
A strong password can still be phished. Hardware keys are not vulnerable to phishing.


Not just phishing, server side attacks can hoover up passwords all day long. Also XSS can extract passwords from password managers, etc. Passwords are dumb. The static/symmetric nature of passwords makes authentication fully transitive, where if A can be tricked into logging into system B, then an attacker on system B can use A's credentials to log in to system C. This is fundamentally broken.

We've had asymmetric authentication for nearly 30 years now, it's insane that people are still using passwords to authenticate to stuff.


> We've had asymmetric authentication for nearly 30 years now, it's insane that people are still using passwords to authenticate to stuff.

The thing is, anything but passwords is extremely challenging for non-tech users. Even SMS-based 2FA is too much for tech illiterate people.

You do not want to be the support staff for a service that has 2FA enabled. It's utter madness - people lose their 2FA devices, get them stolen, drop them in water, run over them with their cars, have them eaten by their pets (Yubikeys seem to have a particular attraction to cats and dogs as toys), forget them at home before a vacation, of course no one prints out their 2FA recovery codes... and then there are the scammers who pretend one of these events has happened and the account needs to be unlocked, or those who fell victim to a phishing scam and now 2FA is under the control of the attacker.


> The thing is, anything but passwords is extremely challenging for non-tech users.

People usually manage to not lose/destroy the keys to their houses/cars very often. A FIDO token is very similar. You just need to understand that it's important to not lose it and that you should have a second backup key. I don't think this problem has anything to do with being a "non-tech" user.


> People usually manage to not lose/destroy the keys to their houses/cars very often.

Lol. Friend of mine works in real estate... losing keys is very common.

> You just need to understand that it's important to not lose it and that you should have a second backup key.

And how many people have that? Know that? Don't skip the dialog warnings because they've been conditioned to do so? And on top of that, what about the services that only support one 2FA device like Amazon AWS with Yubikeys?


> Lol. Friend of mine works in real estate... losing keys is very common.

Ok, fair point. That's why it'd be good to have a second key somewhere safe. The FIDO token also is just one key that can be used for multiple websites. That's like having many houses and all can be unlocked with one key.

> And how many people have that? Know that? Don't skip the dialog warnings because they've been conditioned to do so?

I don't know, you're right, perhaps not that many. But the problem is maybe also that people do not want to pay ca. 60$ for two yubi-keys just to be able to use the same websites they're using with a password already. Perhaps the passkeys login using android/ios (e.g. authentication via fingerprint with your smartphone) is going to be much more popular because it's more convenient and "free" (except you pay with your data).

> And on top of that, what about the services that only support one 2FA device like Amazon AWS with Yubikeys?

Yeah, services that do that or even have 2FA as a paid-only feature need to change that. It's just a system flaw on their side in my eyes. Hopefully, such bad practices will bring those services a big enough competitive disadvantage in the future that they're forced to implement 2FA properly.


> Not just phishing, server side attacks can hoover up passwords all day long.

Just to note that there are password-based login systems that solve this problem:

* https://en.wikipedia.org/wiki/Salted_Challenge_Response_Auth...

* https://en.wikipedia.org/wiki/Password-authenticated_key_agr...


The attacker controls the login form. They could use javascript to just scrape it out of the password field if they wanted to. Those solutions might get in the way of existing tools for logging password forms, but there are trivial workarounds.


Doesn't solve keyloggers?


Hardware keys are vulnerable to other things. Like getting stolen, getting lost, getting broken or getting hacked. Usually at a moment where you can't readily replace them.

Phishing is possible to avoid.


"Phishing is possible to avoid" is almost as true as "it is possible to write safe C code." Technically true, but practically not so much.

Now, I grant that for most of us, if you are the target of any nation state level actor, not much you can do. For the most part, they can just compel the party that has your data. That said, security keys are far safer than portable data.


I don't mind to differ on this one. Your reaction certainly didn't address any of my concerns about practicality of HW keys in any scenario where you're not just sitting at home and can lose your key, and will be fucked if you'll not be able to recover or downgrade your security for a little bit until everything's normal again.

Maybe to secure corporate accounts against phishing, or whatever. But for my personal stuff, I need to be able to recover in many ways at any time with just a random computer and internet access without any special HW that may not be readily obtainable the moment I need it.


I don't think you are wrong, but I do find it funny how the threat models get built so differently.

My personal feel is I'm ok not having my key with me when I'm "out and about." Is no different than my not having some of my ID cards with me. Such that, I'm already "locked out" of many of my financial accounts and such when I am not at home. But, I fully ack that that is a personal choice here. I just can't think of any situation I've been in, in a LONG time, where I was needing to randomly use a computer.

Edit: It also occurs to me that keeping keys to get back into your home is almost certainly similar in concern here. As somewhat crazy as I think the "keychain" nature of these tokens is, it does address a large part of this problem.


I just realized that there are a lot of kids out there with all the balls necessary to hold their parent's keys hostage.

Even if you would never be tricked into giving up or losing your key, there are other people in your life who can do it either for themselves or be tricked or compelled into doing it for someone else while you're asleep or in the shower or any of 1000 opportunities every day. Would you immediately detect a good fake substitution? When would be the next important login that needed it?


Password managers like 1Password also can act as OTP apps for 2FA.

That has the advantage you can install the password manager in several devices, so losing one is not catastrophic.


But the downside of you downgrading your security to just 1FA


If your master password gets hacked sure, but it's still resistant to one of your passwords getting phished/leaked.

Maybe it's 1.5FA ?


1Password isn't 1FA. And with 2FA set up on your account, it's 3FA to decrypt the contents.


Phishing/MITM-resistance is not specific to hardware keys. Software can implement the same primitives that a hardware key does. Indeed, the phishing resistance of WebAuthn comes from the browser rather than anything really specific to the authenticator.

I think(?) token binding would have moved more of the validation to the authenticator, but I'm not sure, and I think it was dropped.

What a hardware key can do is make it so even if someone has your device and PIN code, they theoretically _still_ can't steal or clone your passkeys, and the RP can implement attestation which is very useful in an enterprise scenario. Though, I wouldn't trust either of those guarantees in the case of a state level adversary...
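
The origin binding described in the comment above, as an added example that is not part of the thread: a simplified WebAuthn assertion flow in Node.js in which the browser, not the authenticator, supplies the origin and the relying party checks it. The domains, function names and the suffix-match rpId rule are assumptions made for illustration; attestation, signature counters and the real registrable-domain rule are left out.

```javascript
// Added illustration: simplified WebAuthn assertion flow. Names and domains are constructed.
const crypto = require('crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
const RP_ID = 'bank.example';
const RP_ORIGIN = 'https://bank.example';
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Authenticator: sees an rpId and the client data bytes, never a URL bar.
function authenticatorSign(rpId, clientDataJSON) {
  // authenticatorData (simplified): rpIdHash || flags (user present) || 4-byte counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

function clientData(origin, challenge) {
  const challengeB64 = challenge.toString('base64url');
  return Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: challengeB64, origin }));
}

// Browser: writes the page's real origin and refuses an rpId the page has no claim to.
function browserGetAssertion(pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) throw new Error('SecurityError');
  return authenticatorSign(rpId, clientData(pageOrigin, challenge));
}

// Relying party: type, challenge, origin and rpIdHash first, then the signature.
function rpVerify(a, expectedChallenge) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad type';
  if (c.challenge !== expectedChallenge.toString('base64url')) return 'bad challenge';
  if (c.origin !== RP_ORIGIN) return 'bad origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpIdHash';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const lookalike = 'https://bank-login.example'; // constructed look-alike origin
  let refused = false;
  try { browserGetAssertion(lookalike, RP_ID, challenge); } catch (e) { refused = true; }
  // RP check on its own: client data naming another origin, and one edited after signing.
  const wrong = authenticatorSign(RP_ID, clientData(lookalike, challenge));
  const edited = { ...wrong, clientDataJSON: clientData(RP_ORIGIN, challenge) };
  return { legit: rpVerify(browserGetAssertion(RP_ORIGIN, RP_ID, challenge), challenge),
    browserRefused: refused, wrongOrigin: rpVerify(wrong, challenge),
    editedAfterSigning: rpVerify(edited, challenge) };
}
console.log(demo());
```

The authenticator signs the same way in every case; the rejections come from the browser's rpId check and from the relying party comparing the origin the browser recorded.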


True, but password managers can potentially reduce the risk of phishing, since they're the ones autofilling. There's probably work that would improve the UX here but even still.

Of course, it's not nearly as good as being totally phishing resistant like U2F, but IMO it's a big enough win that we should still be pushing password managers very hard.



