Thoughts on WebAuthn?

edited June 2022 in General

Recently “big tech” (I hate the term, but its use is sometimes justified) has been making a push towards replacing passwords with WebAuthn, a password less authentication technology.

For those unfamiliar, your phone or laptop asks you for your system password or biometrics to verify that you want to sign up or log in to a website, and then shares a site-specific private key to that website for authentication.

While improving the end user's security is a noble goal, I can't help but feel that this is another move by big tech to consolidate its power:

  • Since it's locked to your on-device credentials, good luck when you want to switch platforms. Or when you realize that you have to buy that iPhone to go along with your Mac (or a Chromebook to go along with your Android) so that it can sync the site-specific keypairs across devices.

  • You're completely fucked if your devices get stolen. You can't even use borrow your friend's or neighbours phone to complete some essential tasks.

  • Websites can ask for "attestation", or a verification of the kind of device you're using. Great way to increase user tracking, while at the same time preventing Linux/*BSD (or any other niche OS) users' from logging onto any website asking for said attestation, such as a bank.

  • Netflix and co are rubbing their hands with glee now that you can't share passwords any more.

  • I found this really insightful comment on HN, and I'll quote it verbatim:

Once practically everyone has accepted and adopted this system, governments (having already banned E2EE messaging apps by this point) will complain that Big Tech are allowing cyber-terrorists to maintain anonymous identities online and not doing enough to protect the children.

The offices of Apple, Google, and Microsoft would then receive calls from the national tax/anti-trust authorities saying the government was thinking of launching an audit/investigation into those companies and wouldn't it be a shame if something happened to their profit margin that year.

Within a few months we'd see these companies all "voluntarily" release software updates which add a "Citizen ID" field to every FIDO interaction, with those IDs being issued by a government API and verified using a bank card and facial recognition.

What do you think about it?

Comments

  • Isn't using a password manager with finger print login and autofill and generate huge random passwords for each new registration basically the same thing?

  • bikegremlinbikegremlin ModeratorOGContent Writer

    My workaround for the device lost/damaged/stolen is using Authy.

    WebAuth used as an additional security layer along with a strong password is safer than only using a strong password.
    But I doubt that WebAuth by itself is much more secure than just using strong passwords.

    In theory.

    In practice:

    • Most users use the likes of admin123, which is IMO the main reason for the widespread introduction of WebAuth (and companies' insisting on it for some services).
    • Using 2FA is more complicated than using only one method.
    • Using either a strong password, or WebAuth is reasonably secure - but see the first point.
    • Hence, it makes sense for the companies to opt for only one authentication method, that is less prone to user stupidity related problems, yet still secure enough - and very simple to use.

    The privacy-related problems mentioned in the OP are only an additional bonus as far as corporations and governments are concerned.

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @vovler said:
    Isn't using a password manager with finger print login and autofill and generate huge random passwords for each new registration basically the same thing?

    It is. Sadly, webauthn is being pushed with really shaky justifications about how passwords can be stolen from servers and how passwords can be phished. If everything is already in a password manager, you aren't really thinking about passwords.

    This is where I think the GDPR's data breach notification is a good measure; so well, if you couldn't be bothered to read about password hashing and you end up leaking data, you pay up for it.

    @bikegremlin said: But I doubt that WebAuth by itself is much more secure than just using strong passwords.

    Using public key cryptography is undeniably secure though, as there is no shared secret for the user to give up. When you log in to a website, it gives you a random number which you encrypt using your private key and send it back to the server. Next, the server uses your public key to decrypt your message, which it compares to the number that it sent out to you. If both of those match, then you're good to go.

    BTW, this is also how SSH keys work, sans the centralization and dependence on Big Tech.

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited June 2022

    @stevewatson301 said:

    @vovler said:

    This is where I think the GDPR's data breach notification is a good measure; so well, if you couldn't be bothered to read about password hashing and you end up leaking data, you pay up for it.

    @bikegremlin said: But I doubt that WebAuth by itself is much more secure than just using strong passwords.

    Using public key cryptography is undeniably secure though, as there is no shared secret for the user to give up. When you log in to a website, it gives you a random number which you encrypt using your private key and send it back to the server. Next, the server uses your public key to decrypt your message, which it compares to the number that it sent out to you. If both of those match, then you're good to go.

    BTW, this is also how SSH keys work, sans the centralization and dependence on Big Tech.

    How does this differ from (properly implemented) passwords?

    Sure - there's only a 30 to 60-second window for decrypting the WebAuth code, but that's a 4 to 8 digit code, compared to a password that can (and should?) be 30+ characters long.

    Am I missing something?

    Don't even get me started on GDPR... :)

    EDIT:
    I'd also add that security is only as good as its weakest link.

    That's why I wrote how it makes sense to use WebAuth - for an average idiot Jane/Joe.

    However, if we're talking about security concerned/educated folks, relying too much on those portable pocket surveillance devices isn't the best thing in terms of security, IMO.

    And I don't mean the tin-foil hat reasoning (that, after Snowden's testimony, can no longer be considered to be tin-foil hat by the way). I mean the more common scenarios: stuff getting stolen, social engineering etc.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin you’re thinking about one time passwords/verification codes sent via email or SMS. This is something different, where the browser manages keys for you to log into each website and because of how asymmetric crypto works, you don’t need to have a shared secret like a password — making it virtually “unphishable”.

    Also I was the guy who posted a big ass rant about GDPR on OGF, just that I think the data breach reporting requirements are reasonable (it’s just that the rest of the law is quite, well, you know what’s wrong with it).

    Thanked by (1)bikegremlin
  • If X is faster, comfortable and simpler than Y - people will use it. Always correct logic.

  • Well I can see the general idea behind this, but as you suggest it's yet another example of the trade-off between freedom and security, a debate that goes way beyond web technology.

    WebAuthn hardens the traditional concept of 2FA, something you know (password) and something physical you have (phone?), and yes maybe forces it on the end user. Using TOTP apps on a phone kind of fudges that concept and becomes more like 2 things you know if your TOTP app or secrets (or backups thereof) become compromised.

    It forces the 'something physical you have', as the interaction with the hardware device, such as the TPM chip in a Windows 11 PC (remember that requirement?), cannot be replicated or replayed. It can even be used for passwordless logins where the hardware device is the sole authenticator to the service, remembering you also have to authenticate locally with the device itself using a fingerprint or PIN.

    TOTP or password managers are unlikely to catch on voluntarily with non technical users, who will just use plain passwords until forced into 2FA, and simply registering their device seems a relatively pain free way for them.

    • Since it's locked to your on-device credentials, good luck when you want to switch platforms.

    • You're completely fucked if your devices get stolen.

    I can't see any service, that relies on customers, not having the ability to change devices relatively easily, the obvious fallback is to register more than one hardware device, e.g. phone and laptop, but there will surely be many who only have say a phone, and those break or get stolen far too regularly.

    Myself, I use WebAuthn (YubiKey) when available, as it's way quicker than TOTP codes and clearly more secure, but keep TOTP secrets offline as a fallback. However I agree with the potential bigbrother-ish aspects of it, if it were to become the ONLY authentication method permitted.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    @stevewatson301 said:
    @bikegremlin you’re thinking about one time passwords/verification codes sent via email or SMS. This is something different, where the browser manages keys for you to log into each website and because of how asymmetric crypto works, you don’t need to have a shared secret like a password — making it virtually “unphishable”.

    We're talking about Google authenticator and/or Authy and the likes (so not SMS or email)?

    Regarding the passwords, if implemented properly, they too work using asymmetric encryption - only (salted) password hash should be stored.

    Also I was the guy who posted a big ass rant about GDPR on OGF, just that I think the data breach reporting requirements are reasonable (it’s just that the rest of the law is quite, well, you know what’s wrong with it).

    Yup, I know. :)
    And I agree.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said: We're talking about Google authenticator and/or Authy and the likes (so not SMS or email)?

    No, those are TOTP. This is different.

    Thanked by (1)bikegremlin
  • @bikegremlin said: Regarding the passwords, if implemented properly, they too work using asymmetric encryption - only (salted) password hash should be stored.

    Password hashing isn't encryption. Password hashing is a one way process that only makes it possible to verify whether the user provided password equals the hashed one on the server, whereas encryption is supposed to make the original data recoverable by the use of keys.

    In general, it's a bad idea to "encrypt" your passwords. You'd also need to decrypt them to verify, and that means whoever has access to the application -- a SRE doing maintenance or a hacker who infiltrated the server -- would just have everyone's passwords.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    @stevewatson301 said:

    @bikegremlin said: Regarding the passwords, if implemented properly, they too work using asymmetric encryption - only (salted) password hash should be stored.

    Password hashing isn't encryption. Password hashing is a one way process that only makes it possible to verify whether the user provided password equals the hashed one on the server, whereas encryption is supposed to make the original data recoverable by the use of keys.

    In general, it's a bad idea to "encrypt" your passwords. You'd also need to decrypt them to verify, and that means whoever has access to the application -- a SRE doing maintenance or a hacker who infiltrated the server -- would just have everyone's passwords.

    Not necesserily, as far as I know.

    Hash is a one-way process (asymmetric). You shouldn't be able to determine the password from the given hash.

    You needn't decrypt them on the server, there's nothing to decrypt. During log-in, the entered password is hashed and if the hash value matches the stored hash for that user, then it's either a matched password, or a very very very very (un)fortunate set of circumstances. :)

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said: one-way process (asymmetric)

    These are two separate concepts though. "Asymmetric" is used to refer to public-private key based encryption, whereas "one way" is used to refer to refer to the property of functions (such as hash functions) where it's easy to go from the input to the output but not the other way round.

    All this talk is making me revisit my math classes, we'd say that the hash function is not "invertible" and it is not trivial to find the "preimage" given the "image" :smile:

    Thanked by (2)bikegremlin Unixfy
  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited June 2022

    @stevewatson301 said:

    @bikegremlin said: one-way process (asymmetric)

    These are two separate concepts though. "Asymmetric" is used to refer to public-private key based encryption, whereas "one way" is used to refer to refer to the property of functions (such as hash functions) where it's easy to go from the input to the output but not the other way round.

    All this talk is making me revisit my math classes, we'd say that the hash function is not "invertible" and it is not trivial to find the "preimage" given the "image" :smile:

    English isn't my native.
    "Not reversible" is what I mean - if that's the right way to put it.
    My long-winded drivel on the hash function. :)

    Thanked by (1)pikachu

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @stevewatson301 said:
    Recently “big tech” (I hate the term, but its use is sometimes justified) has been making a push towards replacing passwords with WebAuthn, a password less authentication technology.

    For those unfamiliar, your phone or laptop asks you for your system password or biometrics to verify that you want to sign up or log in to a website, and then shares a site-specific private key to that website for authentication.

    While improving the end user's security is a noble goal, I can't help but feel that this is another move by big tech to consolidate its power:

    • Since it's locked to your on-device credentials, good luck when you want to switch platforms. Or when you realize that you have to buy that iPhone to go along with your Mac (or a Chromebook to go along with your Android) so that it can sync the site-specific keypairs across devices.

    • You're completely fucked if your devices get stolen. You can't even use borrow your friend's or neighbours phone to complete some essential tasks.

    • Websites can ask for "attestation", or a verification of the kind of device you're using. Great way to increase user tracking, while at the same time preventing Linux/*BSD (or any other niche OS) users' from logging onto any website asking for said attestation, such as a bank.

    • Netflix and co are rubbing their hands with glee now that you can't share passwords any more.

    • I found this really insightful comment on HN, and I'll quote it verbatim:

    Once practically everyone has accepted and adopted this system, governments (having already banned E2EE messaging apps by this point) will complain that Big Tech are allowing cyber-terrorists to maintain anonymous identities online and not doing enough to protect the children.

    The offices of Apple, Google, and Microsoft would then receive calls from the national tax/anti-trust authorities saying the government was thinking of launching an audit/investigation into those companies and wouldn't it be a shame if something happened to their profit margin that year.

    Within a few months we'd see these companies all "voluntarily" release software updates which add a "Citizen ID" field to every FIDO interaction, with those IDs being issued by a government API and verified using a bank card and facial recognition.

    What do you think about it?

    Netflix won't do shit, they still allow sharing with members of your household

  • havochavoc OGContent Writer

    @stevewatson301 said:

    You're completely fucked if your devices get stolen.

    There was a post on hn the other day about this.

    Basically guy's house burned down and basically just ran for their lives. yubikeys, passports etc all extra crispy

    Locked out of everything

  • yokowasisyokowasis Services Provider

    @stevewatson301 said:
    In general, it's a bad idea to "encrypt" your passwords. You'd also need to decrypt them to verify,

    Why in the world would you want to decrypt a user password just to verify whether a password is correct.

    You don't need to decrypt a user password, like at all. There is no reason to.

  • skorupionskorupion Services Provider

    the biggest minus with this is that you are fucked without a smartphone, and if you loose your phone number you are double fucked

    Crunchbits Technical Support, Technical Writer, and Sales
    Contact me at: +1 (347) 518-1661 or [email protected]

Sign In or Register to comment.