1. 20
  1. 56

    I’ve had a battery die before. I’ve had screens and other hardware bits break. Smartphones are not good as the only key. My USB FIDO2 key on the other hand has gone through the wash and the rain because it’s not meant to be smart. The article mentions FIDO but then the title seems to be worded to excite the normies and infuriate the security-minded who already knew what hardware keys are.

    1. 1

      This is valid, but if more sites support it we can use our security keys in more places! Win-win.

    2. 18

      /me looks skeptically at his flip-phone

      1. 14

        I’m very curious how these companies address the fact that there are countries where smartphones are not universally owned (because of cost, or lack of physical security for personal belongings).

        1. 8

          At least Microsoft has multiple paths for 2FA - an app, or a text sent to a number. It’s hard to imagine them going all in on “just” FIDO.

          Now, as to whether companies should support these people - from a purely money-making perspective, if your customers cannot afford a smartphone, maybe they’re not worth that much as customers?

          A bigger issue is if public services are tied to something like this, but in that case, subsidizing smartphone use is an option.

          1. 24

            > if your customers cannot afford a smartphone, maybe they’re not worth that much as customers?

            I had a longer post typed out and I don’t think at all you meant this but at a certain point we need to not think of people as simply customers and begin to think that we’re taking over functions typically subsidized or heavily regulated by the government like phones or mail. It was not that long ago that you probably could share a phone line (telcos which were heavily regulated) with family members or friends when looking for a job or to be contacted about something. Or pay bills using the heavily subsidized USPS. Or grab a paper to go through classifieds to find a job.

            Now you need LinkedIn/Indeed, an email address, Internet, your own smartphone, etc. to do anything from paying bills to getting a job. So sure if you’re making a throwaway clickbait game you probably don’t need to care about this.

            But even this very website, do we want someone who is not doing so well financially to be deprived of keeping up with news on their industry or someone too young to have a cellphone from participating? I don’t think it is a god-given right but the more people are not given access to things you or I have access to, the greater the divide becomes. Someone who might have a laptop, no Internet, but have the ability to borrow a neighbor’s wifi. Similarly a family of four might not have a cell phone for every family member.

            I could go on but like discrimination or dealing with people of various disabilities it is something that’s really easy to forget.

            1. 15

              I should have been clearer. The statement was a rhetorical statement of opinion, not an endorsement.

              Viewing users as customers excludes a huge number of people, not just those too poor to have a computer/smartphone, but also people with disabilities who are simply too few to economically cater to. That’s why governments need to step in with laws and regulations to ensure equal access.

              1. 11

                I think governments often think about this kind of accessibility requirement exactly the wrong way around. Ten or so years ago, I looked at the costs that were being passed onto businesses and community groups to make buildings wheelchair accessible. It was significantly less than the cost of buying everyone with limited mobility a motorised wheelchair capable of climbing stairs, even including the fact that those were barely out of prototype and had a cost that reflected the need to recoup the R&D investment. If the money spent on wheelchair ramps had been invested in a mix of R&D and purchasing of external prosthetics, we would have spent the same amount and the folks currently in wheelchairs would be fighting crime in their robot exoskeletons. Well, maybe not the last bit.

                Similarly, the wholesale cost of a device capable of acting as a U2F device is <$5. The wholesale cost of a smartphone capable of running banking apps is around $20-30 in bulk. The cost for a government to provide one to everyone in a country is likely to be less than the cost of making sure that government services are accessible by people without such a device, let alone the cost to all businesses wanting to operate in the country.

                TL;DR: Raising people above the poverty line is often cheaper than ensuring that things are usable by people below it.

                1. 12

                  Wheelchair ramps help others than those in wheelchairs - people pushing prams/strollers, movers, emergency responders, people using Zimmer frames… as the population ages (in developed countries) they will only become more relevant.

                  That said, I fully support the development of powered exoskeletons to all who need or want them.

                  1. 8

                    The biggest and most expensive problem around wheelchairs is not ramps, it’s turn space and door sizes. A wheelchair is broader (especially the battery-driven ones you are referring to) and needs more space to turn around than a standing human. Older buildings often have too narrow pathways and doors.

                    Second, all wheelchairs and exoskeletons here would need to be custom, making them inappropriate for short term disability or smaller issues like walking problems that only need crutches. All that while changing the building (or building it right in the first place) is as close to a one-size-fits-all solution as it gets.

                    1. 5

                      I would love it if the government would buy me a robo-stroller, but until then, I would settle for consistent curb cuts on the sidewalks near my house. At this point, I know where the curb cuts are and are not, but it’s a pain to have to know which streets I can or can’t go down easily.

                    2. 7

                      That’s a good point, though I think there are other, non-monetary concerns that may need to be taken into account as well. Taking smartphones for example, even if given out free by the government, some people might not be real keen on being effectively forced to own a device that reports their every move to who-knows-how-many advertisers, data brokers, etc. Sure, ideally we’d solve that problem with some appropriate regulations too, but that’s of course its own whole giant can of worms…

                      1. 2

                        The US government will already buy a low cost cellphone for you. One showed up at my house due to some mistake in shipping address. I tried to send it back, but couldn’t figure out how. It was an ancient Android phone that couldn’t do modern TLS, so it was basically only usable for calls and texting.

                        1. 2

                          Jokes aside - it is basically a requirement in a certain country I am from; if you get infected by Covid you get processed by system and outdoors cameras monitor so you don’t go outside, but to be completely sure you’re staying at home during recovery it is mandatory to install a government-issued application on your cellphone/tablet that tracks your movement. Also some official check ups on you with videocalls in said app to verify your location as well several times per day at random hours.

                          If you fail to respond in time or geolocation shows you left your apartments you’ll automatically get a hefty fine.

                          Now, you say, it is possible to just tell them “I don’t own a smartphone” - you’ll get cheap but working government-issued android tablet, or at least you’re supposed to; as lots of other things “the severity of that laws is being compensated by their optionality” so quite often devices don’t get delivered at all.

                          By law you cannot decline the device - you’ll get fined or they promise to bring you to hospital as a mandatory measure.

                      2. 7

                        Thank you very much for this comment. I live in a country where “it is expected” to have a smartphone. The government is making everything into apps which are only available on Apple Appstore or Google Play. Since I am on social welfare I cannot afford a new smartphone every 3-5 years and old ones are not supported either by the appstores or by the apps themselves.

                        I have a feeling of being pushed out by society due to my lack of money. Thus I can relate to people in similar positions (larger families with low incomes etc.).

                        I would really like more people to consider that not everybody has access to new smartphones or even a computer at home.

                        I believe the Internet should be for everyone not just people who are doing well.

                    3. 6

                      If you don’t own a smartphone, why would you own a computer? Computers are optional supplements to phones. Phones are the essential technology. Yes, there are weirdos like us who may choose to own a computer but not a smartphone for ideological reasons, but that’s a deliberate choice, not an economic one.

                      1. 7

                        In the U.S., there are public libraries where one can use a computer. In China, cheap internet cafés are common. If computer-providing places like these are available to non-smartphone-users, that could justify services building support for computer users.

                        1. 1

                          In my experience growing up in a low income part of the US, most people there now only have smartphones. There most folks use laptops in office or school settings. It remains a difficulty for those going to college or getting office jobs. It was the same when I was growing up there except there were no smartphones, so folks had flip phones. Parents often try and save up to buy their children nice smartphones.

                          I can’t say this is true across the US, but for where I grew up at least it is.

                          1. 1

                            That’s a good point, although it’s my understanding that in China you need some kind of government ID to log into the computers. Seems like the government ID could be made to work as a FIDO key.

                            Part of the reason a lot of people don’t have a computer nowadays is that if you really, really need to use one to do something, you can go to the library to do it. I wonder though if the library will need to start offering smartphone loans next.

                          2. 5

                            How are phones the “essential technology”? A flip phone is 100% acceptable these days if you just have a computer. There is nothing about a smartphone that’s required to exist, let alone survive.

                            A computer, on the other hand, (which a smart phone is a poor approximation of), is borderline required to access crucial services outside of phone calls and direct visits. “Essential technology” is not a smartphone.

                            1. 2

                              There’s very little I can only do on a computer (outside work) that I can’t do on a phone. IRC and image editing, basically. Also editing blog posts because I do that in the shell.

                              I am comfortable travelling to foreign lands with only a phone, and relying on it for maps, calls, hotel reservations, reading books, listening to music…

                              1. 1

                                The flip phones all phased out years ago. I have friends who deliberately use flip phones. It is very difficult to do unless you are ideologically committed to it.

                              2. 3

                                I’m curious about your region/job/living situation, and what about it is making phones “the essential technology”? I barely need a phone to begin with, not to mention a smartphone. It’s really only good as a car navigation and an alarm clock to me.

                                1. 1

                                  People need other people to live. Most other people communicate via phone.

                                  1. 1

                                    It’s hardly “via phone” if it’s Signal/Telegram/FB/WhatsApp or some other flavor of the week instant messenger. You can communicate with them on your PC just as well.

                                    1. 4

                                      I mean I guess so? I’m describing how low income people in the US actually live, not judging whether it makes sense. Maybe they should all buy used Chromebooks and leech Wi-Fi from coffee shops. But they don’t. They have cheap smartphones and prepaid cards.

                                      1. 2

                                        You cannot connect to WhatsApp via the web interface without a smartphone running the WhatsApp app, and Signal (which does not have this limitation) requires a smartphone as the primary key with the desktop app only acting as a subkey. I think Telegram also requires a smartphone app for initial provisioning.

                                        I think an Android Emulator might be enough, if you can manually relay the SMS code from a flip phone, maybe.

                                  2. 2

                                    Your reasoning is logical if you’re presented a budget and asked what to buy. Purchasing does not happen in a vacuum. You may inherit a laptop, borrow a laptop, no longer afford a month to month cell phone bill, etc. Laptops also have a much longer life cycle than phones.

                                    1. 4

                                      I’m not arguing that this is good, bad, or whatever. It’s just a fact that in the USA today if you are a low income person, you have a smartphone and not a personal computer.

                                2. 6

                                  FIDO needs to improve their communications and marketing if they hope to gain adoption, if they can’t even get to the technical crowd. TFA also gets passwordless wrong – it says: “As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. ‘Sign in with Google’)”. But that is not passwordless as either FIDO or ZDNet are describing it, it’s simply OpenID Connect.

                                  The announcement is specifically about FIDO2 adding support for two additional things:

                                  1. The ability to share FIDO credentials between multiple devices. Previously, it was implied and alluded to, but never stated outright, that credentials would be bound to an authenticator, like a MacBook’s Secure Enclave, which FIDO calls a platform authenticator, or a Yubikey, which FIDO calls a roaming authenticator. Now there’s explicit support for multi-device credentials. Apple recently added this feature in what it calls “Passkeys”, a name that other vendors (but not FIDO) seem to be adopting too. This is net positive. Losing a device that was bound to a credential meant that the credential was lost forever. Now, as long as the credential resides in at least one device the user has access to, there’s no recovery flow needed. Note that the vendor providing syncing services for these credentials does not have access to them. See Secure Keychain Syncing for an example implementation.

                                  2. Expanded ability and commitment from vendors to use a roaming authenticator over Bluetooth Low Energy (this is already in the standard). And in particular, the ability to use a phone’s platform authenticator as a roaming authenticator in a different device. This does not mean, as TFA implies, that you’ll need a phone to sign in to services. Rather, it means that for services that allow or require FIDO credentials to sign in, a phone is now an additional option to present those credentials. You can still use a Yubikey, TouchID or any other way you interact with your existing TPM.

                                  I understand that people are concerned about new authentication standards backed by big corporations who have a history of locking users out of their platforms and services, but the current state of secure login is dire. FIDO2 is an incredibly well designed set of protocols to prevent phishing, credential reuse, and several common causes for account compromise. It was clearly designed with that in mind, at the expense of usability. These are notable and incremental improvements to enhance the usability of a standard that is head and shoulders better than existing alternatives like passwords, but still has some ways to go in terms of functionality.

                                  Personally, I’m very excited about FIDO and WebAuthn, and some of the improvements I’d like to see in the coming months are:

                                  a) The ability to share passkeys across vendors, including the ability to implement a “sync fabric” as some folks in the WebAuthn working group have called it, so it’s interoperable beyond the major vendors.

                                  b) For these vendors to strengthen their own log in experience. Apple only allows their own TOTP implementation and SMS fallback to authenticate to iCloud. I’d like to use WebAuthn exclusively here, so I could back up access to my now-precious Keychain that holds all my FIDO credentials with a YubiKey.

                                  c) A better story about backing up security keys. Implementing a) would give us that. Devices that can be initialized with a given seed like some common hardware crypto wallets would give us that, albeit not without introducing changes to the threat model – you have to store the seed and input it somehow – and This proposal would give us that as well.

                                  d) A better story for usernameless. The current methodology to have a user initiate a usernameless login and picking the right credential is a UX mess, and I don’t believe I have actually seen it implemented in a production site. I’d love to be shown an example!
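
The comment above distinguishes device-bound credentials from multi-device ones. As an added example (not part of the original comment or of any FIDO code), this is how a relying party could tell them apart from the backup flags in WebAuthn Level 3 authenticator data, after checking that the data is bound to its own RP ID. The RP ID `login.example`, the sample bytes, and the returned labels are constructed for illustration; signature verification is assumed to happen elsewhere.

```python
import hashlib
import hmac
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced across devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


def parse_auth_data(raw: bytes) -> dict:
    """Split the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = raw[32]
    return {
        "rp_id_hash": raw[:32],
        "sign_count": struct.unpack(">I", raw[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }


def classify_credential(raw: bytes, expected_rp_id: str) -> str:
    """Return this example's own label for the credential, or raise on bad data."""
    auth = parse_auth_data(raw)
    # Phishing resistance: the authenticator hashes the RP ID it was asked to
    # sign for, so data produced for a look-alike domain fails here.
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(auth["rp_id_hash"], expected):
        raise ValueError("rpIdHash does not match this relying party")
    if not auth["user_present"]:
        raise ValueError("user presence flag not set")
    # BS without BE is an invalid combination.
    if auth["backed_up"] and not auth["backup_eligible"]:
        raise ValueError("invalid flags: BS set without BE")
    if not auth["backup_eligible"]:
        return "device-bound"
    if auth["backed_up"]:
        return "multi-device, backed up"
    return "multi-device, not yet backed up"


def make_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: header only, no attested credential data or extensions."""
    digest = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return digest + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example"  # constructed RP ID
    samples = {
        "hardware key": FLAG_UP | FLAG_UV,
        "synced passkey": FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS,
    }
    for name, flags in samples.items():
        print(name, "->", classify_credential(make_sample(rp, flags, 0), rp))
```

A service that wants an unsynced hardware key for account recovery could accept only the `device-bound` result for that enrollment.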

                                  1. 4

                                    When you get robbed and they take your phone, will the thieves now have access to all your accounts?

                                    1. 4

                                      No, your phone is supposed to protect those behind further (high quality, so a single front facing camera on one’s Android won’t do) biometry and/or auxiliary passwords.

                                    2. 4

                                      I dislike the trend of forced 2fa with no fallback: what if my phone dies or gets lost or stolen? I already use good passwords thanks to my password manager. I like the idea of 2fa as a default that one can opt-out of though.

                                      1. 3

                                        There are OTP clients for desktop and dedicated hardware. Plus, if those get stolen, most services push you to make backup codes.

                                      2. 2

                                        It says the key will be backed up by these companies’ sync services but will I be able to back up my key myself?

                                        And how do I rotate my key? Likely I need to rotate it for every website? (If supported)

                                        1. 2

                                          Let’s hope that a: there’s a fallback, b: there’s an option to keep using passwords and c: the protocol used is something open and standard so that if I want to I can write an appropriate “authenticator” application for any platform and don’t have to rely on software blessed by Microsoft, Apple and Google (and d: the protocol isn’t some abomination which is basically impossible to implement by a single human, and e: the implementation doesn’t have to be blessed by an authority who will just deny your application because you’re a lone developer writing something for yourself).

                                          1. 2

                                            The protocol I believe is FIDO U2F. But who knows if they add some extra to it to make it unique to their platform, like MS did with Active Directory. I hope not, but history would say I shouldn’t keep my hopes very high.

                                            I also hope they allow hardware U2F keys like Yubikey, NitroKey, etc.

                                            1. 1

                                              It’s an extension to WebAuthn

                                              1. 3

                                                I’m not an expert but this article from Mozilla suggests the opposite, that WebAuthentication is an extension of FIDO. https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox/

                                            2. 2

                                              As long as there is a backup recovery mechanism, this seems fine… that said, I’m a big fan of magic links + long session expiries. Email is already a single point of failure, might as well lean into the convenience of it.

                                              1. 5

                                                I find it inconvenient to have to open my email to log into a site instead of letting my password manager handle it.

                                                1. 1

                                                  The moment you start using multiple email clients, multiple browser sessions, or a combination of the two, magic links become a gigantic pain in the ass.

                                              2. 2

                                                My phone is in harm’s way constantly. It’s at risk of getting dropped, smashed, and stolen.

                                                It needs to be treated as disposable.