If you think about it, the core problem can be described as "authentication of the biological being with an electronic system".
When passwords are used, the authentication interface is a keyboard and you don't have any actual guarantee that the person typing the password is the person they claim to be. Passwords can be extracted in so many ways because they depend on easily transferable knowledge.
Moving the authentication interface to device2device is actually much better: you no longer assume that the easily transferable knowledge was not transferred. Instead, you assume that the biological being is capable of keeping track of the authentication device, and people are naturally good at it.
You can increase the number of authentication channels to tighten it up a bit, and you can restrict the authentication of the biological being with the device (FaceID) which will then be used for authentication with remote systems, but at the core I think it feels right to assume device (phone, key, etc.) means the person.
It's also quite a human thing to do. At home, we share not only the Netflix password but one of the credit cards. For practical reasons, one credit card stays with the spare keys, and when there's something to buy for the house anyone can grab that card and use it. We trust each other that the card will be used properly; everyone knows the PIN code, but that's rarely needed since contactless payment is the norm anyway. It's much more natural than keeping track of the expenses and then paying each other the outstanding amounts. However, it's probably illegal, and if the bank finds out about it, they will cancel the card.
IMHO, IT systems desperately need to approach human behaviour by working in ways analogous to the real world. Since I'm involved with IT systems I don't struggle most of the time, but people who are not that tech savvy are having a hard time figuring out daily stuff like what the iPhone's password is for, what the iCloud password is for, what the Gmail password is for, why they need to enter a code in WhatsApp, etc.
Actually, I think I struggle too - I never came to understand Mastodon. I'm probably defenceless against phishing attacks on Mastodon; I will type whatever the screen tells me to type.
> IMHO, IT systems desperately need to approach human behaviour by working in ways analogous to the real world. Since I'm involved with IT systems I don't struggle most of the time, but people who are not that tech savvy are having a hard time figuring out daily stuff
I'm pretty much the website key master for everyone in my family. Since nobody else is "in computers" they really don't have a clue about what things need passwords and why. They would NEVER voluntarily complicate their lives with 2FA or even with a password manager. If it wasn't for me, they'd just use "hunter2" and share it across every single device and service they use. If I told them they couldn't just type in their Netflix password when Gmail was asking for a password, they would just look at me exasperated, like I was making their lives difficult.
The security community really needs to get a grip and start designing systems that are compatible with the extremely low-tech-interest population if we even have a hope of securing systems. If I knew what the solution was I'd be rich.
> The security community really needs to get a grip and start designing systems that are compatible with the extremely low-tech-interest population if we even have a hope of securing systems. If I knew what the solution was I'd be rich.
Most of that population seems to do fine managing house keys, car keys, locker keys, etc.
You sure about that? I inherited what feels like 1,000 keys when my in-laws passed away. Who the hell knows what any of them are for, and they sure as hell didn't.
I can't imagine that anything less than subdermal implants will be reliable, for some people.
If the implant fails, you can just go back to the government office / mega corp, show your DNA, and get a new one.
On further reflection, person a) has an evil twin who steals their identity, and person b) doesn't trust the government / mega corp. Back to the drawing board.
Because they don’t really have any other choice. You get a key with the lock. Even if they all happen to be the same blank, it’s substantial work and expense to get them all keyed alike for most people.
Maybe that’s our solution right there—when you register for a service instead of relying on users to select a secure, unique password we should generate a “correct horse battery staple” and only support rerolls, not setting arbitrary passwords. Guaranteed some minimum level of safety and complexity and no reuse.
> Because they don’t really have any other choice. You get a key with the lock. Even if they all happen to be the same blank, it’s substantial work and expense to get them all keyed alike for most people.
You have lots of other choices. You could use combination locks, time locks, biometric security measures, paired keys, etc. The simple key-based lock seems to be particularly simple and accessible to consumers.
...and there are, and they're remarkably similar to what you do with Yubikeys: you have extra keys, and when you lose one, you use the other to get in, and then you invalidate the old keys (although in the physical world, this means getting a new lock and a new set of keys, instead of just getting one new key and removing the lost key as a valid key).
True, but online accounts are usually in the dozens for most people, so that's definitely more of a burden. Also, it's a mental load, while physical keys carry the "password" physically.
Is that true though? AFAIK they sell CC info for pennies.
The good thing about the physical device is that you can easily tell if it's stolen.
For passwords, there are numerous services that keep track of the leaks and even Apple has incorporated that into their password manager but it all depends on mass leaks to work.
> it's probably illegal and if the bank finds out about it, they will cancel the card.
In the US, anyway, this isn't illegal unless you have to sign something and sign someone else's name. So just sign your own (nobody actually checks signatures).
It might be against the CC issuer's terms of service, of course, but that's a whole lot different from being illegal.
IIRC if you give someone your card you're authorizing them to charge the credit account. The bank is totally fine with this as long as you pay the statement.
All of the following are routine. We will name our example person "Bob".
1. Bob owns an important item. He believes that he knows where it is. He is wrong.
2. Bob owns an important item. He is well aware that he has no idea where it is.
3. Bob owns an important item. He knows where it is. He is right about where it is. Unbeknownst to Bob, other people frequently borrow or otherwise meddle with his item.
4. Bob has taken his important item with him, for security. Unbeknownst to Bob, it fell out of his pocket an hour ago.
5. Bob used to own an important item. When he cleaned his house, he confused it with a different, unimportant item, and he threw it away.