from a
password manager? This has made me have a small password. Please..

~~~
Pimpus
Regarding pasting passwords, that reminds me: I signed up for one site, I
think it was Paypal, which had a password limit of 20 characters. Okay, that's
already pretty bad -- it's an arbitrary limit and not as secure as I'd like
for a site that has access to my credit cards and bank info.

Anyway, I generated a password using KeePass with I think 60 characters and
pasted them in without error or warning. Turned out that only the first 20
characters got pasted in and the rest were silently rejected.

When I tried to log in I kept getting an invalid password error. No indication
that the password I was trying to use was too long.

Only when I tried to change my password and type one in manually did I notice
that nothing was getting entered after the 20th character.

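The failure mode in the comment above (a length cap applied silently on the signup form but not at login, so the stored credential is a prefix the user never sees) is easy to model. The following is an added example, not code from the thread or from PayPal or eBay: the 20-character cap is taken from the comment, the store classes and `reproduce_silent_truncation` are hypothetical names, and PBKDF2 stands in for whatever password hash a real site uses.

```python
import hashlib
import hmac
import os

# Constructed value: the 20-character cap the comment describes. The number is not the
# lesson; NIST SP 800-63B asks verifiers to accept at least 64 characters. The lesson is
# that any cap must be enforced the same way on every path and reported to the user.
MAX_PASSWORD_LEN = 20


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 for the demo; any slow password hash would serve the same role."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class BrokenAccountStore:
    """Signup silently truncates (as an HTML maxlength on the form would); login does not.

    The stored credential is the 20-character prefix, but the user believes the full
    generated string is the password, so every later login fails with no explanation.
    """

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, digest)

    def signup(self, user: str, password: str) -> None:
        truncated = password[:MAX_PASSWORD_LEN]  # the silent cut
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(truncated, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        return hmac.compare_digest(_derive(password, salt), digest)


class HardenedAccountStore:
    """Same cap, but enforced identically on every path and reported to the caller."""

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, digest)

    @staticmethod
    def _validate(password: str) -> None:
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError(
                f"password is {len(password)} characters; the limit is {MAX_PASSWORD_LEN}"
            )

    def signup(self, user: str, password: str) -> None:
        self._validate(password)
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        self._validate(password)
        salt, digest = self._users[user]
        return hmac.compare_digest(_derive(password, salt), digest)


def reproduce_silent_truncation(password: str) -> dict:
    """Replay the comment's scenario against both stores and report what each path does."""
    broken = BrokenAccountStore()
    broken.signup("alice", password)
    result = {
        # The full password the user pasted no longer works...
        "broken_full_password_logs_in": broken.login("alice", password),
        # ...because the effective secret is only the prefix the form kept.
        "broken_prefix_logs_in": broken.login("alice", password[:MAX_PASSWORD_LEN]),
    }
    hardened = HardenedAccountStore()
    try:
        hardened.signup("alice", password)
        result["hardened_signup_error"] = None
    except ValueError as exc:
        result["hardened_signup_error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed 60-character generated password, standing in for the KeePass one.
    demo = "".join(chr(ord("a") + i % 26) for i in range(60))
    for key, value in reproduce_silent_truncation(demo).items():
        print(f"{key}: {value}")
```

The broken store shows why the "confirm password" workaround in the later reply helps: the confirm field is compared before truncation, so retyping the tail exposes the cut. The hardened store makes the workaround unnecessary by rejecting over-long input on signup, login and change-password alike, with a message that says what the limit is.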
~~~
artmageddon
I ran into a similar issue myself. Why would PayPal, of all companies, have a
problem with this?

~~~
Pimpus
Glad I'm not the only one. Now, in the "confirm password" field, I always
backspace the last couple of characters and type them in manually, to make
sure they match with what was pasted.

------
dalbin
@

------
kevin_thibedeau
The day eBay kills its passwords is the day I leave eBay and never come back.
Is it really that hard to run a website that already has the established
infrastructure to maintain user credentials? This is just colossal laziness
from their devs trying to outsource basic business responsibilities.

