💬 Calling all Developers and Security Enthusiasts, share your insights!

So I replied to a post in Passwordless login to web vault (Passwordless login to web vault - #8 by qFKesZC77KY83rJHoJs).

It got me thinking about security.
So what is security in the first place? I think it means I should be able to do just about anything and not compromise my website logins or have anyone clone, copy, or otherwise access my personal information.
A few points.
I am somewhat paranoid about security and privacy.
I use a password Manager because I can have many different long complicated passwords and never have to reuse one.
I use a very long Master Password but I only have to remember this one password.
I use several devices and use the Password Manager to sync passwords across devices.
I want the Password Manager to persist whilst I am using the device, but I want to lock it with a distinct timeout on no activity of an app (usually the browser) and on shutdown of the device. I do not want it to lock every time I close the browser. I do not leave my browser running in the background.
I am fairly certain 2FA as implemented on most websites is flawed.
I like the IDEA of Zero Trust Authentication, but a drill down into who is fully embracing it and what it actually means is REALLY concerning.
People are starting to take their privacy more seriously and realize that security and privacy are intimately linked.
I use Firefox because of its privacy protections. This has hurt Google, Microsoft, Amazon, Facebook (& Apple) and websites generally, because a great deal of the data they rely on for their advertising algorithms is denied to them.
Well, Zero Trust Authentication will circumvent all those protections by using things like device identification, IP address, operating system versions, names, email addresses and date of birth just to authenticate. "But it will all be encrypted and not sold on"... yep, as Zuckerberg has said to the Senate multiple times, "we will just have to do better" (but he never does).

Now back to passwordless logon.

So now I can authenticate by effectively verifying my credentials once, which will produce a token so I don't have to plug in my password.

So now my device can log in without any interaction from me. Security is effectively now handled by/moved to the security of how I log in to my device (face, fingerprint, PIN, password).

The consummate zero trust authentication. If I can log on to my device, then that device is now able to automatically log in to my password manager and all my passwords are now exposed to my device. Only my device can get to my passwords.

BUT how secure is this? Well, it is SUPER, SUPER secure PROVIDED I DON'T LOSE MY DEVICE, or leave it open and misplace it, or have someone clone my SIM.

So let me recap. As long as I keep my device itself super secure then that is all it takes.
So why not just have my Passwords in plain text on my phone? Why use a password manager at all?

I could use a long and complicated method to access my device, but to make it easier I will write down the instructions and keep it with my phone.

Please pick holes in my logic.

So is security just that someone else external can't log in to my account?
Or is it that, almost no matter what I do (lose my device, have my SIM cloned, leave my device permanently open), I still have some layers of protection?

One thing that is of some concern is that the login password to the website where my vault is kept and my master password are the same. It means I cannot store configuration information for the password manager itself on the website unless the vault is unlocked. It does mean the website owners can't see ANY of my data that is not encrypted.

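An added illustration of the two layers the post is weighing up (encrypted storage versus "plain text on my phone", and an unlocked session that relocks after inactivity). This is constructed example code, not the original post's and not any password manager's real code or vault format. It assumes scrypt cost parameters chosen for a quick demo, uses HMAC-SHA256 in counter mode with encrypt-then-MAC as a stand-in for a real authenticated cipher such as AES-GCM, and the vault entry is a made-up sample.

```python
import hashlib
import hmac
import json
import os
import time

# Assumed scrypt cost parameters, kept low so the demo runs quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream/authenticated cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: dict, master_password: str) -> dict:
    """What actually sits on the device: salt, nonce, ciphertext and tag, no plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(blob: dict, master_password: str) -> dict:
    """Rejects a wrong master password (or tampering) before releasing any plaintext."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class VaultSession:
    """Keeps decrypted entries in memory only while unlocked; relocks after idle_timeout seconds."""

    def __init__(self, blob: dict, idle_timeout: float):
        self.blob = blob
        self.idle_timeout = idle_timeout
        self._entries = None
        self._last_activity = 0.0

    def unlock(self, master_password: str, now: float = None) -> None:
        self._entries = decrypt_vault(self.blob, master_password)
        self._last_activity = time.time() if now is None else now

    def lock(self) -> None:
        self._entries = None  # device shutdown or app close would call this too

    def is_unlocked(self, now: float = None) -> bool:
        now = time.time() if now is None else now
        if self._entries is not None and now - self._last_activity > self.idle_timeout:
            self.lock()
        return self._entries is not None

    def get(self, site: str, now: float = None):
        now = time.time() if now is None else now
        if not self.is_unlocked(now):
            raise PermissionError("vault is locked")
        self._last_activity = now
        return self._entries[site]


def demo() -> dict:
    """Walks through the scenarios from the post with a constructed sample entry."""
    entries = {"example.com": "correct horse battery staple"}  # constructed sample
    blob = encrypt_vault(entries, "a very long master password")
    on_disk = json.dumps(blob)
    result = {"plaintext_on_disk": entries["example.com"] in on_disk}
    try:
        decrypt_vault(blob, "wrong password")
        result["wrong_pw_rejected"] = False
    except ValueError:
        result["wrong_pw_rejected"] = True
    session = VaultSession(blob, idle_timeout=300)
    session.unlock("a very long master password", now=0)
    result["read_while_unlocked"] = session.get("example.com", now=100)
    result["unlocked_after_idle"] = session.is_unlocked(now=1000)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the model: whoever obtains the device's storage (lost phone, cloned backup) gets only the `blob`, and the key to it exists only in memory while the session is unlocked. A plain-text file on the phone has neither property, so "keep the device secure" and "keep the vault encrypted" are separate layers rather than one replacing the other.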