this post was submitted on 22 Nov 2023
498 points (98.6% liked)
Technology
59739 readers
3838 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Windows Hello didn't. The hardware wasn't implemented correctly allowing the authentication to be bypassed. You misunderstood the issue here
They sync the public key with iCloud, not the private key. You misunderstood how it works.
There is no "keys deep" there is a public/private key pair that authenticates a single device with a single account. You have misunderstood how a local key store works.
Which means someone trying to access my account requires physical access to my device. Passwords, no matter how strong leave you open to remote attack.
Open the authencator app and remove the account. Or uninstall the authenticator app. Or delete your local phone account. Or factory reset if you want to go nuclear.
Alternatively if you lost your phone, go to the account online. Browse to the security section and delete the device from the list. Most services have the ability to sign out remotely. All that's doing is revoking the key. The phone doesn't have to do anything. The fact you think something needs change in the "blob" shows you do not understand how encryption works.
Again physical access, not remote access. Much smaller attack vector than a password.
You think passwords take power from the company that stores your passwords remotely? You have no idea how they are storing that password. You don't have to trust the company, you just have to trust the open standard these companies are implementing and that public/private key encryption is the standard used to secure the entire Internet.
Virtually no one uses a password manager. It's too much hassle.
Except I didn't. I outlined a real fucking issue and you're waiving it away without addressing how it's wrong. You realize that Microsoft's own branded laptops have this issue right? If Microsoft cannot create a product that isn't compromised to their own standard then don't you think there's a problem with it?
Here's the relevant quote if you would have read the article instead of yapping about how "I" don't know anything and misunderstand everything.
If Microsoft can't implement their own security standard of Windows Hello. You CANNOT trust it to do anything reasonable let alone be secure. Period.
You cannot validate a public key without a private key to sign for it, public keys are definitionally public and cannot be used to secure anything. This is like saying that the key in you see in an SSL cert is the only thing you need to prove you're the server... Not even close. You MUST have the private key for the sync to do anything useful. I've misunderstood nothing. The alternative here is that one device simply signs or validates another device being added so now there's 2 sets of keys to an account... The more passcodes/passwords that can access an account the more likely someone can bruteforce in. Either way this becomes more and more of a risk.
I've not, because I've explained literally in the same post how it actually works. You're being obtuse.
This assumes you trust the chip.... which implies trust in the manufacturer, parts vendors, and software lying on top of it.
You can't... you've lost your phone to authenticate you into the account. Actually... better yet, login to your google account now... Head over to "your devices", looking at mine, I see 2 devices in there that it REFUSES to let me remove.
Yes... a Session key... Not public/private key. You can simply use the same public/private keys to instantiate a new session! And since you've lost your phone and can't authenticate yourself anymore... The person who found your phone certainly can.
So you've chosen to limit one vector of attack at the risk of completely opening another one... Genius! Especially in this day and age where first party repair shops regularly get found out for stealing customer data...
Companies store password hashes... not the passwords remote... and you want to tell me I don't understand cryptography. Since passwords are transparent and known to me... I can take actions based on that. I can prove that keys aren't being shared across different platforms, etc... I can see exactly what's being passed because I'm the one passing it. And remember... these companies fuck up regularly.
So there's no password manager built into browsers... and companies that don't make millions providing that exact service? Lastpass, Bitwarden, dashlane, etc?
I'll stick to passwords that I can track and operate(which are likely to be more secure than whatever data they're passing as a key). I'll stick to actually functional 2fa tokens via TOTP, and yubikey (which doesn't have sole access to do anything on it's own, unlike a phone). I will not give up my passwords. Trading off 100% of your physical security for what is arguably at worst sidegrade in digital security seems insane to me.
I realize I made an edit to my previous post you might not have seen. Please refer to that as well. But finally I noticed you've completely skipped answering any of the actual scenarios I've posted. Almost like you realize that there's a huge flaw here...
Lastly... I actually taught, researched, and created cryptography at an academic level for a while. I have a feeling I have a deeper knowledge of cryptography than most people do. If you still want to tell me I "misunderstand" everything I would suggest you actually go through my post and actually address the problems I've brought up, then realize that yes... "passkeys" can minimize risk for those who do passwords lazily... but well done passwords and 2fa, are significantly better than passkeys alone. Forcing people into passkeys forces people to only operate under a specific platform that must be trusted to work further eliminates other valuable security features in the process as well. As someone who's security conscious... as you present yourself to be... you should not be de-facto trusting these organizations at all... but for some reason you are. And that's odd.