Two-factor security is a basic requirement these days if you want to take your digital responsibilities seriously, but some hardware lacks the sort of public documentation that some privacy advocates feel is truly necessary to provide ideal security. Open source enthusiasts will be glad to hear that Google has just announced the release of OpenSK, an open-source implementation for security keys, supporting both FIDO U2F and FIDO2.
I’ve always loved the idea of carrying a small piece of hardware to serve as an authentication device, but I’ve never done any serious research into the concept. Of course, any such system would need to be 100% open source, so maybe OpenSK is a contender.
FIDO2 / WebAuthn are the real deal as far as I can see.
This is something some were trying to do with USB sticks and ActiveX in IE some 20 years ago; after 20 years we finally have a proper standard for hardware and software and can work on maybe banning crappy passwords long term. FIDO 1 wasn’t the real deal yet, still missing some pieces, but the new standard seems to have solved the issues that were learned.
FIDO2 / WebAuthn work with USB-sticks, Linux, Windows Hello, Apple Face ID, Android thumbprint, etc.
Widespread browser support (some Android browsers are lacking support it seems): https://caniuse.com/#feat=webauthn
Which means if you have a website or any other non-web app which needs authentication, use the standards/APIs/frameworks that exist and it will work on all these platforms.
The USB example is easiest to explain first: when your account is created you register the USB key with the website. The USB key generates a new keypair for this. A keypair is similar to a website’s private key and public key. The USB key has been designed to never expose this private key, and the public key is sent to the website. The website stores the public key in its database with your username. So when you want to authenticate, the USB key receives the name of the site and it signs some data with the private key associated with the site.
Another way is for your phone or laptop/computer to have such secure key storage and do the same thing, and you only get access to it when you have the correct fingerprint, etc. and have unlocked/logged into your device (only one password to remember, which could be a good or bad thing).
This means a couple of things:
– phishing attacks don’t work, because if you try to log into another site by accident it won’t work; there is no key on the USB key associated with that site.
– the site has a public key but when the database is leaked the public key does not match with any other site (so you have privacy. Not the same key for a webshop and a porn website).
– you don’t have to remember a password (or the USB-key can be used as a second factor)
– you can associate multiple of these devices with a site (for example phone and laptop, so when one breaks you can use another). Another fallback many sites have is “recovery keys” you can store offline.
– the USB keys are not that expensive, and a bunch of devices now come with these built in at no extra cost.
If it all pans out things will have greatly improved in a couple of years on this front.
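The registration and login flow described in the comment above, as an added Go example that is not from the post or from OpenSK. It uses the standard library’s ECDSA P-256 (the ES256 algorithm FIDO2 keys commonly use) and a simplified signed message in place of WebAuthn’s authenticatorData/clientDataJSON; the site names, the username and the Login helper are constructed for the demo. It shows a genuine login succeeding, a look-alike domain finding no credential on the key, and a signature made for one site failing to verify at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the USB key: one ECDSA P-256 key pair per relying party
// (site), indexed by the RP ID the browser passes in. Private keys never leave it.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID. A site the key was never registered with
// (a look-alike domain, for instance) has no credential here, so the ceremony
// fails before anything is signed.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// signedMessage binds the RP ID into what gets signed. Real WebAuthn signs
// authenticatorData (which begins with SHA-256(rpID)) followed by
// SHA-256(clientDataJSON); this is a simplified stand-in of the same shape.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the website: it stores public keys against usernames.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) AddUser(name string, pub *ecdsa.PublicKey) {
	rp.users[name] = pub
}

// NewChallenge returns 32 random bytes; each login gets a fresh one so a
// captured signature cannot be replayed later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key using rp.ID, so a
// signature produced under a different RP ID does not verify here.
func (rp *RelyingParty) Verify(name string, challenge, sig []byte) bool {
	pub, ok := rp.users[name]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// Login runs one ceremony. originRPID is what the browser derives from the page
// origin: for a genuine login it equals rp.ID, for a phishing page it does not.
func Login(rp *RelyingParty, auth *Authenticator, user, originRPID string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(originRPID, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	key := NewAuthenticator()
	shop := NewRelyingParty("shop.example") // constructed site name
	pub, _ := key.Register(shop.ID)
	shop.AddUser("alice", pub)
	ok, err := Login(shop, key, "alice", "shop.example")
	fmt.Println("genuine login:", ok, err)
	ok, err = Login(shop, key, "alice", "shop-example.evil")
	fmt.Println("look-alike page:", ok, err)
}
```

The two properties the comment lists fall straight out of the structure: the key is selected by RP ID, so a wrong origin never produces a signature, and a second site registered with the same key gets an unrelated public key, so two leaked databases cannot be matched up.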
I doubt we’ll ever be completely rid of passwords, much as I wish we could. You need some sort of way into your accounts if and when your one-stop authentication hardware key fails or gets lost. So unless we can work out a secondary method, I suspect garbage passwords will be with us for a long time coming. Biometrics may be a contender, however that raises even more privacy concerns depending on how it’s handled. Ditto for using mobile phone numbers and an sms passcode.
darknexus
Yeah, we’ll always need some kind of password, even if it’s only to unlock the key.
Biometrics are only of temporary value. As more businesses store biometrics, the less feasible it will be to keep them private. Even biometric hashes aren’t going to solve this problem long term because these hashes can be brute forced. At best biometrics can be used to identify an individual (ie “I’m Bob Dylan”) but should never be used to authenticate a session/transaction (here is my key) for anything of value. As a matter of principle, authentication keys must be replaceable, which biometrics obviously are not.
Biometrics really suck if you need to reset/replace them. 😉
They can clearly never be the only factor, just a second factor.
I’m a cynic when it comes to publicly traded corps open sourcing code. Since it’s a company that is extremely anti-privacy, I’d like to find out if there’s a hook in OpenSK to call home to the mothership or NSA somehow and dump your data.
Thanks for the info Naturactin