• chevron_right

    How Apple, Google, and Microsoft will kill passwords and phishing in 1 stroke / ArsTechnica · Friday, 6 May - 18:33 · 1 minute

How Apple, Google, and Microsoft will kill passwords and phishing in 1 stroke

Enlarge (credit: Getty Images)

For more than a decade, we’ve been promised that a world without passwords is just around the corner, and yet year after year, this security Nirvana proves out of reach. Now, for the first time, a workable form of passwordless authentication is about to become available to the masses in the form of a standard adopted by Apple, Google, and Microsoft that allows for cross-platform and cross-service passkeys.

Password-killing schemes pushed in the past suffered from a host of problems. A key shortcoming was the lack of a viable recovery mechanism when someone lost control of phone numbers or physical tokens and phones tied to an account. Another limitation was that most solutions ultimately failed to be, in fact, truly passwordless. Instead, they gave users options to log in with a face scan or fingerprint, but these systems ultimately fell back on a password, and that meant that phishing, password reuse, and forgotten passcodes—all the reasons we hated passwords to begin with—didn’t go away.

A new approach

What’s different this time is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for everyday end users to use, and it's less costly for big services like Github and Facebook to roll out. It has also been painstakingly devised and peer-reviewed by experts in authentication and security.

Read 17 remaining paragraphs | Comments

  • Ga chevron_right

    Microsoft, Apple, Google, and hundreds of tech companies accelerate push to eliminate passwords, supporting standards developed by the FIDO Alliance and the W3C

    Danie van der Merwe · / gadgeteerza-tech-blog · Thursday, 5 May - 20:14 · 1 minute

Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single-sign capabilities for sites other than their own. So if you want a change away from passwords, without their support, it drags out for years, never reaching any tipping point to be effective. Note though that what is being adopted are open alliance standards, and not proprietary to Google, Apple, or Microsoft.

We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We're going to also have to finalise, or have options between biometrics vs device specific. Many don't want biometrics (or their hash) saved, not because it's invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as YubiKey, fob, phone, etc can easily be lost or left at home, and you lose access.

But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.


#technology #security #passwords #authentication

  • Sp chevron_right

    Kickbox: Can I Share My Sending Domain? / spam_resource · Monday, 20 December - 13:00

Over on the Kickbox blog , my colleague Jennifer Nespola Lantz talks about sending domains and what you need to think about if you want to share domains between multiple email provider platforms. It's a common thing, right? You are probably using more than one service provider, CRM or automation platform. You've probably also got a corporate email system in the mix. Can you send from more than one platform using the same domain? And if so, should you? What are the limitations and concerns around using the same domain to send from multiple systems? Jen walks us through it .

Značky: #authentication, #Network, #kickbox, #domains

  • Ga chevron_right

    If you’re still using texts for 2FA, it’s time to change to an app - Many banks are ditching the use of verification via texts

    Danie van der Merwe · / gadgeteerza-tech-blog · Monday, 10 May, 2021 - 17:18

Good article explaining the risks today of using texts for second-factor authentication. E-mails are no better as they can be delayed and are usually in plain text.

Note too that although there is often mention of the Google Authenticator app, you can actually use any authenticator app, even to authenticate into Google services. I prefer to use Authy as it has consistently been ahead of Google's own app, having search capability, easily replication between multiple devices (or to new devices) including my desktop.

Some password managers like LastPass, 1Password and Bitwarden have built-in support for 6-digit authentication already that not many folks are aware of.

Most popular services on the Internet today offer authenticator app support, so you want to spend a minute on each just setting it up - you won't have to thank yourself later as you're probably unlikely to have those accounts hacked in future.


#technology #security #2FA #authentication #Authy

  • Sc chevron_right

    On Risk-Based Authentication / Schneier · Monday, 5 October, 2020 - 16:47

Interesting usability study: “ More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication “:

Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably se-cure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation.Our contribution provides a first deeper understanding of the users’perception of RBA and helps to improve RBA implementations for a broader user acceptance.

Paper’s website . I’ve blogged about risk-based authentication before.

  • Wa chevron_right

    Keycloak and OpenLDAP / warlord0blog · Friday, 24 July, 2020 - 17:39 edit

After getting Keycloak up and running, it’s a breeze to connect it to LDAP and use the users from there, but there were a few things I missed about group membership and there’s a fun quirk to fix about the user name. Synchronising Users First task after creating a new realm is to go to &ellipsisRead the full post »

Značky: #Linux, #authentication, #nginx, #security, #single-sign-on, #Linux

  • Wa chevron_right

    Keycloak Container Set / warlord0blog · Wednesday, 22 July, 2020 - 19:27 edit

Single Sign On from a simple docker container set. The container might be simple but the complexities of OAuth2, SAML and identity services are far from straight forward. For some time we’ve been using applications that can provide OAuth2 services as authenticators. This needed to change as we were looking to broaden the capabilities of &ellipsisRead the full post »

Značky: #Linux, #Web, #authentication, #security, #single-sign-on, #Linux

  • Wa chevron_right

    MediaWiki and OAuth2 / warlord0blog · Tuesday, 21 July, 2020 - 16:22 edit

With a move to a more joined up authentication using Single Sign On (SSO) I deployed a Keycloak service in a docker container – that should probably form part of a later article. Keycloak provides the bridge between OAuth2/SAML and LDAP authentication. Rather than relying on the same passwords and having to type the same &ellipsisRead the full post »

Značky: #Linux, #php, #Web, #authentication, #security, #single-sign-on, #Linux