    How Apple, Google, and Microsoft will kill passwords and phishing in 1 stroke / ArsTechnica · Friday, 6 May - 18:33 · 1 minute

For more than a decade, we’ve been promised that a world without passwords is just around the corner, and yet year after year, this security Nirvana proves out of reach. Now, for the first time, a workable form of passwordless authentication is about to become available to the masses in the form of a standard adopted by Apple, Google, and Microsoft that allows for cross-platform and cross-service passkeys.

Password-killing schemes pushed in the past suffered from a host of problems. A key shortcoming was the lack of a viable recovery mechanism when someone lost control of phone numbers or physical tokens and phones tied to an account. Another limitation was that most solutions ultimately failed to be, in fact, truly passwordless. Instead, they gave users options to log in with a face scan or fingerprint, but these systems ultimately fell back on a password, and that meant that phishing, password reuse, and forgotten passcodes—all the reasons we hated passwords to begin with—didn’t go away.

A new approach

What’s different this time is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for everyday end users to use, and it's less costly for big services like Github and Facebook to roll out. It has also been painstakingly devised and peer-reviewed by experts in authentication and security.


    Microsoft, Apple, Google, and hundreds of tech companies accelerate push to eliminate passwords, supporting standards developed by the FIDO Alliance and the W3C

    Danie van der Merwe · / gadgeteerza-tech-blog · Thursday, 5 May - 20:14 · 1 minute

Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single-sign capabilities for sites other than their own. So if you want a change away from passwords, without their support, it drags out for years, never reaching any tipping point to be effective. Note though that what is being adopted are open alliance standards, and not proprietary to Google, Apple, or Microsoft.

We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We're going to also have to finalise, or have options between, biometrics vs device-specific. Many don't want biometrics (or their hash) saved, not because it's invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as a YubiKey, fob, phone, etc. can easily be lost or left at home, and you lose access.

But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.


#technology #security #passwords #authentication

    A big bet to kill the password for good / ArsTechnica · Sunday, 20 March - 10:37

After years of tantalizing hints that a passwordless future is just around the corner, you're probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle.

On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. FIDO's members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems—Google, Microsoft, and Apple.

    New Yubico security keys let you use fingerprints instead of passwords / ArsTechnica · Tuesday, 5 October, 2021 - 14:55

Security experts have long abhorred passwords. They’re hackable, forgettable, and, sometimes, guessable (looking at you, password1). As companies like Microsoft and Google move to embrace passwordless logins, Yubico thinks it has the key to keeping things simple. The YubiKey Bio Series announced today is the company’s first hardware security key to offer fingerprint logins.

Yubico’s Bio Series introduces biometric authentication to the hardware security key maker’s lineup. The new keys support the latest FIDO2/WebAuthn and U2F open authentication standards, to which Yubico contributes.

Fit for either your USB-C (left) or USB-A (right) port. (credit: Yubico)

The keys target desktop PCs, which are typically stationary, making it easy to leave the key in a USB Type-A or USB-C port, depending on the model you pick. Each key has a built-in fingerprint reader, so you can log in with the tap of a finger instead of having to remember your password. The key could also serve as a form of two-factor authentication.


    The Postmortem Password Problem - Google, LastPass, Bitwarden, etc allow you to set Emergency Contacts

    Danie van der Merwe · / gadgeteerza-tech-blog · Wednesday, 1 September, 2021 - 19:33 · 1 minute

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

The article below is food for thought certainly, but not comprehensive at all in terms of what services offer this. Emergency contacts are trusted users you nominate, who will either gain access by default if you are not using the account for a period and fail to respond to prompts, or else they can request access. A good password manager will quickly enable the accesses they need to get to photos, documents, social media accounts, etc. It's your choice, but it's worth also considering from your family's perspective too. Or yes you could save the master password on a piece of paper in your safe (assuming your family knows what to find where - you've planned all that haven't you...).


#technology #death #passwords

    Passwords in Amazon Echo Dots live on even after you factory-reset them / ArsTechnica · Friday, 2 July, 2021 - 12:55 · 1 minute

Like most Internet-of-things devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any ... personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data.

Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND—which is short for the boolean operator "NOT AND"—stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error correcting code.

Reset but not wiped

NAND is usually organized in planes, blocks, and pages. This design allows for a limited number of erase cycles, usually in the neighborhood of between 10,000 and 100,000 times per block. To extend the life of the chip, blocks storing deleted data are often invalidated rather than wiped. True deletions usually happen only when most of the pages in a block are invalidated. This process is known as wear-leveling.
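The block/page behaviour described above is easier to see in a small model than in prose. The following is an added, constructed simulation (not code from the article, from Amazon, or from any real flash controller): pages are the unit of write, blocks the unit of erase, a "delete" only invalidates a page, and a block is erased only once most of its pages are stale. The `residual()` function shows what bytes would still be readable after a logical reset, and `full_erase()` shows what a reset that actually sanitizes storage has to do. The threshold, block and page counts, and the sample secrets are all assumptions chosen for illustration.

```python
"""Toy NAND model: logical deletes invalidate pages without erasing them.
Constructed example; block/page sizes and threshold are illustrative only."""

from dataclasses import dataclass, field

PAGES_PER_BLOCK = 4  # assumed; real chips have hundreds of pages per block


@dataclass
class Page:
    data: bytes = b""      # bytes physically present in the cell
    valid: bool = False    # True while the page holds live data


@dataclass
class Block:
    pages: list = field(default_factory=lambda: [Page() for _ in range(PAGES_PER_BLOCK)])
    erase_count: int = 0   # each erase consumes part of the block's lifetime


class ToyNand:
    def __init__(self, blocks: int = 2):
        self.blocks = [Block() for _ in range(blocks)]
        self.mapping = {}  # logical key -> (block index, page index)

    def write(self, key: str, data: bytes) -> None:
        # NAND cannot overwrite a page in place: retire the old copy, then
        # take the next free (never-written or erased) page.
        self.delete(key)
        for b, block in enumerate(self.blocks):
            for p, page in enumerate(block.pages):
                if not page.valid and page.data == b"":
                    page.data, page.valid = data, True
                    self.mapping[key] = (b, p)
                    return
        raise RuntimeError("no free page; garbage-collect first")

    def delete(self, key: str) -> None:
        # Logical delete: the page is marked invalid, but its bytes stay put.
        if key in self.mapping:
            b, p = self.mapping.pop(key)
            self.blocks[b].pages[p].valid = False

    def garbage_collect(self, threshold: float = 0.75) -> None:
        # Erase a block only when most of its pages are stale, to conserve
        # the block's limited erase budget.
        for block in self.blocks:
            stale = sum(1 for pg in block.pages if not pg.valid and pg.data != b"")
            if stale / PAGES_PER_BLOCK >= threshold:
                self._erase(block)

    def _erase(self, block: Block) -> None:
        for pg in block.pages:
            pg.data, pg.valid = b"", False
        block.erase_count += 1

    def residual(self) -> list:
        # Bytes sitting in invalidated pages: gone from the logical view,
        # still physically present until the block is erased.
        return [pg.data for block in self.blocks for pg in block.pages
                if not pg.valid and pg.data != b""]

    def full_erase(self) -> None:
        # A sanitizing reset must erase every block, not just unmap keys.
        for block in self.blocks:
            self._erase(block)
        self.mapping.clear()


def demo():
    """Returns (residual bytes after a logical reset, residual after a full erase)."""
    nand = ToyNand()
    nand.write("wifi_psk", b"hunter2")   # constructed sample secret
    nand.write("token", b"tok-abc")      # constructed sample token
    nand.delete("wifi_psk")
    nand.delete("token")
    nand.garbage_collect()               # 2 of 4 pages stale: block survives
    after_logical_reset = list(nand.residual())
    nand.full_erase()
    after_full_erase = list(nand.residual())
    return after_logical_reset, after_full_erase


if __name__ == "__main__":
    print(demo())
```

The point for defenders is the gap between the two lists returned by `demo()`: unmapping secrets leaves them readable to anyone who can image the chip, and only an explicit erase of every block (or encrypting the storage and destroying the key) closes that gap.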

    These are the Best Free Password Managers: Bitwarden, KeePass, and more!

    Danie van der Merwe · / gadgeteerza-tech-blog · Tuesday, 27 April, 2021 - 11:24

Having a password manager is one of the best courses of action if you want to keep your online presence secure, and it’s one of the very first recommended apps we should be installing on our phones. It has been known for a long time that keeping the same password (or just slight variations of the same password) across several websites is insecure, as once someone manages to get their hands on your password, they can have easy access to all of your other accounts.

But some things you need to consider are:

  • 2FA for app - very necessary now to prevent someone taking control of your password manager itself

  • Sync across devices - not only for convenience but also as backup if primary device gets lost

  • Automated backups - certainly needed if not syncing across devices

  • Cross-Platform - to auto-fill on desktop browser, iOS, Android

  • Independent audits - essential to know the app has been independently tested and verified

  • 2FA Auto-Fill - nice to have for many sites that now use 2FA and where you don't want to run a separate 2FA app


#technology #security #passwords #passwordmanager

    Demand for fee to use password app LastPass sparks backlash / ArsTechnica · Monday, 8 March, 2021 - 16:04

A popular app that promised to eliminate the burden of remembering passwords has sparked a backlash by demanding, weeks after it was acquired by two private equity firms, that users pay up or face restrictions on access to their online accounts.

LastPass has encouraged millions of people to replace weak passwords on retail websites, internet banks and other online services. Instead, the software handles authentication automatically using long, complex passwords that are impossible to guess—or remember.

Two investment firms, Elliott Management and Francisco Partners, acquired the service as part of their $4.3 billion buyout of internet software group LogMeIn in September last year.
