Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)
Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives the Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.
Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.
Re: (Score:2)
First, developers do not care about client side security issues, the developers will get their revenue or not, as long as they do not put functions server side that require something that the browser does not support.
Second, how much revenue can people who are still running XP produce for a website? Even in China, XP machines are hand-me-downs; they are consumption devices, not devices for purchases.
Re:Another dead Firefox release. (Score:5, Insightful)
Re: (Score:1)
I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.
Slimjet is a good chromium based alternative browser.
Re: (Score:1)
Re: (Score:1)
PaleMoon (Score:2)
It's been working very well for me.
If for some reason it went away, I would reluctantly go back to FF.
Re: (Score:2)
AI (Score:1)
Re: (Score:2)
All this AI stuff is just marketing buzz words.
Re: (Score:2)
Re: Time Saver (Score:5, Interesting)
I create new EMAIL for every account I have to sign up for.
My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for the fad of the year and stupid shit, and I know who sells my shit to whom, and none of those gets my business again.
It is actually empowering taking control.
Re: (Score:2)
Re: (Score:3)
If you own a domain you can do it easily, I would also think it is possible to register for a service where you own a subdomain. e.g. mydomain.subdomainservice.com
They can all be directed to 1 email address and you can just filter out any that you don't want
Re: (Score:2)
outlook.com
yahoo.com
gmail.com
mail.com
Mail.com has a number of other domain names you can use.
Re: (Score:3)
My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix).
You know that 2-digit pattern is going to bite you come y3k.
Re: (Score:2)
You mean y21c.
Re: (Score:2)
Y2.1K?
Re: (Score:2)
We should start this debate now, so that by the time it starts to matter in 2096 or so the main arguments are refined, well understood and people can skip straight to the flaming.
Re: (Score:2)
LOL, Gawd I hope so!
Re: (Score:2)
You know about email aliases, right?
Re: (Score:2)
I do. I actually use them on occasion ;)
Re: (Score:2)
I do the same. I was surprised and disappointed to find out my online stock trading account was selling my info to the most spammers out of all my accounts. Security? lol...
Re: (Score:2)
I do something similar, but with my own domain, using the domain name where I'm registering in the part before the @. No need to create a new mailbox or forwarder for each site, as it's a global forwarder. You can be more selective in the forwarding by requiring a specific string as part of the address in order to forward, so you don't get messages sent to random addresses in your domain.
It would end up something like this (obviously much shorter - this is just for explanation): DomainNameWhereI'mRegisterin
Re: (Score:2)
the +Netflix_2016 bit isn't quite an alias. Technically it is ignored by the email server for the domain. It acts like an alias, however. A real alias is a full email address that is delivered to another primary email box. The former can be removed in transit, as you indicated; a true alias cannot.
Re: (Score:2)
...pretty much...
It's not all the time. I will still sign up for some things. Just most of the time. That's what "pretty much" means.
Long term: Bad for the web (Score:5, Insightful)
While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,
Re: (Score:2)
"rather than something in our possession" - that is EXACTLY what a Yubikey is though, a physical device that you possess, and can have multiple types authentication credentials stored on it.
Re: (Score:2)
Digital radio requires a proprietary receiver--that's all. Whether that's DAB+ globally or HD Radio (NRSC-5-D) in the US, there is no subscription or identity required. Satellite service is different, of course, but that's true of TV broadcasts (also digital) too.
Re: (Score:2)
I prefer my identity to be proven by a few factors, not just easily spoofed, guessed at, or things possessed.
Re: (Score:2)
I'll just assume you've never actually USED a Yubikey then? Because it isn't easily spoofed or guessed. Plus to use certain modes on it, they're protected by pin codes, making the device itself require two factors (something you have and something you know).
Re: (Score:2)
There are no yubi models protected by pin. None of them has a physical keypad. I actually have several.
Re: (Score:3)
Source: https://developers.yubico.com/... [yubico.com]
This is something I use on a daily basis. It does indeed exist.
Re: (Score:1)
You can use a PIN/passcode, but the client software on the computer is the UX for it - Firefox in this case, the operating system in others.
Re: (Score:2)
The problem is that "something you know" makes a reasonable assurance of intent to authorize. "Something you have" or "someone you are" does not, and opens up for abuse, perhaps especially from those in power.
Re: (Score:2)
Yubikey is fantastic. Your identifying private keys are stored inside a secure hardware module inside the Yubikey. The login process sends a random challenge to the Yubikey, the Yubikey replies by signing the challenge with your private encryption key. The login process verifies the signed reply against your stored public key.
At no time does your secret key ever leave the device, not even to your own computer.
A trojan could eavesdrop on the whole thing and not learn anything useful.
Re: (Score:2)
The Yubikey can generate a different set of keys for each participating website so separate websites can't cross-reference your identity.
Is Two-Factor dead now? (Score:2)
So just replace the first factor with the second one?
Re: (Score:2)
To be fair, if you are faced with endusers either doing password or doing 'something they have' and unable to reasonably require them to do both, it's probably best to let them use 'something they have'.
Biometric of course seems to be the order of the day, though I have a harder time defending the security of that sincerely.
Re: (Score:2)
Still two factors. First factor is you must have the physical device that contains the private keys, and the second factor is what you use to access those keys (PIN, password, biometrics)
Re: (Score:2)
Nope. It's just the private key. Someone who pwns the host machine can copy the private key and reuse it later, with no need to know whatever opens the Yubikey/whatever device and no need to physically have the Yubikey/whatever device.
Unless someone is physically inspecting the "something you have" or "something you are", it's just something you're telling them, and thus it's effectively "something you know".
Re: (Score:3)
Someone with access to the host machine does not have access to the private key.
The private key stays on the authentication device. Data goes in to it, signed or encrypted data comes out of it. The private key stays just that - private.
You can't replay responses either, as the data going in to the device is randomly generated by the server requesting authentication.
Re: (Score:2)
If you use "biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID" on the device you're logging in with, then you have both together.
Re: (Score:2)
Wrong.
Your private keys are stored in a secure hardware module inside the Yubikey. They never leave the Yubikey not even into your own computer. The login process sends a random challenge into the Yubikey. The Yubikey responds with the challenge encrypted by your secret private key. The website can verify the response against your public key. The response is unique to that random challenge and gives an eavesdropper no useful or repeatable information.
Each website gets a different set of keys generated by th
Government vs Biometrics (Score:5, Insightful)
The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.
Whereas a pin or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.
Re:Government vs Biometrics (Score:5, Insightful)
IMHO, the fundamental problem with biometrics is that they're a password you cannot change.
No matter how personally unique some characteristic of you may be, it ultimately has to be captured and turned into a data stream to be used for authentication. What exactly stops someone from simply capturing and replaying that data stream?
Re: Government vs Biometrics (Score:3, Informative)
The fundamental problem is that biometrics are identities, not secrets.
Re: (Score:3)
What exactly stops someone from simply capturing and replaying that data stream?
Nothing. Now don't forget that some diseases like diabetes, lupus, MS, and so on can change the information that's used for biometrics. Retinal patterns being one of the big ones.
Re:Government vs Biometrics (Score:5, Insightful)
This is the first post that clearly states what the problem actually is.
Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.
I want my authorization, which requires an ACT on my part besides just being me (dead or alive).
Re: (Score:2)
So what exactly is the problem with WebAuthn then? It does not have any dependency on biometrics. All it requires is an authenticator capable of correctly signing a challenge with a private key that you have. How you protect the ability to sign the challenge, is up to YOU, the user. For some people (probably many people), possession of the device and a fingerprint may be sufficient. For others, a PIN or password may be required. Maybe the really paranoid want to type the challenge into a battery opera
Re: (Score:2)
Actually, there is a difference on the back end and usernames are used for good reasons. The username indexes more than your password, and is usually safe to record to logs and expose to a larger code surface in the AAA infrastructure. (With logs, best practice is to only record usernames from existing accounts in case a password accidentally gets typed in the username field... but of course make sure there's no delay introduced by doing so that would allow testing which usernames are valid.)
Also in chall
Re: (Score:2)
So if I create a new user account, and use the login JohnSuperSekrrit1! do I get to claim ownership of yours or should I just leech anything useful then move on?
Re: (Score:2)
Identity is not the same thing as authorization. Your new user login isn't proof of identity, nor authorization. You'd be hard pressed to be able to truly prove you are me, let alone authorized to act on my behalf.
Re: (Score:2)
You know this, I know this. The AC to whom I replied appears not to.
Re: (Score:2)
The thing about a transaction is that it requires two authorizations to be valid. I was focusing on security, because that is largely focused on the authorization of the person who has secured something else. Someone can pick a lock, but that doesn't grant them authorization. ;)
Re: (Score:2)
For something like webauthn, the biometrics data never leaves your device so there is nothing to capture.
Re: (Score:2)
Re: (Score:2)
An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest
Pro Tip: For the iPhone X to unlock you have to have both eyes opened.
Re: (Score:2)
Re: (Score:2)
For this use case Smart Lock is just a password manager.
Re: (Score:2)
Awkward abbreviation... (Score:2)
I would have guessed WebAuth to be a bit smoother...
Re: (Score:2)
Perhaps they don't want to confuse authentication with authorisation.
Authn sounds more like authentication than authorisation.
No thank you (Score:5, Interesting)
So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.
Re: (Score:2)
Re: (Score:2)
I assume advanced users will be able to use something like SSH keys.
Re: (Score:2)
Meanwhile, they do not mention anything about the "Logins API" needed for Add-Ons like "password-exporter" (https://github.com/fligtar/password-exporter) to work.
The security review still has not happened (https://bugzilla.mozilla.org/show_bug.cgi?id=1357856)
Re: (Score:2)
Advertising on the internet has been around for longer than the internet.
https://tech.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
What you said is illogical. You can have advertising about something before that something exists, but you cannot have advertising on something before that something exists.
Re: (Score:2)
It's mostly semantics. It happened on what is now called the Internet before it was called the Internet (ARPANET).
Re: (Score:3)
FFS!
about:config
extensions.pocket.enabled = false
browser.newtabpage.activity-stream.sections.highlights.includePocket = false browser.newtabpage.activity-stream.sectionOrder = "topsites"
Re: (Score:2)
Oops! i missed a line break.
browser.newtabpage.activity-stream.sections.highlights.includePocket = false
browser.newtabpage.activity-stream.sectionOrder = "topsites"
noooooo Dongles! (Score:2)
just.... no.
Re: (Score:2)
Just as well this is just a generic API for private key authentication then.
Any biometric part of it doesn't share the biometric data. It only uses it to unlock a private key.
PKCS#11 support? (Score:2)
Does this mean we will finally be getting a browser JS API for talking to PKCS#11 devices so we can do something more interesting with them besides mutual TLS authentication? I'd love to be able to, for example, bind a web server session to a remote AD using a browser-supplied hardware token, but right now that is virtually impossible unless you've jumped through all the hoops necessary to get NTLM working.
Re: (Score:2)
Yes, of course they are.
They aren't better than passwords, unless you're trying to sell them as a "solution".
Re: (Score:2)
If the man in the middle has stolen the private key of the servers certificate or has managed to obtain a trusted certificate for the domain and hijacked your DNS.
Even then, the man in the middle would not obtain access to the credentials, they would only have access to an authenticated session.
If you were using a password, the man in the middle would get the password too.
Re: (Score:2)
You've ignored that man-in-the-middle doesn't have to steal the origin server's private key - they just have to be able to sign a certificate with the same Subject or Subject Alternative Name using any CA Root or ICA in your trusted certificates store.
Certificates are only as strong as the weakest CA which is why Apple, Google and Mozilla created a big song-and-dance act about StartSSL/Start.com allegedly (and never actually proven, mind you) being owned by China-based Qihoo 360 Group.
One could argue that i
Re: (Score:2)
You missed the bit where I said "or has managed to obtain a trusted certificate for the domain"
You're also ignoring the point where if that happens, the credentials do not get compromised. The attack can only happen while the MITM is in the middle to initiate the session.
If you were building a service that required high security, you'd also make any secure actions require a new authentication to be performed.
I had a bank once that sent out hardware tokens. You needed a code from the token to login. You also
Re: (Score:1)
It has a prerequisite of TLS, so it is as susceptible as TLS is. If the browser accepts a fraudulently issued certificate, that fraudulent site can coordinate with the legitimate site to MITM you. This is a common weakness of TLS, and one of the reasons the browser/OS vendors have been ratcheting up their requirements for CA processes and certificate transparency.
The individual public key credentials which are issued as part of webauthn are basically scoped to the relying party website, so paypalonline.com
JUST STOP IT (Score:5, Interesting)
Man, I'm f*cking tired of this shit.
Stop spreading the false myth that a new standard, biometrics, or whatever is gonna "replace" passwords, or that there is a post-password future, or bullshit like that.
What passwords provides is fundamentally different from what biometrics can offer.
If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.
It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.
For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take its place, and it cannot, by definition, be used in several cases where passwords are required.
Biometrics and this new standard will add convenience to a form of authentication that, while it can be enough for lots of things, or can be paired with passwords for added security, does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependent on proprietary hardware and software schemes to maintain integrity.
And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see webauthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers as you need, and weigh the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.
Biometrics instead of passwords? (Score:2)
Yeah, because something you have is better security than something you know, right?
Re: (Score:3)
Nor is presenting it, or a hash of it, proof of having the corresponding biology.
It's just a password at that point, and one the legitimate user has no direct control of. If they lose a finger, fuck up their eye with diabetes, get a scar on their face, etc. they're fucked. If an attacker can spoof their biometrics (or the hash a biometric reader puts out), the legitimate user can't easily reset their biology.
Re: (Score:2)
Re: (Score:2)
Because the fake website also needs to present a trusted certificate for the domain the credentials are associated with. They also don't get given the credentials either. They get given a signature.
The hardware stores different certificates for each site. The private keys aren't required to be exported anywhere.
When you register your hardware device with your account, you're only sharing the public key of a new unique private/public key pair.