Bad Dog—Everyone HATES This FIDO Passwordless Idea

Behold! The next steps to passwordless nirvana. The FIDO Alliance is happy to present its plan for ridding us of the yoke of passwords.

But scratch the surface and FIDO2-WebAuthn seems to let “privacy invading megacorps” profit from your private data. The usual suspects—Amazon, Apple, Google, Facebook, Microsoft—have taken over. And they’re trying to lock you into their ecosystems, with their regular brand of “hot corporate garbage.”

Usually in SB Blogwatch, I try to tell both sides of the story. But today, I couldn’t find anyone who thinks FIDO is a good thing.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Trek vs. Wars mashup.

Dog’s Breakfast of a Plan

What’s the craic? Lily Hay Newman reports—“A Big Bet to Kill the Password for Good”:

Make phishing a thing of the past
The FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle [to] a passwordless future. … After years of investment to integrate … the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.

Part of the challenge simply lies with the enormous inertia passwords have built up. … They’re the devil you know. Educating consumers … and getting them comfortable with the change has proven difficult. … Most users will conclude that it’s too much of a hassle to change.

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past. [But] while FIDO’s proposal is a major security improvement … it isn’t infallible. … After almost a decade of work, [we] are left to hope that at this point FIDO is too big to fail.

For example? Ben Lovejoy fangirls full-steam ahead—“Passkeys in iCloud Keychain could make automatic website login even easier”:

Apple gave its backing to FIDO (Fast IDentity Online) back in 2020, and … calls its own implementation Passkeys in iCloud Keychain. But it is simply FIDO by another name.

[It] would work in exactly the same way as when your Apple Watch unlocks your Mac or iPhone, or your iPhone unlocks your Watch. You don’t need any additional verification, because you have already confirmed your identity by unlocking the first device.

Wave your hands up in the air, got the feeling and ain’t got a care. A rock-steady jonah wails: [You’re fired—Ed.]

A lot of hand waving
This is (kinda) progress. It’s not progress for the people [who] already use a password manager. It’s progress for the bazillions of others who don’t.

There is, however, a lot of hand waving away things that are going to cause an incredible amount of friction. I expect nothing less from a PR release covered by Wired.

But it seems like Dean ain’t buying it:

It will never replace my Yubikey because my Yubikey can be used on any device. In addition, if I lose my … device, I’m not at risk of being locked out. Even if I lose my Yubikey, I have a backup key.

So why is FIDO better? arglebargle_xiv misquotes my great-grandfather:

Every attempt to replace them has failed
To paraphrase Churchill, “Passwords are the worst authentication mechanism, except for all the others.”

There’s a great paper by Herley and van Oorschot on the capabilities required of a mechanism that will be able to successfully supplant passwords. Turns out there’s only one single mechanism that does all that: Passwords.

There’s a reason why they’ve stuck around forever. And why pretty much every attempt to replace them has failed.

And dane-pgp feels even more strongly:

[FIDO2 is] a system that forces you to carry around a device … which sites can identify the make and model of using a DRM-like system to ensure you have bought it from an approved … vendor.

Instead of supporting half a dozen … vendors, the new idea is to become dependent on just three large US-based operating system vendors (Microsoft, Apple, and Google), who will lock up all your keys and make it awkward to switch to a competitor. … Just make sure you check what the Terms of Service updates say, and read the National Security Letters that those companies are sent.

Pick up that baton and run with it, @ForIamCJ:

****ing awful
This will not happen any time soon. … All of the PW-less solutions rely on trusting “identity providers” who ‘vouch’ for you … (all of whom have been guilty of hot corporate garbage).

Google & Apple devices are designed to be barely functional if you’re not logged into an account on their ecosystem. Microsoft is envious of this and will be trying to force “Microsoft account logins” with Windows 11 at some point.

Letting one of these megacorps be the arbiter of … digital identity is ****ing awful. So you’re never going to get most people to buy into a password-less world that relies on these companies as identity providers.

Wait, doesn’t anyone like it? Rosco P. Coltrane is inclined to, but falls at the last hurdle:

FIDO is generally a good thing. What I wonder though, considering the fine collection of privacy invading sumbitches above, is: In what novel and odious ways will it be used to put people under even more intense corporate surveillance?

You can bet your *** all of those Big Data companies wouldn’t come together to promote something they didn’t see as a major treasure trove of private data and surveillance opportunities to monetize. Just because of who actively promotes FIDO makes me suspicious of it.

Cui bono? SixDegrees follows the money:

So, not available for Linux, but available for Android? I sense a great disturbance in the profits.

Meanwhile, codemonkeyuk puns up a storm:

It seems like the FIDO Alliance came up with a dog of a solution.

And Finally:

Star Wars: Disco

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Matthew Henry (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
