Started by Tinymcsmithy on May 16, 2022 1:49:22 AM
Apple, Microsoft, and Google want you to go passwordless — what could possibly go wrong?

It’s not an especially new concept - some websites already use an email verification only login. Although, no financial services sites AFAIK.

How do we feel about all this? Will it really make life easier? What about privacy? And, most importantly, is it more secure (and are passwords really that insecure?)?

https://finance.yahoo.com/news/what-going-passwordless-means-203926527.html

Tinymcsmithy - 16 May 2022 01:52:48 (#1 of 44)

The technology comes via the FIDO (fast identity online) Alliance, and allows you to use your phone rather than a password to authenticate who you are

The idea is for you to register your identity via your smartphone using its facial recognition, fingerprint ID, or your passcode. Once you’ve stored your identity on your phone, it stays there.

Yeah OK, that’s not at all a creepy open invitation to data brokers and others. Is this the real motivation for the tech companies?

From then on you’ll be able to log into websites and apps that use FIDO’s standard by entering your username and then using your phone to tell the app or site that you’re you.

And that’s more convenient how?

Catspyjamas17 - 16 May 2022 06:17:38 (#2 of 44)

It feels to me that the tech, and/or tech security, and certainly wifi/broadband/data coverage is often not up to the ambitions of financial institutions. And also forgets that humans are involved who do not learn new processes so quickly and make errors.

I still haven't had an answer from my bank as to why a payment to Aldi (for a click and collect order) was refused from my account when funds were available and it had been pre-authorised when I ordered using their additional security measures which they have just introduced - which is to log into the app with a fingerprint and authorise the individual transaction. Which was a proper faff last time as I was in an area with poor data coverage. Plus I shop at Aldi in this way every fucking week. The bank introduces additional security and the system fails.

So yes, I share your concerns, as banks can't even deal with their current systems without fucking it up.

ReverendBlueJeans - 16 May 2022 07:34:46 (#3 of 44)

Oddly, at work we're being prepared for some new two-stage login process that's password-plus and includes some chuffing 'apse' on one's phone.

I get the impression that tech moles keep coming up with answers to questions no one has asked yet. That may be prejudice, of course.

upgoerfive - 16 May 2022 07:36:57 (#4 of 44)

The cynic in me assumes it's just an excuse for them to get access to your phone.

Dementor - 16 May 2022 07:42:07 (#5 of 44)

You’re supposed to use certificates rather than passwords to log into other computers using SSH - having a standard to extend that to websites might well be a good idea … ?

Tinymcsmithy - 16 May 2022 07:59:21 (#6 of 44)

#2

Indeed. Similar assumptions are made by Apple and others, that you are living in Cupertino with a perfect wifi connection.

Oldbathrobe1 - 16 May 2022 08:21:51 (#7 of 44)

I get the impression that tech moles keep coming up with answers to questions no one has asked yet.



As the Fonz might say, correctamundo. I currently log into a financial app with my thumbprint, which automatically fills in the password. That's quite a lot of sophisticated tech for a very small improvement.

HorstVogel - 16 May 2022 07:36:31 (#8 of 44)

choices, one day someone will ask for your password, or your thumb.

tasselhoff - 16 May 2022 08:09:20 (#9 of 44)

You’re supposed to use certificates rather than passwords to log into other computers using SSH - having a standard to extend that to websites might well be a good idea … ?

Exactly. FIDO using PKI means it can't be used by a phishing site, unlike the likes of Authenticator apps where an authenticator code can just be used as something you know like a second password (so in effect it is multi-step rather than multi-factor for phishing sites).

This is NOT an answer to questions no one has asked yet.
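
Added example, not part of the post above or of any FIDO code: a simplified model of the difference described in #9, where a one-time code typed into a look-alike page still verifies at the real site, while a signed assertion carries the origin the browser saw and is rejected. The origins, secret, timestamp and function names are constructed for illustration, and the signed structure is a simplification of the real WebAuthn format.

```javascript
// Added illustration: constructed origins, secret and timestamp; simplified, not real WebAuthn encoding.
const crypto = require('node:crypto');

const REAL_ORIGIN = 'https://bank.example';            // constructed
const LOOKALIKE_ORIGIN = 'https://bank-login.example'; // constructed

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / 30)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff;
  return String(bin % 1e6).padStart(6, '0');
}

// Server-side TOTP check: only the shared secret and the clock matter,
// so the server cannot tell which page the code was typed into.
function serverAcceptsTotp(secret, code, now) {
  const expected = totp(secret, now);
  return code.length === expected.length &&
    crypto.timingSafeEqual(Buffer.from(code), Buffer.from(expected));
}

// Authenticator side: the browser, not the page, supplies the origin that gets signed.
function signAssertion(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  return { clientData, signature: crypto.sign(null, Buffer.from(clientData), privateKey) };
}

// Relying-party side: verify the signature, then the challenge and origin inside the signed data.
function serverAcceptsAssertion(publicKey, expectedChallenge, { clientData, signature }) {
  if (!crypto.verify(null, Buffer.from(clientData), publicKey, signature)) return false;
  const data = JSON.parse(clientData);
  return data.challenge === expectedChallenge && data.origin === REAL_ORIGIN;
}

function demo() {
  const now = 1652688000;                                  // constructed timestamp
  const secret = Buffer.from('constructed-shared-secret'); // constructed
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const challenge = crypto.randomBytes(16).toString('hex');
  const sign = (origin) => signAssertion(privateKey, challenge, origin);
  return {
    totpRelayed: serverAcceptsTotp(secret, totp(secret, now), now), // code typed on look-alike page
    fidoGenuine: serverAcceptsAssertion(publicKey, challenge, sign(REAL_ORIGIN)),
    fidoRelayed: serverAcceptsAssertion(publicKey, challenge, sign(LOOKALIKE_ORIGIN)),
  };
}
console.log(demo());
```

Real WebAuthn additionally scopes each credential to the site it was registered with, so the authenticator would not offer the bank's key to the look-alike origin in the first place.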

Tinymcsmithy - 16 May 2022 09:12:47 (#10 of 44)

Is it more secure than a secure password and third party auth?

thisonehasalittlehat - 16 May 2022 09:32:41 (#11 of 44)

Passwords are not intrinsically insecure. However people are intrinsically bad at using passwords securely.

Agaliarept - 16 May 2022 09:44:44 (#12 of 44)

The only problem I have with using my face or thumb as a password is when there is a password and I've been opening my bank app for 5 years with my face then suddenly I'm in a situation where I need to enter the password manually and I can't remember it.

If the password becomes face or thumb only then you won't be able to log in on a device that doesn't have this tech surely?

tasselhoff - 16 May 2022 09:47:00 (#13 of 44)

#10 Yes, if using a FIDO device.

FredDee - 17 May 2022 15:38:03 (#14 of 44)

if it involves compulsory ownership of a smartphone then fuck it in a real sense.

Antimatter - 17 May 2022 15:46:46 (#15 of 44)

I agree with FredDee. Also, my friend K, who was used to unlocking her smartphone with her thumbprint, ran into problems when she burned her thumb on the stove. Obviously she had also forgotten her password. It took quite a bit of sorting out.

Lento_ - 17 May 2022 16:12:05 (#16 of 44)

I worry that I'll completely forget my banking password by the next time I need to actually use it, because of how often I just use fingerprint authentication for it.

Lento_ - 17 May 2022 16:14:52 (#17 of 44)

Oddly, at work we're being prepared for some new two-stage login process that's password-plus and includes some chuffing 'apse' on one's phone.



This is how logging in works for several things in my job, including for logging in to my work laptop itself. I'll enter my username and password, and then get a notification pop up on my phone. If I click yes on that, it lets me through.

On the one hand, I don't like having work related things on my personal phone. On the other hand, it's fairly non-obtrusive, and easy to use so not a big problem.

The biggest flaw in it all is that if my phone breaks then I'll have trouble logging in to anything until I can get hold of IT support.

helbel - 17 May 2022 17:00:44 (#18 of 44)

I take the view that if work want me to use authentication they provide the means for me to do so. So I have a work phone. TBF my work do offer a hard token for any refuseniks.

lammaMia - 17 May 2022 17:19:54 (#19 of 44)

Most devices can register multiple FPs so even if you lose a hand and have your memory wiped, you can still survive.

lammaMia - 17 May 2022 17:26:51 (#20 of 44)

In the 90s, I had to carry a device that gave a long digit sequence upon a button press which had to be entered in addition to the password to gain access to certain machines, and that sequence only worked for 60 seconds.

Now we have easier two way authentication and much easier automated password resets in addition to the convenience of FPs. Isn't tech at least sometimes great?
