Android Receives FIDO2 Certification to Usher in a World Without Passwords

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
19,819
The FIDO Alliance has announced that compatible devices running Android 7.0+ are now FIDO2 certified. FIDO2 certification allows these devices to have simpler, stronger authentication capabilities as users can utilize the device's built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols. Web and app developers can enable support for FIDO with a simple API call. Web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge already support the standard, while Apple Safari has preview support. FIDO2 is comprised of the World Wide Web Consortium's (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. "Collectively, these standards enable users to more easily and securely login to online services with FIDO2-compliant devices such as fingerprint readers, cameras and/or FIDO security keys."

"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks. Today's announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users," said Christiaan Brand, Product Manager, Google.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.

A balancing act isn't it?

Be more secure against hackers and risk the government forcing you to unlock your phone, or protect yourself against the government by sticking with passwords and get raped by hackers ........ I suppose you have to put your fears aside and do an honest risk profile.

Where do you stand the most to lose? (don't answer this, it's your business not mine :ROFLMAO:)

Paladin21

Gawd
Joined
Jun 22, 2004
Messages
529
As long as this doesn't force either face or finger unlocking, because I will never enable either of those functions due to both security risks and their lack of legal protections when compared to passwords.

I will have to read more about the FIDO security keys and how that authentication process works / is secured.
It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.

Not me, see I can't have my phone with me where I work. Other people have the same problem, so while the world wants to run headlong towards using a phone as two-factor auth, it's actually impractical for many people. Besides, it's not really two-factor auth anyway.

But don't tell anyone, they'll take offense.
 

Paladin21

Gawd
Joined
Jun 22, 2004
Messages
529
I certainly wasn't trying to imply that the other methods of implementing this should go away, just that it's convenient for me personally to have this as an option. Also, I'm curious about your statement that this wouldn't constitute 2FA. What are you basing that on?
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
I certainly wasn't trying to imply that the other methods of implementing this should go away, just that it's convenient for me personally to have this as an option. Also, I'm curious about your statement that this wouldn't constitute 2FA. What are you basing that on?
It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

I'll shorten this to Know, Have, and Are. The first factor commonly still in use is "know", or your password. They are using your phone to send you a code and calling this "have" but it is technically just something you "know", again. Neither is it something you "are".

By relying on two forms of the same thing, you leave yourself open to the fact that what you know could still be compromised in the same manner, ie..... if your phone is no longer secure, then attackers could gain access to both the password and the code even if you did just get that SMS message. They just have to be quicker than you are to put it into use and they are in. What's more, they can use it against you as well. I'm your bank, please log in and we'll send you a code ... to our fake site.

Something you have is supposed to be along the lines of a Smart Card Certificate token. You put it into a reader and the reader pulls the token and this is the second form which is not just another version of something you "know".

Is it better than just a password? Yes it is. And does it work well for many people? Yes, it's still better than just a password even given its limitations. But it is not truly two-factor authentication.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
It's for 2-Factor Authentication, so there will still be a password or some other authentication mechanism. I currently have a Yubikey and one of Google's Titan keys, they're both fine. I'd still rather use my phone for a second unlock with the same tokenized protections (ie, not SMS) just because I always have it on me.
According to the article, this has nothing to do with 2FA.....:
"This gives users the ability to leverage their device’s built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites"


It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

I'll shorten this to Know, Have, and Are. The first factor commonly still in use is "know", or your password. They are using your phone to send you a code and calling this "have" but it is technically just something you "know", again. Neither is it something you "are".

By relying on two forms of the same thing, you leave yourself open to the fact that what you know could still be compromised in the same manner, ie..... if your phone is no longer secure, then attackers could gain access to both the password and the code even if you did just get that SMS message. They just have to be quicker than you are to put it into use and they are in. What's more, they can use it against you as well. I'm your bank, please log in and we'll send you a code ... to our fake site.

Something you have is supposed to be along the lines of a Smart Card Certificate token. You put it into a reader and the reader pulls the token and this is the second form which is not just another version of something you "know".

Is it better than just a password? Yes it is. And does it work well for many people? Yes, it's still better than just a password even given its limitations. But it is not truly two-factor authentication.

Why is 2fa being brought up? The article has no references to 2fa, and explicitly states this is to give passwordless access to sites, not an extra factor of authentication.
 

Guarana [BAWLS]

[H]ard|Gawd
Joined
Oct 3, 2001
Messages
1,796
Not me, see I can't have my phone with me where I work. Other people have the same problem, so while the world wants to run headlong towards using a phone as two-factor auth, it's actually impractical for many people. Besides, it's not really two-factor auth anyway.

But don't tell anyone, they'll take offense.
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication
I'm guessing he means SMS is not really 2FA since it is not secure at all, and has a BIG vulnerability that was all over the tech blogs recently.

Google auth using RFC 6238 TOTP is true 2FA, and similar to what those Yubi keys do.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
Why is 2fa being brought up? The article has no references to 2fa, and explicitly states this is to give passwordless access to sites, not an extra factor of authentication.
2FA is being brought up because someone brought it up. Paladin21 said that FIDO was being used as part of a 2FA security scheme, and remarked about how he preferred using his phone to some other methods. I simply commented that the practice of sending auth codes via SMS wasn't truly 2FA.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
how is a phone authenticator not really 2FA?

Edit: Meaning Google Authenticator or similar app, NOT text authentication
Never used Google Authenticator or a similar app. Perhaps I made an uninformed assumption that he was talking about SMS text authentication codes.

I'll have to look into Google Authenticator to see what it's doing.
 

Darth Ender

Limp Gawd
Joined
Oct 11, 2018
Messages
501
Something you have + something you are + something you know.

That's generally accepted as the best means to authenticate. Picking any less than 3 of those 3 options opens you up unnecessarily to someone who isn't you gaining access.

That means any marketing spiel professing to do away with the password is weak security.
 

Galvin

2[H]4U
Joined
Jan 22, 2002
Messages
2,695
Problem with face and fingerprints. You can't change them like a password. Fingerprint probably more secure since they can't just take a picture of you and use it
 

Paladin21

Gawd
Joined
Jun 22, 2004
Messages
529
I brought up 2FA because the certification was for FIDO(2). Current keys that support this are all for 2FA systems. While the article mentions passwordless transactions, the immediate effect is that you don't need a Yubikey or whatever device you are currently using, you could use biometrics off your phone sensors. I also specifically mentioned that this is not SMS, and as far as I can tell from the puff piece requires a biometric input of some type. I don't believe that you could even get certified if they were just sending you a code or having you type in a PIN, FIDO requires tokenized access.
 

1_rick

Gawd
Joined
Feb 7, 2017
Messages
852
Problem with face and fingerprints. You can't change them like a password. Fingerprint probably more secure since they can't just take a picture of you and use it
I'll use my fingerprint or iris when I can get it changed after a security breach, and not before.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
I brought up 2FA because the certification was for FIDO(2). Current keys that support this are all for 2FA systems. While the article mentions passwordless transactions, the immediate effect is that you don't need a Yubikey or whatever device you are currently using, you could use biometrics off your phone sensors. I also specifically mentioned that this is not SMS, and as far as I can tell from the puff piece requires a biometric input of some type. I don't believe that you could even get certified if they were just sending you a code or having you type in a PIN, FIDO requires tokenized access.
It's using your finger/face to unlock the token on your device with some kind of anti-phishing protection. There is nothing about 2FA in the article in regards to FIDO2.

Never used Google Authenticator or a similar app. Perhaps I made an uninformed assumption that he was talking about SMS text authentication codes.

I'll have to look into Google Authenticator to see what it's doing.
It's using RFC 6238 TOTP, which is true 2fa. That's my preferred method for second factor auth.

I dislike hardware devices as they tend to drift and eventually need to be resync'd. Your phone should keep its time close enough to the server (assuming it's using time-sync), so it should never drift out of range.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
Problem with face and fingerprints. You can't change them like a password. Fingerprint probably more secure since they can't just take a picture of you and use it

Soldiers used to bring me their biometrics systems for updates and before I did the updates, I'd make sure that they didn't have "enrollment" data that had not processed and submitted to the database servers. Part of that process was checking each "new enrollment" to see if the person already existed in the database. It was common for new enrollments to give false matches on fingerprints alone, especially if not all of the fingerprints were captured. So in short, prints are OK for being something different, but they sure aren't the best. An iris is generally far superior to prints, but the software behind it all has to be good.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
It's using your finger/face to unlock the token on your device with some kind of anti-phishing protection. There is nothing about 2FA in the article in regards to FIDO2.



It's using RFC 6238 TOTP, which is true 2fa. That's my preferred method for second factor auth.

I dislike hardware devices as they tend to drift and eventually need to be resync'd. Your phone should keep its time close enough to the server (assuming it's using time-sync), so it should never drift out of range.

Just spent like 30 minutes hashing this out with the guys here at work. I must relent on this. I can't stand on the idea that if you have to type in the code, that it must be something you know. It can be, but it doesn't have to be.

So as sometimes happens, I must admit when I'm wrong and on this one, I mostly am.
 

Zarathustra[H]

Official Forum Curmudgeon
Joined
Oct 29, 2000
Messages
29,485
I'm open to crypto authentication. I've used it on a couple of cases with my SSH servers, but most of the time I just keep passwords.

If I am going to use it I'll need it to be completely transparent, and for it to give me the means to set things up manually, and not rely on any kind of cloud storage.

I don't trust black boxes, and I don't trust anything that stores data on someone else's server.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
I don't trust black boxes, and I don't trust anything that stores data on someone else's server.

This x100000000000000..... After working in IT/security, you realize how little most companies spend time/money on it, until they are breached. Every day it's a new article about a misconfigured S3 bucket, or some kind of data dump of plain text passwords, etc. I trust myself, and if that fails then I know exactly who to blame.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
This x100000000000000..... After working in IT/security, you realize how little most companies spend time/money on it, until they are breached. Every day it's a new article about a misconfigured S3 bucket, or some kind of data dump of plain text passwords, etc. I trust myself, and if that fails then I know exactly who to blame.

No company like AWS wants to tell companies that along with saving all that money on IT overhead, they need to budget for some IA guys in order to make sure that they aren't going to get fucked in the process.

It just doesn't sell quite the same :sneaky:
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
No company like AWS wants to tell companies that along with saving all that money on IT overhead, they need to budget for some IA guys in order to make sure that they aren't going to get fucked in the process.

It just doesn't sell quite the same :sneaky:
Because of the 'cloud' buzzword that management throws around like that will solve all their problems. Funny thing is, running infrastructure in the cloud is ridiculously expensive, and still takes someone skilled to be able to set it up properly/securely. That's what I do at work. Create templates to deploy complex aws/azure infrastructure for multiple different applications. There's a reason devops is one of the higher paid tech jobs. I have to wear a LOT of hats and understand system administration, network administration, security etc. Not enough companies understand that need, and end up getting fucked like you said.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,595
Because of the 'cloud' buzzword that management throws around like that will solve all their problems. Funny thing is, running infrastructure in the cloud is ridiculously expensive, and still takes someone skilled to be able to set it up properly/securely. That's what I do at work. Create templates to deploy complex aws/azure infrastructure for multiple different applications. There's a reason devops is one of the higher paid tech jobs. I have to wear a LOT of hats and understand system administration, network administration, security etc. Not enough companies understand that need, and end up getting fucked like you said.
Our boss who has every cert there is and no experience in the data center is pushing us toward HCI as hard as he can ........ boy is he going to fuck up.

I'm in a race, I want to collect all the retirement savings as I can before the government here can come up with the money to buy into his foolhardy machinations.

The customer doesn't need that shit, he just wants to sell them on it for his resume.