Tuesday, November 20th 2018
Microsoft Accounts Now Support Hardware-based Login via FIDO 2
FIDO 2 has been making the rounds for a while as a hardware solution that replaces the dated usage of passwords. With a hardware token, users holding a FIDO 2-enabled key can skip entering any credentials manually, both in Windows (version 1809 and up) and on any supporting website (with a browser that supports the FIDO 2/WebAuthn API). It essentially creates a cryptographic security key, where the user only has to press a button on the key to log into a website. Microsoft has partnered with Yubico for a while now on developing this security mechanism, and the company's FIDO 2 keys are now compatible with the OS.

This approach has the advantage that users no longer have to remember passwords and their variations for a million websites, and it also gives you a physical way to keep your credentials in your possession. Since communication and submission of your login credential is now always cryptographically secured, malicious hackers should no longer be able to steal login credentials unless they find a way to infect the FIDO 2 key itself with malware. As an added bonus, websites supporting this sort of authentication won't keep any passwords on their servers that could be hacked or leaked. So it's an additional bit of peace of mind. And now on Windows as well.
Source:
Tom's Hardware
13 Comments on Microsoft Accounts Now Support Hardware-based Login via FIDO 2
Cannot see the use for this
Firstly, having a button (even a captouch) on a pluggable device - that's just asking for broken USB ports.
Secondly, their approach to security has changed from "open and progressive" to the old shitty "security by obscurity".
Not only is the firmware now closed-source and not available for independent evaluation, but also in case of a vulnerability there is no way to patch the device.
Basically the devs at Yubico went with the easy path of not implementing a secure DFU mechanism, instead choosing to make insecure devices disposable.
Lastly, it's a convoluted mess. Just a regular 2FA with a phone or biometrics is a lot simpler. Security measures are always reliable if users can actually understand how to use them without a lengthy manual.
... and here's one more thing just for fun:
Yeah...until you lose it or somebody steals it. Then the finder or the thief has all your passwords for everything.
Do you have any of your passwords written down somewhere or stored in a handy little device that you can accidentally lose or have fall into the wrong hands by other means? I know I don't. For good reason. So yeah...I'll pass on that.
EPIC STUPIDITY!
Physical security. It's not a new or even bad idea, though yubico has a bad implementation for several reasons noted above.
I don't have anything against the idea, I'm just saying there's a number of factors to consider before taking the plunge.
cloud.google.com/titan-security-key/
One of these sticks being "hacked" is also way less likely than simply losing one.
Point being...nobody can steal a password stored in your brain cells. And I'm not very much more likely(if at all) to forget my passwords than my PIN number(s), phone number(s), address, date of birth, SS number, etc., etc., etc.. And if I were to forget a password(which I'll admit has happened a time or 2), they're easy enough to retrieve or change with a simple email. Negating these "security features" is the trade off when using one of these password storage devices. There's no denying that. As such, they create just as many problems as they solve. And because of that I would argue they're not a better solution to password security. Just a different solution. I'm totally satisfied with my current password security solution. It's been working just fine for me for as long as I've had them. So...if it ain't broke...I ain't fixing it. Since...IMO...that would be stupid.
So...maybe EPIC STUPIDITY was an overstatement. I suppose just plain STUPID would suffice.
Also, when you have to deal with lots of accounts at work, it gets even harder to the point where even the brightest brains with super-memory cannot keep up with two dozen FTP account passwords which change every month, half-a-dozen SSH login/password combinations, credentials to five different web-hosting or co-location service providers, e-mail, etc. etc. etc. That's where all these password keepers and hardware password managers come in. All you need is to memorise one re-e-e-eally strong password (like WrBg@E/D<5zF(ZrQ@]) and you are good to go.
If you think that something like 1@M/mRG3n|U5 is safe and not brute-forceable - you are wrong. Modern dictionary attacks can and will account for character substitutions, variations, common patterns and other stuff.
There is a huge demand for such devices. The only problem is that there is still no good and flexible implementation of one.
It was more than a decade ago when I read this article by a security auditor where he said in most cases he doesn't even get to touch the computer: a thorough search around the cubicle will reveal a notebook, post-it, or sheet of paper with password(s) on it. Theory meets real life ;)
The thing is that FIDO2 is not a password storage device. It's a completely different technology removing passwords altogether or augmenting them. Shame, they make advertising videos where it's impossible to understand anything about the product...
Losing a FIDO2 security device is not a problem from a security perspective, because it will be additionally secured by a PIN code. Also, FIDO2 brings many more nice things you cannot get by using passwords, like phishing resistance, man-in-the-middle protection, etc.
When I sit down at my desk, I don't want my fingers to stop me!! LOL. I use LastPass, and change my global password regularly, and I use a VPN, CyberGhost Pro, to surf my bank and such. I have no problems with it except YouTube, where I have to open it up and change the setting. It also allows me to be a local, all over the world. ;)