A path to a world without passwords
- Published: 1 Oct 2024
- Developers know that passwords are not the best way to protect users' accounts. But what are the other options available to make them more secure, ideally towards a future without passwords? Walk through various sign-in options available now and in the near future, so you can build a strategy for a passwordless future.
Resources:
FIDO and passkeys → goo.gle/fido
SMS OTP forms best practices → goo.gle/3jpKflh
Participate in an origin trial for FedCM for IDPs → goo.gle/fedcm
Speaker: Eiji Kitamura
Watch more:
All Google I/O 2022 Sessions → goo.gle/IO22_A...
Web at I/O 2022 playlist → goo.gle/IO22_Web
All Google I/O 2022 technical sessions → goo.gle/IO22_S...
Subscribe to Google Chrome Developers → goo.gle/Chrome...
#GoogleIO
What about the cold start problem? For example, how can I access my data if my phone breaks on a vacation, but I still need to log in to my bank account?
As long as you can sign in to your Google account, you can recover the passkey.
developers.google.com/identity/fido/#what_happens_if_a_user_loses_their_device
I think there has to be more than one authentication method/device for each layer. Like let's say you have a Yubikey with a fingerprint reader, you should also have a password generated by a password manager and 2FA with an authenticator app i.e. This way no matter what happens you can still access whatever it is you're protecting in different ways
@agektmr What if you can't get into your Google account?
@unicodefox You call the LockPickingLawyer to unlock it, cause no device is ever truly safe 😉
But to be honest, in the extremely ill scenario (nothing else to be done), they might want from you your actual personal data, that you have kindly provided in the first place, to actually show them you are the genuine person, idk. or...
You step into a Google box (kinda like a self-secured ATM machine, locking you inside for the duration of the process) that verifies you and prints out one piece of paper where a unique link and code is provided that you have to enter in 3-5 minutes to get back your account. 🙃😉
I think regular passwords still need to be an option (in most contexts). What about users on platforms without support for this stuff? Or on devices without TPMs? What about people who don't want to allow platforms to manage their identities for them? What if your TPM turns out to have a vulnerability? Like, passwordless is a great usability and security improvement, but for any old app or website passwords are the best long-term option for a number of reasons, even with their weaknesses. Passwordless I see as an optional enhancement rather than the primary/only way (besides enterprise and things like that).
True, there is also the backwards compatibility and how much it will cost to keep things safe. If you have an external site that manages and keeps your data, that doesn't cost you anything. If you have the user manage and keep his/her own data, it doesn't cost you anything. But when you go into the territory of you being the one who has control over someone else's very personal data, then that can become costly, both for you (keeping data safe and secure) and them (keeping up with technology to keep their end safe and secure), not to mention trust.
For example, a common thing in, say, banking. On one side you have the security of the bank, on the other you have the security of the user. Internally banks will always be able to keep up with their end being secure (likewise Google), but they cannot ensure the user is secure. So they make it more convenient for the user to access their data by providing, let's say, app methods. In time the devices that run those apps become obsolete and the user is forced to change their device (additional secret cost). Now while banks are, despite all facts, a more local environment with local crowds, big tech companies are not. So who will take over the cost to enable everyone (normal people) to keep up and use this, as @MihkalJouste said, optional enhancement?
Every website could give an option to use password or passkeys. If you don't want to use it.
Doesn't your google/microsoft/apple account then become the password manager?
It's bad. I trust apple keychain, but I use a macbook. I somewhat trust google, but pw autofill is not there outside of browser
@li_tsz_fung you can copy your passwords from your Google account web page. Yeah, not the quickest way.
Maybe I'm not getting it: In the example, doesn't your Google account become a single point of failure? Like when you get a new phone because your old one is broken: You log into your Google account with the password on the new phone and it becomes your new authentication device. What keeps someone from getting hold of that one password for your Google account and logging in on e.g. a phone, which will sync with all the stored data for authentication in different services? So basically they now have an auth device in their hands to authenticate themselves to all the services you have linked with your account... idk, feels kinda too centralized for my taste.
The primary purpose is to decrease phishing attacks.
Account recovery is improved under some of these methods and worse under others. But all of the techniques you are familiar with for account recovery (multiple devices, third-party services, email, call on the phone) may still be used.
Decrease phishing attacks... while giving an intensely political corporate monopoly the ability to unplug your bank account, financial records, tax information, social media, and contact information.
@jonmichaelgalindo There are several solutions here and I'm not sure which one concerns you, but none of them are proprietary. If you don't like one provider, choose another. A FIDO/WebAuthn key is hardware that you own, and some of the hardware options lack any internet connectivity by which somebody _could_ manipulate it.
You and Luft are right to not trust a single provider for everything, and fortunately that is not the case here.
@logankennelly No system can solve the authentication problem at all. A human's mind is where you have to store the cryptographic key (secret, AKA password).
I was referring specifically to Google's passkey (centralized identity does not solve authentication and is a nightmare trust scenario), but there are zero solutions here. Physical keys can be manipulated by force, just like police use Face ID to get into phones without a warrant, but the real problem is any device relied on for key storage will be lost / damaged, inevitably. It has to be the brain.
@jonmichaelgalindo It really depends on your threat model. The vast majority of identity compromises are due to credential sharing, phishing, and credential re-use. The solutions here address that 99% problem.
If you are trying to protect yourself against a nation state actor, first of all, good luck. Second, learn how to disable biometric authentication quickly (it's easy on Android and iOS). Also, use 2FA to augment hardened login (which may include a password ... not quite sure how that's going to shake out yet).
Brains are notoriously bad at remembering thousands of distinct, shifting, and complex items. It's also the reason password recovery mechanisms are often the weakest link. A standard by which your "password" manager is literally incapable of providing incorrect credentials (which is really what this is) seems like an obvious improvement. It's not about a single, final solution, but improving upon the layers that exist today.
Your scenario where you haven't taken steps to protect your phone and it's compromised and you haven't enabled 2FA and your phone's app/browser doesn't auto-login is vanishingly rare ... and you should probably just take steps to protect yourself.
You are correct that lost devices are a problem, but email-based (and phone for some services) account recovery is now essentially universal. Passkeys attempt to plug that hole by treating account recovery as more locked down than email, but essentially everyone is incentivized to support _some_ method of account recovery.
Here’s the thing though: you cannot be coerced/forced into giving a password. You can be tricked into giving a password, but someone can’t physically force you to type it in or tell them. But you can be forced to put your finger on a fingerprint reader, or look at something, and you don’t even have to be involved if someone nabs your security key (unless it has some sort of biometrics on it).
And let’s be real: end users will sacrifice security for convenience. Even if they know they shouldn’t. It’s why we have this problem with password reuse.
You are much more likely to be tricked into giving away your password. Phishing attacks are very prevalent and can look quite convincing. All it takes is not noticing a small typo in the address bar and you're screwed. This method at least prevents it.
@Andrew-jh2bn true
Awesome Eiji, thank you for sharing it!
I like WebAuthn, but I am afraid it will not be widely adopted any day soon. There are just too many issues, for developers and for end users.
It is great that you are working on solutions, as so far I have not seen any implementation that would be usable for common user.
What kind of developer issues do you see?
I truly hope that a password-less future is within our grasp. I don't want to trust a password manager app/service, but I also don't want to create complex unique passwords for every site, service and app I use, which ends up in dozens if not hundreds of combinations I need to remember. But then we've also seen even most complex and long passwords don't mean much if there is a data breach and personal data is leaked out.
I just played this video. For now I'm pretty sure the word "password" is there to make a starting point for the rest of the things he wants to say. That's my starting point ¯\_(ツ)_/¯
Why not have the authenticator randomize passwords, remember them for the specific websites, and you have to authenticate to use the device. And it can have 100-digit passwords. Easier.
It must be a fingerprint authenticator for the human to the device. Otherwise if someone steals it, they have access to everything.
Just this morning, my son suggested that I would find sign-in life easier by using an Authenticator. Wow! I'm in dire need of this technology, since passwords quickly slip away from my recall.
Everybody: My home was broken into...
Nobody: was there a lock on your front door?
Google: There’s the problem, we must get rid of locks
🧐🤦🏾♂️🤦🏾♂️
Oh, I know! A lock that only we have the key to. We'll lend you the key whenever you need it, as long as you keep using our services and your public actions align with our political agenda. Problem solved. :-)
Thanks
yeah using an external dongle is similar to metamask/ethereum stuff with ledger and trezor etc
Lots of awesome stuff incoming.
No, no, not only is this way worse for security, if you get hacked once that finger is useless after that, and having many accounts, companies can identify users way easier by just using your fingerprint. I will never accept this; I'll do everything to never use nor allow this.
The website would not get your actual fingerprint. The device would generate a cryptographic key associated with the specific combination of that user and that website, which allows the website to trust that the fingerprint was scanned successfully without ever gaining access to the fingerprint data.
@aidanbrumsickle Won't that just mean getting a user's fingerprint once will compromise them? Regardless of what the website sees, you can get a person's fingerprint pretty easily compared to knowing what password they may use.
@thexg0d833 For it to work you would need the fingerprint AND the registered device. You can't use the fingerprint on other devices. And yes, that's probably possible: if you steal someone's phone it's probably already full of their fingerprints. But it's still better than any password you could remember if you're mainly concerned about Indian scammers and not the local expert hacker living nearby that for some reason hates you personally.
I appreciate the move towards passwordless internet. The login confirmation on my phone has replaced my google password for months now, and it's been great 👍
I'm not sure if I'm alright with giving you my biological data
If someone wants to hack something, they will find a way.
So, I don't see the point. Many things have been "hacked."
And those responsible for one of those hacked things received a 7.2 billion uncontested contract extension.
For example, the password store in Chrome cannot be used in other browsers.
So people in Google do know their "Password Manager" is not complete?
Google should make a real password manager
Use their website and access your passwords on different browsers
Thanks, great stuff and work. Keep going, guys!
No it's horrible
Thank you so much.
what a way to move forward
Passwords are not a problem. People's culture is the problem.
Spot on! Instead of working on technical improvements to passwords and auth processes, let's just change the human psyche, how hard can it be????
so now basically google got our fingerprint as well
No. The fingerprint data never leaves the device.
TheHorror.