Passwordless Future

Here is an excerpt from an email I received from Microsoft about moving beyond passwords:

“By 2022, between 60 to 90 percent of enterprises will use password-free technology across more than half of their business cases according to Gartner. But how do we get there?”

I am curious as to how BW plans to evolve to continue in a password-free environment. Maybe managing security tokens and using push notifications/biometrics to allow login to sites and services?

You’ll still need passwords at some point. Passwordless only works if you have a physical device. Lose your physical devices and you lose your account. And current implementations of passwordless require WebAuthn, which consumes space on your security key. YubiKey model 5 only supports 28 such sites. And once you’ve added 28 sites, you have no way to remove a single site; you are forced to reset the YubiKey, which nukes all 28 sites from your key.

Then there’s the whole ecosystem problem. Right now most people are not used to using security keys, not to mention shelling out $20 for a single one, of which you should have at least 2, and that’s per person in your household. And if you enter the wrong PIN a few times in a row, the security key bricks itself, so you have to reset it.

Of course companies could make the devices “easier”, but only at the expense of security. These devices will effectively act as your user+pass+2fa to access an account. Any reduction in security could be horribly detrimental to a person’s everything.

2 Likes

I agree that passwordless logins are probably a ways away but I do think they are the future. I’d say in the next 5-10 years.

I think that cell phones, smart watches, smart rings, etc… will become the devices that hold our passwords. A necklace, a bracelet, anything.

1 Like

I hear your point.
A security key is a single device with access to your accounts. So if there is a chance of compromise it needs to be wiped.

The benefit of a system with multiple clients is that if you wipe 1 device, others are still available to continue operation. Making your single point of failure the central store, not a single device.

Microsoft and Google already use this passwordless system with authorized devices. Yubikey is a hardware device with no sync function. Correct me if I am wrong.

They could, but that’s scary. Imagine someone finds your bracelet and uses it to log into your 401k and transfer out your funds. The point of passwordless is the device is now ALL that is needed to access everything. You don’t even need to know who they are. The device is like a username+password+2fa all rolled into one.

Any passwordless device must be highly secured, which raises the whole issue of adoption. Phones are not highly secure; Level 3 security keys, like the YubiKey, are.

Scary thing about the whole security key market is nearly all of the YubiKey competitors are not Level 3, which means the devices can be hacked. Looking at you, Nitrokey. Yay, it’s open source and updatable. Oh, that also means someone can reprogram it to leak your data. Level 1 is what something like your operating system can offer, which is all Nitrokey is. One compromise away from losing everything.

It’s a risk management issue. A YubiKey is a hardware security device that has a special design that makes it nearly impossible to hack without some crazy manipulation of electrical input to confuse the device. Even then, the YubiKey has two processors that both have to agree, not as redundancy but for security.

A cellphone can be copied and eventually broken into. A Level 3 security key like a YubiKey cannot be copied and is generally considered safe from state actors attempting to break into it.

One really needs to be careful using any online connected device as a security device. These devices are meant to be convenient, which is the opposite of security.

Passwordless is great if you trust the authentication device with your life.

I feel like you are missing something. While the security key does manage 2FA, the second factor is still an input. Either PIN or biometric. It is not as simple as you have the key, you have everything.

There is also a benefit to an online device: if it is lost or stolen, it can be remotely deactivated/disabled. And sync means if you disable 1 device, you don’t have to go and set everything up again.

I am not suggesting it is a simple system/solution. I am simply starting a conversation on something that I believe is the future.

Moreover, in a system that is synced centrally, I would suggest that the security key is not the holder of creds. Rather, the security key would tell the central system “I am who I say I am, so please send the authentication to my requested service.” It would still require an MFA check such as biometrics, PIN or both/more.

Agreed, hence why I think we’re still a ways away. I think the tech will need to somehow determine you are who you are supposed to be. I don’t know how this’ll be implemented. A fingerprint sounds like the obvious/easy choice, but I don’t know if it’s the best. It’ll be cool to see what the future holds.

2 Likes

Biometrics can be easily duplicated from photos of people at parties. You’re holding a glass in the background of a picture that was posted on Facebook, and someone could clone your fingerprint. This has been proven to work on the cheap. Photograph a person with an IR camera from a distance and you can duplicate their retina scan.

The PIN is only as safe as the device it’s on. People are still getting their phones hacked by malware just to steal in-game currency. Malware poses as some useful software, someone so happens to install it, bam. This would be like a remote phishing attack. Gain access to a person’s phone remotely, steal the 2FA secrets from the phone.

You can’t remotely deactivate a phone that doesn’t have signal. Anyone can block the signal with a piece of foil.

For a typical person who had their phone lost or stolen by some random thief, probably not an issue. But if you became a target and the stalker took their time, they’ll eventually find a way to gain access to your phone remotely or bypass your security PIN/biometrics. Phones can be and are compromised; YubiKey cannot (in theory). That’s the difference.

Software and hardware are getting better at resisting and limiting compromises, but they’re not quite there yet. When we start seeing applications running in separate encrypted memory space from the host OS and Mach kernels where parts of the kernel are isolated from each other, and system code is written in memory-safe languages, then phones will start to become trustworthy.

You all seem to know a lot more than me about this area. I would however like to suggest something.

  1. The WebAuthn standard clearly talks about using a mobile phone as an authentication touch point. So the authors of the standard clearly see this as viable.

  2. You do not need to disable a device remotely; you would disable its access to the central repository. This would eliminate the need for the remote device to have signal.

Once again I would reiterate that the device would not hold the “keys”; the device would simply be an authentication touch point to authorize the repository to send authentication.

The security of the system could also be improved through the use of AI to run conditional access, blocking access to sensitive entries for suspicious activity. This is already done in many systems, including Microsoft’s Azure AD. It will check things such as location, device, device health, whether the device is up to date, whether anti-virus/anti-malware is installed and up to date, etc.

These scenarios are a bit far-fetched, if not implausible, for the average user. For the average Joe, biometrics are probably much safer than remembering passwords at least.

And taking photos of someone from across a room, particularly IR images, to obtain fingerprints or retina scans - I call BS. Do you have any idea how expensive a sensor you would need to do this? Do consumer-grade imaging devices capable of doing this even exist? Sounds pretty James Bond to me. What I worry about is some dude from Russia hacking into my computer to steal passwords, not some Russian dude infiltrating a house party I attend to take photos of my retina with a high-res IR imaging device.

While I agree that passwords will never completely die, we have already seen that day-to-day authentication is slowly being replaced by biometrics (think iPhones, MacBooks, etc.). For the average user, that’s probably a very big step up in personal security.

The problem with common biometrics is they have to allow a certain amount of fuzzing. In other words, modern biometric scanners are easy to trick, and the only information you need can be easily acquired with technology already built into smartphones.

Biometrics won’t always be this way, but for now they are.

The problem is the quality of the sensors. I think it was MIT that recently released that they could listen in on a conversation in a room across a street with $700 of equipment just by watching the vibrations of a light bulb. Since sound is compression waves, they cause objects to move, like your eardrum. A light bulb in a room with sound not only moves, but it emits a bunch of light. They can measure the micrometers of movement of the surface of the bulb and turn that into sound with enough clarity for Shazam to name that song.

It just comes down to threat modeling. What threats are you concerned about? Does the attack require advanced skills, or is there a turn-key package ready to attack you? For example, I saw a YouTube video of a guy who hacked his child’s wifi-connected toy, reprogrammed the software radio to cycle through garage opener codes, and was able to open almost any garage door in a matter of seconds. It was easy for him using a $30 toy, but I have never heard of a rash of people breaking into garages using such cheap and “easy” methods.

1 Like

I would have the system scream at you through push notifications if you do not have MFA enabled.

The 28 limit of YubiKeys concerns only the TOTP feature of YubiKeys, which is another thing: it is a second factor only.

Passwordless is part of FIDO2 project, and there is no limit on the accounts you can use with a single device.

Why doesn’t Bitwarden start to implement a FIDO key generator?
What do I mean by that? Pretty simple: generate a unique key for FIDO (passwordless) for every app that uses it.
Because many will make THE mistake and use the key from Windows, Mac or Linux (if they implement it), and once they lose their computer, poof, no access to the account anymore.

1 Like

I was wondering why Bitwarden doesn’t push using something like the Credential Management API (Credential Management API - Web APIs | MDN) instead of passwords. I guess that wouldn’t truly be passwordless (you’d still need a password for Bitwarden), but it seems like it would be a significant improvement over buggy autofill.

1 Like