
Acceptance of FIDO 2.0 accelerates the movement to end passwords - _jomo
https://www.paypal-engineering.com/2016/02/17/acceptance-of-fido-2-0-specifications-by-the-w3c-accelerates-the-movement-to-end-passwords/
======
mangeletti
Every time I read about this stuff, it makes my belly churn when the answers
to questions like " _how do you recover your account, if you lose your
device?_ " are things like " _they can have an extra secure password for
recovery_ " or " _they can call and provide their <insert something vulnerable
to social engineering or government interference, like a 'PostIdent' \- which
the government actually controls>_" or " _bio-metric_ ", so, basically this
new standard doesn't solve any security problem whatsoever; it just makes
logging in easier and account recovery more confusing.

Why not instead work on a standard that enforces password strength beyond what
is economically viable for brute forcing (which is something like 6-8 chars...
not exactly a tough one)? I mean, the standard could literally just be this:

    
    
        A password MUST be 8+ characters in length.
    

Security problem solved.

Here's a comprehensive Python library for my new standard:

    
    
        def mangeletti_safe(raw_password):
            return len(raw_password) >= 8
    

In all seriousness, we will need to, at some point, come to the realization
that the key to authentication has always been and will always be based on a
secret that only you know, whether that secret is your resting pulse combined
with the color of the rabbit's foot in your left pocket, or your fingerprint,
or a password, or a private key (which IS A PASSWORD).

~~~
StavrosK
Because your proposal is defeated by a simple keylogger, or a phishing site,
or with password reuse with a compromised site, or a myriad other ways that a
U2F token won't.

The answer to your original question is the same as the answer to "How do you
recover your account if you lose your password?". Usually, email password
resets.

~~~
mangeletti
Which brings you to your email account, which if protected by U2F also, means
you're doubly locked out, unless you've left a backdoor to your email account,
which will be vulnerable to intrusion (as well as the keylogger / phishing
attacks).

Not to mention, what about the challenge step? If somebody has a keystroke
logger installed, that means they have control of at least part of your
machine. They can probably read the bytes of your private key and then listen
for your key's password to be entered.

The solution is longer passwords and expensive hashing algorithms that render
brute force attacks not economically viable. The other problems (keyloggers
(read: malware) and phishing are orthogonal and need to be solved otherwise,
rather than us putting bandages on the security issues caused thereby.

~~~
StavrosK
> means you're doubly locked out

Same if you lose your password.

> The solution is longer passwords and expensive hashing algorithms that
> render brute force attacks not economically viable.

No it isn't, longer passwords do nothing for keyloggers.

> The other problems (keyloggers (read: malware) and phishing are orthogonal
> and need to be solved otherwise

They _are_ solved otherwise. By U2F. You're saying "this solution to
keyloggers is a bad solution to weak passwords, strong passwords are a better
solution", but we aren't talking about strong vs weak passwords. Nobody here
is talking about password brute-forcing. By all means, use stronger passwords,
but they don't help with the attacks U2F helps with.

~~~
mangeletti
> Nobody here is talking about password brute-forcing.

Exactly. The problems being "solved" are orthogonal to password security. They
are phishing and keylogger problems. Attempting (but failing) to put a bandage
on one of the symptoms of these problems (stolen passwords) is not the
solution.

Since you ignored the point in my last comment, I'll reiterate: U2F's supposed
value pertaining keyloggers is dubious at best, because if a machine has a
keylogger, then it by definition[1] has malware on it, which A) could gain
access to your private key's encrypted bytes, B) listen for your "challenge"
password when you enter it, and/or C) listen for all of your other private
data anyway, rendering the password bits a lot less important.

Pertaining phishing, and I'm shooting from the hip here because I haven't read
the whole spec, but the protection might be dubious or worse there as well.
Here's why: Considering that a public key is, at best, by definition, not
protected, an attacker could gain access to your public key, then ask you to
connect to them, send you a verification message for you to unencrypt to
verify it's really them (I assume this is how it works, unless the spec
proposes a new kind of certificate authority... another problem to deal with).
Assuming that's the case, then guess where we are; back at the start, since
now we've got to find a way to ensure we can trust the original interaction,
which leads us to an education issue (e.g., "always ensure you're connected to
the correct site by checking the URL... never click from an email a link when
you're first signing up using U2F... make sure you're using HTTPS").

~~~
nindalf
> I'm shooting from the hip here because I haven't read the whole spec

I think it would be good if you did. An attacker can send a challenge to the
user, and even get it back after signing, but it would be useless simply
because each login would have a different challenge. A Man-in-the-Middle
attack is possible, however.

I think malware will have a tough time getting a private key out of what is a
device that is entirely separate from your computer, is a hardware security
module and therefore has no writable memory. It is not possible to steal the
private key, barring some catastrophic failures.

I don't think you understand what a challenge even is, if you think
"listening" to it helps at all.

~~~
mangeletti
> A Man-in-the-Middle attack is possible, however.

Which is exactly what I'm talking about.

> a device that is entirely separate from your computer

I'm speaking about the first authenticator type in the spec, which are
embedded authenticators. As we've been talking, I didn't realize (until now)
that the U2F you were talking about was a physical device (rather than just a
standard). The kind of computer lay people we're trying to protect won't
actually carry these things around (think back to RSA - most of my programmer
peers were reluctant o deal with one of these things). My understanding is
that this will be primarily used as an embedded service.

> I don't think you understand what a challenge even is, if you think
> "listening" to it helps at all.

My mistake. I assumed this was similar to the password protecting my private
key. If private keys (in the embedded authenticator) are not password
protected, then we've just introduce yet another security flaw.

------
Freak_NL
I really like the Fido U2F concept, because it ticks all the right boxes;
simple to use, reusable for multiple services without being traceable,
multiple hardware vendors, open standard, soon implement in Chrome, Firefox,
and Edge (although I am not sure about the status in Edge right now), and
cheap.

But this solves logging in with a _browser_. I have been wondering about
things like IMAP for e-mail access. To secure my mail a second factor sounds
great, but right now all solutions mean I get 2FA when I log in with a
browser, but as soon as I use an e-mail client I am back to username and
password (application-specific or otherwise).

Ideally, Fido U2F would be an option to use with IMAP and SMTP as well, so
that Thunderbird, Outlook, or Apple Mail can prompt me to touch the U2F key
when I get my mail. I have not been able to find much information on this
approach yet though. Is it possible? Desirable?

Any insights?

~~~
nickik
Nothing probits using UAF/U2F for other stuff outside web browsers. The
problem is that the concept of "AppId" is not clearly defined in non Web
Application but that should not stop people form doing it. Yubico has Open
Source code that makes it relativly easy.

~~~
aeroevan
Yubico's pam_u2f allows u2f to be used for anything pam authenticates, which
is nice for a Linux system.

~~~
nickik
Its a very cool feature, I agree, sadly making pam_u2f work for SSH is quite a
hack. Their is a patch for OpenSSH but it never went upstream. I really hope
this will be work soon.

------
AdmiralAsshat
I've been considering getting a Yubico for awhile now, but my concern is that
it seems like every few months some new model comes out that supports new XYZ
Standard. I'd really want the following before I bite:

1) The security community on the whole needs to come to a consensus on what is
going to be used. If FIDO 2.0 is it, cool, but I'd like to be sure that they
won't say "FIDO 2.0 in 2016, now and forever." then come back in 2017 and say
"Actually FIDO sucks, we're all switching to ARGUS now."

2) The device should be future-proof, insofar as it would be able to support
the agreed upon standard in Step 1 and/or any minor changes that might come
along the way without having to dump the device. IF the device must be swapped
for a newer version, there should be some way to migrate.

3) Compatibility with all of my devices--major browsers, major OS's,
smartphone, etc.

Might be a tall order, but until it can be filled, LastPass + 2FA on my
Android phone is good enough for me.

------
lhaussknecht
I was suprised that when signing in to my Goole account on my Android device
with Chrome Beta, the Google Authenticator App pops up to do U2F with my
YubiKey NEO via NFC. That was really seamless!

Does anybody know, if it would be possible to use this within a WebView in a
native app?

~~~
nickik
I don't get it. The Google Authenticator pops up and you do U2F with that?
Google Authenticator is a app for TOTP. What am I not understanding?

~~~
deckar01
Apparently Google Authenticator supports OATH-TOTP which allows the yubikey to
respond to challenges [0].

The yubikey page is light on details, but confirms that you can use a yubikey
with Google Authenticator for U2F [1].

[0] [http://binaryelysium.com/blog/2011/12/13/a-reluctant-
relatio...](http://binaryelysium.com/blog/2011/12/13/a-reluctant-relationship-
yubikey-google-authentication.html)

[1]
[https://www.yubico.com/applications/fido/](https://www.yubico.com/applications/fido/)

~~~
nickik
That is strange.

I use the 'Yubico Authenticator' (like Google Authenticator but you have to
connect to the Yubikey via NFC for it to reveal your login codes) if I need
OATH-TOTP, this has nothing to do with U2F.

However the docs in your second link does indicate that their is some new
interoperation between Google Authenticator and U2F. It seams that they use
Google Authenticator as a stopgap until browser support the system directly.
Pretty strange. This in turn has nothing to do with U2F.

I can not test this stuff very well because I use a Yubikey NEO that is to old
for the U2F NFC and a Yubikey 4 that has no NFC. I really hope release a
Yubikey 4 with NFC soon.

------
edoloughlin
What happens to the x% of users who lose/break/eat the device containing their
private keys? How do they recover their accounts?

~~~
johnm1019
In Germany every service that you can sign up for online but requires proof of
who you are uses something called "PostIdent" \-- and its a service offered by
the post office where you take the form in with your passport (or ID card) and
they punch all the details in the computer and 'verify' it's you. In a (more)
secure future, I see this being the real password recovery mechanism. The
other technique used by online banks etc... is to send your password reset to
you by mail. This assumes that physical mail to your registered address is
more secure than online quizzes.

I think both of these options will become the standard for anything where
security matters.

~~~
kogepathic
This is a good idea,and I too can see it happening in the future.

A few problems though: 1) PostIdent isn't free. You might not be paying for
it, but someone is. Also that random forum you signed up for in Singapore?
Doubt they're going to support password recovery via PostIdent.

2) What happens if you need to reset your login while you're travelling. I
have had it happen before that a password is forgotten or not available and I
really need to login (e.g. to retrieve the ticket) and a password reset to my
email address is the most expedient method.

~~~
Eridrus
Using U2F doesn't mean you can't have a fallback to email.

There will likely be a "I lost me U2F token" reset on websites which allow you
to register a new U2F token/password.

Personally I'm not holding my breath though, people hate extra steps and don't
even use password managers when companies pay for them.

In the corporate space I feel like they compete with 2FA and it's not obvious
this will come out on top in most environments.

------
hermanradtke
Now if we can only get Firefox to support it:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)

~~~
kevingadd
The real problem isn't even Firefox's lack of support. There's an addon you
can install that implements it but literally every website seems to do a
useragent check, so it doesn't work anyway :-(

~~~
nickik
Ah, thats why that damned thing wont work! Thanks.

------
technojunkie
FIDO will soon have competition in the form of SQRL which is an interesting
concept.

[http://sqrl.pl/](http://sqrl.pl/)

~~~
danieldk
SQRL is vulnerable to phishing attacks:

[https://www.cl.cam.ac.uk/~fms27/papers/2014-JenkinsonSpeWarE...](https://www.cl.cam.ac.uk/~fms27/papers/2014-JenkinsonSpeWarETAL-
phish.pdf)

~~~
technojunkie
This paper is nearly 2 years old from 2014. One can probably assume this has
been addressed and fixed by now, although I have on proof of that.

------
_Codemonkeyism
(I have no clue)

What is the difference between the $5 key from Yubico to their $50 key?

If I secure GMail, how does GMail on my tablet/phone work?

Are there other keys than from Yubico recommended?

~~~
nickik
The cheap keys support way less features. The are simple U2F tokens and cant
do anything else.

The others support tons of other features. You can use them for classic 2FA
with OTP (TOPT/HOTP/YubiCloud OTP). They support using your Yubikey as a
Smartcard, you can put your 4k GPG key setup into your Yubikey. They also
support the PIV interface and you can use it for lots of different operations,
like code signing, certificate authority, windows authentication and more.

Some of the sticks support NFC. This means you can use Smartcard, PIV and U2F
over NFC.

Sadly at the moment they have no key that supports 4k GPG Keys AND NFC.
However they will update this soonish.

See: [https://www.yubico.com/products/yubikey-
hardware/](https://www.yubico.com/products/yubikey-hardware/)

There are also older models that you can still buy that don't support U2F at
all.

> Are there other keys than from Yubico recommended?

Their are others, just search for U2F on amazon, seems their are at least 4
companies implementing them. Nitrokey is a pretty cool company with a
interesting option that are somewhat different from Yubikey.

~~~
StavrosK
What's a 4K GPG key? I just bought a Neo specifically to store my GPG keys, is
there a problem with it?

~~~
aeroevan
The yubikey neo (which is what I also have) only supports 2048 bit GPG keys.
The yubikey 4 supports 4096 bit keys but doesn't support NFC.

~~~
nickik
Yes. I am waiting for the a Yubikey with 4096 bit keys and NFC. They should
release one in 2016.

------
FooBarWidget
I support the movement to end passwords. For the average user, passwords are
as insecure as they can get.

My (non-technical) family members keep using their birth dates, phone numbers
etc as their passwords. I told them this is insecure, that they should use
long random passwords, but their response is "I can't remember that". So I
suggested writing it down, but they find that too much hassle. I managed to
convince them to do it for some passwords, but they keep losing the paper
(they just tuck away the paper somewhere and then forget where it is).
Furthermore, they don't have computers, they ONLY use mobile devices, on which
long passwords are awkward to type. So they revert to using phone numbers and
passwords, with the attitude of "I'm not an important enough target, and if a
hacker really targets me I am screwed anyway".

Some of them have difficulty grasping the concept of multiple passwords. To
them, it's just "the Internet needs a password". If I explain to them that
each website is a different vendor, they get confused. Just remembering which
login username to use for a specific website (or whether it is a username or
an emailaddress-as-a-username) is already difficult enough for them.

Mind you, we are talking about people older than 45. They have trouble using
computers (even phones!) as-is, even before we get to the security part.

I ended up becoming their password store for their most important accounts. I
setup random passwords for them, then when they need to do something (a few
times per year) they have me login and do it for them.

The average user doesn't care enough about online security to really do
something about it. They don't understand, or acknowledge, the risks. So we
need to do everything we can to make security convenient.

~~~
m0nty
> Mind you, we are talking about people older than 45.

I wish we could drop the casual ageism, age has nothing to do with it. You
might as well tell me they're left-handed and that's why they can't "do"
passwords. Difficult enough already (in social terms) without the blanket
presumption we're all _non-compos mentis_ as well.

~~~
FooBarWidget
And I wish that we could stop focussing on the ageism, as if that's the most
important point or whether it's even a negative point. I used ageism to
reinforce the notion that we should try harder to push for convenient
security. It wasn't meant in a pejorative way.

Maybe your point was that ageism isn't acceptable in any form. We'll have to
disagree there. I agree that _pejorative_ ageism isn't acceptable, but doing
away with ageism entirely is pretending that something real doesn't exist.
Sure, not all young people are computer geniuses, and not all old people are
computer illiterate -- I never said that, but that doesn't matter because
focusing on that just detracts from the core point I was trying to make.

------
ascorbic
Does this mean PayPal will support U2F? Right now they don't even support
TOTP, just SMS or the proprietary Verisign keys.

~~~
nickik
No, I dont think so. PayPal is mostly interested in FIDO because of UAF. The
have publicly stated that they would not move to U2F.

This was a while ago and I dont have a source. The plans could have changed.

------
AndyMcConachie
Is there anyone here who is familiar with HOBA(RFC 7486) and FIDO that can
comment on their differences and similarities?

------
warcode
So instead of a KeePass with a long random password for each site, I'll have a
KeePass with key pairs for each site.

The added security being that if the site gets compromised, they can't log
into the site using my account. But then again the site is already compromised
at that point.

~~~
nickik
If you already use random passwords you get less security benefits, but you
still get a lot of them.

The additional security happens if you consider MITM attacks. Assume that you
want to login to [https://mybank.com](https://mybank.com) but somebody links
you to [http://mybank.com](http://mybank.com) (bad dns) or
[https://mybank.co](https://mybank.co). With UAF or U2F the local
authenticator will not sign anything (and thus the attacker can not login to
your actual bank).

Now admittedly you browser plugin might warn you in some cases. However you
might copy in the password by hand because you think its some kind of problem
with the plug in.

The usability is of course improved as well. Their should be no need for a
password manager at all. Go to the website, put your finger on the sensor and
your done (or whatever other local authenticator you use).

------
newman314
Will this be backward compatible with the existing FIDO Yubikeys?

~~~
lhaussknecht
AFAIK yes. The spec defines the high-level API you use withing the browser.

------
mchahn
I started using algorithmic passwords a year or two ago and it has been great.
I have a different password for every domain, there is nothing to remember,
and it is hard to crack. I just tested my password on this demo and got a four
out of four score. I know others have done this but I don't know why it isn't
discussed, or better yet, recommended more.

------
monk_e_boy
When they mention device - do the mean phone? Will there be other devices that
aren't so expensive?

~~~
nickik
Well the idea is that you use the fingerprint sensor on your phone to login
while browsing with your phone. You can have a fingerprint sensor on your
laptop. Alternativly these could also be cheap external devices that you
connect over USB, NFC or Bluetooth LE (their are already standards for this).

They would really like if all devices had some kind of UAF sensor built in.

You can get U2F devices for about 15$.

~~~
monk_e_boy
Cool, bit of googling and found 'FIDO U2F Security Key' (USB) for £5 I expect
those will turn up in our local supermarkets pretty soon.

Someone should give these hardware keys a better name. E.g. your "Privacy
Lock" or something similar. Much easier to explain than a "FIDO U2F" ...
whatever those letters all jumbled together mean.

~~~
nickik
Well I use the Yubikey, thats a fun name, but not descriptive. Basic U2F
sticks will probably be between 7$ and 50$ depending on feature set.

------
davb
Could someone explain how FIDO 2.0 fits in with U2F and UAF? I'm having a bit
of trouble understanding how the pieces go together. Does FIDO 2.0 make the
existing U2F and UAF specs obsolete? Is there any documentation explaining
this (maybe I've missed it?). Thanks.

~~~
nickik
I have been following this for a while and I don't get it completly.

UAF/U2F are FIDO1.0 standards. As I understand the idea is that FIDO2.0
standards build on these basic blocks and add additional features. I think the
problem of revoking a device accross all services is something they want to
work on in 2.0.

Im also confused, but I think the UAF/U2F standards should not get depreciated
with FIDO2.0.

If somebody knows more, Im all ears.

------
SimeVidas
So I bought one of those FIDO USB sticks, but when I tested it on GitHub or
Google, I still had to enter my account password. So, how is this better than
2FA via smartphone SMS?

Is the plan to integrate a fingerprint sensor into the FIDO stick so it can
become sufficient without passwords?

------
smallduck
And PayPal wants to be in the middle every time you do a FIDO login. No
thanks. #sqrl

~~~
lhaussknecht
Why do you think PayPal is involved when you do a U2F login?

