Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Firefox Mozilla The Internet

Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com) 132

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

This discussion has been archived. No new comments can be posted.

Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech

Comments Filter:
  • I think with all this new AI stuff that was invented we would have something better than typing in a string to authenticate a user. Aren't computers intelligent?
  • by Anonymous Coward on Wednesday May 09, 2018 @02:49PM (#56583258)

    While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,

    • by darkain ( 749283 )

      "rather than something in our possession" - that is EXACTLY what a Yubikey is though, a physical device that you possess, and can have multiple types authentication credentials stored on it.

      • I prefer my identity to be proven by a few factors, not just easily spoofed, guessed at, or things possessed.

        • by darkain ( 749283 )

          I'll just assume you've never actually USED a Yubikey then? Because it isn't easily spoofed or guessed. Plus to use certain modes on it, they're protected by pin codes, making the device itself require two factors (something you have and something you know).

      • by arth1 ( 260657 )

        The problem is that "something you know" makes a reasonable assurance of intent to authorize. "Something you have" or "someone you are" does not, and opens up for abuse, perhaps especially from those in power.

      • by hoggoth ( 414195 )

        Yubikey is fantastic. Your identifying private keys are stored insider a secure hardware module inside the Yubikey. The login process sends a random challenge to the Yubikey, the Yubikey replies by signing the challenge with your private encryption key. The login process verifies the signed reply against your store public key.

        At no time does your secret key ever leave the device, not even to your own computer.
        A trojan could eavesdrop on the whole thing and not learn anything useful.

        • by hoggoth ( 414195 )

          The Yubikey can generate a different set of keys for each participating website so separate websites can't cross-reference your identity.

  • So just replace the first factor with the second one?

    • by Junta ( 36770 )

      To be fair, if you are faced with endusers either doing password or doing 'something they have' and unable to reasonably require them to do both, it's probably best to let them use 'something they have'.

      Biometric of course seems to be the order of the day, though I have a harder time defending the security of that sincerely.

    • by bws111 ( 1216812 )

      Still two factors. First factor is you must have the physical device that contains the private keys, and the second factor is what you use to access those keys (PIN, password, biometrics)

      • Nope. It's just the private key. Someone who pwns the host machine can copy the private key and reuse it later, with no need to know whatever opens the Yubikey/whatever device and no need to physically have the Yubikey/whatever device.

        Unless someone is physically inspecting the "something you have" or "something you are", it's just something you're telling them, and thus it's effectively "something you know".

        • Someone with access to the host machine does not have access to the private key.
          The private key stays on the authentication device. Data goes in to it, signed or encrypted data comes out of it. The private key stays just that - private.

          You can't replay responses either, as the data going in to the device is randomly generated by the server requesting authentication.

          • If you use "biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID" on the device you're logging in with, then you have both together.

        • by hoggoth ( 414195 )

          Wrong.

          Your private keys are stored in a secure hardware module inside the Yubikey. They never leave the Yubikey not even into your own computer. The login process sends a random challenge into the Yubikey. The Yubikey responds with the challenge encrypted by your secret private key. The website can verify the response against your public key. The response is unique to that random challenge and gives an eavesdropper no useful or repeatable information.

          Each website gets a different set of keys generated by th

  • by Daemonik ( 171801 ) on Wednesday May 09, 2018 @02:56PM (#56583320) Homepage

    The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.

    Whereas a pin or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.

    • by Octorian ( 14086 ) on Wednesday May 09, 2018 @03:10PM (#56583420) Homepage

      IMHO, the fundamental problem with biometrics is that they're a password you cannot change.

      No mater how personally unique some characteristic of you may be, it ultimately has to be captured and turned into a data stream to be used for authentication. What exactly stops someone from simply capturing and replaying that data stream?

      • by Anonymous Coward

        The fundamental problem is that biometrics are identities, not secrets.

      • by Mashiki ( 184564 )

        What exactly stops someone from simply capturing and replaying that data stream?

        Nothing. Now don't forget that some diseases like diabetes, lupus, MS, and so on can change the information that's used for biometrics. Retinal patterns being one of the big ones.

      • by Archangel Michael ( 180766 ) on Wednesday May 09, 2018 @03:38PM (#56583634) Journal

        This is the first post that clearly states what the problem actually is.

        Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my Finger print. Or my blood sample. Or DNA, retinal scan etc.

        I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

        • by bws111 ( 1216812 )

          So what exactly is the problem with WebAuthn then? It does not have any dependency on biometrics. All it requires is an authenticator capable of correctly signing a challenge with a private key that you have. How you protect the ability to sign the challenge, is up to YOU, the user. For some people (probably many people), possession of the device and a fingerprint may be sufficient. For others, a PIN or password may be required. Maybe the really paranoid want to type the challenge into a battery opera

      • by bws111 ( 1216812 )

        For something like webauthn, the biometrics data never leaves your device so there is nothing to capture.

    • by jon3k ( 691256 )

      An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest

      Pro Tip: For the iPhone X to unlock you have to have both eyes opened.

  • Comment removed based on user account deletion
  • I would have guessed WebAuth to be a bit smoother...

    • Perhaps they don't want to confuse authentication with authorisation.

      Authn sounds more like authentication than authorisation.

  • No thank you (Score:5, Interesting)

    by AuMatar ( 183847 ) on Wednesday May 09, 2018 @03:07PM (#56583406)

    So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.

    • I agree. A password manager with different complicated long passwords gets you a long way.
    • by LubosD ( 909058 )

      I assume advanced users will be able to use something like SSH keys.

    • Meanwhile, they do not mention anything about the "Logins API" needed for Add-Ons like "password-exporter" (https://github.com/fligtar/password-exporter) to work.

      The security review still has not happened (https://bugzilla.mozilla.org/show_bug.cgi?id=1357856)

  • just.... no.

  • Does this mean we will finally be getting a browser JS API for talking to PKCS#11 devices so we can do something more interesting with them besides mutual TLS authentication? I'd love to be able to, for example, bind a web server session to a remote AD using a browser-supplied hardware token, but right now that is virtually impossible unless you've jumped through all the hoops necessary to get NTLM working.

  • JUST STOP IT (Score:5, Interesting)

    by XSportSeeker ( 4641865 ) on Wednesday May 09, 2018 @07:03PM (#56584868)

    Man, I'm f*cking tired of this shit.

    Stop spreading the false myth that a new standard, biometrics, or whatever is gona "replace" passwords, or that there is a post password future, or bullshit like that.
    What passwords provides is fundamentally different from what biometrics can offer.
    If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.

    It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.

    For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take it's place, and it cannot by definition, be used in several cases where passwords are required.

    Biometrics and this new standard will add convenience to a form of authentication that while it can be enough for lots of things, or can be paired with passwords for added security, it does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependant on proprietary hardware and software schemes to maintain integrity.

    And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see webauthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers you need, and weight the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.

  • Yeah, because something you have is better security than something you know, right?

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...