
Microsoft Accounts Now Support Hardware-based Login via FIDO 2

Raevenlord

News Editor
Joined
Aug 12, 2016
Messages
3,755 (1.24/day)
Location
Portugal
System Name The Ryzening
Processor AMD Ryzen 9 5900X
Motherboard MSI X570 MAG TOMAHAWK
Cooling Lian Li Galahad 360mm AIO
Memory 32 GB G.Skill Trident Z F4-3733 (4x 8 GB)
Video Card(s) Gigabyte RTX 3070 Ti
Storage Boot: Transcend MTE220S 2TB, Kintson A2000 1TB, Seagate Firewolf Pro 14 TB
Display(s) Acer Nitro VG270UP (1440p 144 Hz IPS)
Case Lian Li O11DX Dynamic White
Audio Device(s) iFi Audio Zen DAC
Power Supply Seasonic Focus+ 750 W
Mouse Cooler Master Masterkeys Lite L
Keyboard Cooler Master Masterkeys Lite L
Software Windows 10 x64
FIDO 2 has been making the rounds for a while as a hardware solution that replaces the dated usage of passwords. Via a hardware token, users with a FIDO 2-enabled drive are able to skip manual introduction of any authentication in both Windows (version 1809 and up) and any supporting website (with a browser that supports the FIDO 2/WebAuthn API). It basically creates a security key using cryptography, where the user only has to press a button on the security key to log into a website. Microsoft has partnered with Yubico for a while now on developing this security mechanism, and the company's FIDO 2 keys are now compatible with the OS.

This approach has the advantage that users don't have to remember passwords and their variations for a million websites, and it also makes sure that you have a physical way to keep your passwords in your possession. Since communication and insertion of your password is now always cryptographically secured, malicious hackers should no longer be able to steal login credentials unless they find a way to infect the FIDO 2 key itself with malware. As an added bonus, websites supporting this sort of authentication won't keep any passwords on their servers that can be hacked or leaked. So it's additional peace of mind. And now? On Windows as well.


dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,107 (1.27/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
With enterprises generally locking down USB ports to prevent unauthorized usage, I cannot see the use for this.
 

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,542 (1.38/day)
Location
Kyiv, Ukraine
System Name WS#1337
Processor Ryzen 7 5700X3D
Motherboard ASUS X570-PLUS TUF Gaming
Cooling Xigmatek Scylla 240mm AIO
Memory 4x8GB Samsung DDR4 ECC UDIMM
Video Card(s) MSI RTX 3070 Gaming X Trio
Storage ADATA Legend 2TB + ADATA SX8200 Pro 1TB
Display(s) Samsung U24E590D (4K/UHD)
Case ghetto CM Cosmos RC-1000
Audio Device(s) ALC1220
Power Supply SeaSonic SSR-550FX (80+ GOLD)
Mouse Logitech G603
Keyboard Modecom Volcano Blade (Kailh choc LP)
VR HMD Google dreamview headset(aka fancy cardboard)
Software Windows 11, Ubuntu 24.04 LTS
Haven't heard from Yubico for a while now, especially after their v4 fiasco. The idea was good, the implementation is awful as usual.
Firstly, having a button (even a captouch) on a pluggable device - that's just asking for broken USB ports.
Secondly, their approach to security has changed from "open and progressive" to the old shitty "security by obscurity".
Not only is the firmware now closed-source and not available for independent evaluation, but in case of a vulnerability there is also no way to patch the device.
Basically the devs at Yubico rolled with the easy path of not implementing a secure DFU mechanism, instead choosing to make insecure devices disposable.
Lastly, it's a convoluted mess. Just regular 2FA with a phone or biometrics is a lot simpler. Security measures are always reliable if users can actually understand how to use them without a lengthy manual.

... and here's one more thing just for fun:
 
Joined
Feb 2, 2015
Messages
2,707 (0.75/day)
Location
On The Highway To Hell \m/
"A physical way to keep your passwords in your possession." LMAO!

Yeah...until you lose it or somebody steals it. Then the finder or the thief has all your passwords for everything.

Do you have any of your passwords written down somewhere or stored in a handy little device that you can accidentally lose or have fall into the wrong hands by other means? I know I don't. For good reason. So yeah...I'll pass on that.

EPIC STUPIDITY!
 
Joined
Aug 20, 2007
Messages
21,479 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
EPIC STUPIDITY!

I assume your home has keys?

Physical security. It's not a new or even bad idea, though yubico has a bad implementation for several reasons noted above.
 

bug

Joined
May 22, 2015
Messages
13,786 (3.96/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
I assume your home has keys?

Physical security. It's not a new or even bad idea, though yubico has a bad implementation for several reasons noted above.
The thing is, when you lose one key, you change the lock and get a new set of keys. What can you do when you lose one of these sticks or it gets hacked? Can you disable its usage all over the place? Fast enough? What happens if it physically dies on you? Can you get a replacement? Fast enough? Do you need to pay for a new set of credentials?

I don't have anything against the idea, I'm just saying there's a number of factors to consider before taking the plunge.
 
Joined
Aug 20, 2007
Messages
21,479 (3.40/day)
What can you do when you lose one of these sticks

Invalidate it on the account end.

One of these sticks being "hacked" is also way less likely than simply losing one.
 

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,542 (1.38/day)
Location
Kyiv, Ukraine
The thing is, when you lose one key, you change the lock and get a new set of keys. What can you do when you lose one of these sticks or it gets hacked? Can you disable its usage all over the place? Fast enough? What happens if it physically dies on you? Can you get a replacement? Fast enough? Do you need to pay for a new set of credentials?
It's a bit more complex than losing your keys. Most devices of this type are tied to a user or a PC, so they have to be re-initialized if used elsewhere. With Yubikey products you can set up a PIN code (which is lame but still gives an extra layer of protection). That's why I like biometric keys better.
 
Joined
Feb 2, 2015
Messages
2,707 (0.75/day)
Location
On The Highway To Hell \m/
I assume your home has keys?
I'm not going to confirm or deny that. But I will say that if I wanted to lock my doors I can choose between having keyed or keyless locks installed in them. Namely keyless locks that require a numerical code (similar to a password) to open. These things do exist, you know?

Point being...nobody can steal a password stored in your brain cells. And I'm not very much more likely (if at all) to forget my passwords than my PIN number(s), phone number(s), address, date of birth, SS number, etc., etc., etc. And if I were to forget a password (which I'll admit has happened a time or 2), they're easy enough to retrieve or change with a simple email. Negating these "security features" is the trade-off when using one of these password storage devices. There's no denying that. As such, they create just as many problems as they solve. And because of that I would argue they're not a better solution to password security. Just a different solution. I'm totally satisfied with my current password security solution. It's been working just fine for me for as long as I've had them. So...if it ain't broke...I ain't fixing it. Since...IMO...that would be stupid.

So...maybe EPIC STUPIDITY was an overstatement. I suppose just plain STUPID would suffice.
 

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,542 (1.38/day)
Location
Kyiv, Ukraine
Point being...nobody can steal a password stored in your brain cells.
Brain cells are also prone to be predictable and vulnerable. Not all people are physically capable of memorising dozens of random alphanumeric/special-char passwords, so they tend to use predictable patterns for their passwords (or use one password for everything).
Also, when you have to deal with lots of accounts at work, it gets even harder, to the point where even the brightest brains with super-memory cannot keep up with two dozen FTP account passwords which change every month, half a dozen SSH login/password combinations, credentials to five different web-hosting or co-location service providers, e-mail, etc. etc. etc. That's where all these password keepers and hardware password managers come in. All you need is to memorise one re-e-e-eally strong password (like WrBg@E/D<5zF(ZrQ@]) and you are good to go.
If you think that something like 1@M/mRG3n|U5 is safe and not brute-forceable - you are wrong. Modern dictionary attacks can and will account for character substitutions, variations, common patterns and other stuff.

There is a huge demand for such devices. The only problem is that there is still no good and flexible implementation of one.
 

bug

Joined
May 22, 2015
Messages
13,786 (3.96/day)
Brain cells are also prone to be predictable and vulnerable. Not all people are physically capable of memorising dozens of random alphanumericspeicalchar passwords, so they tend to use predictable patterns for their passwords (or use one password for everything).

A thousand times this. Passwords work nicely when, instead of humans, we transform into random string generators, preferably using the extended ASCII charset (except for cases when a website can't handle that). Humans don't work like that.

It was more than a decade ago that I read this article by a security auditor who said that in most cases he doesn't even get to touch the computer: a thorough search around the cubicle will reveal a notebook, post-it or sheet of paper with password(s) on it. Theory meets real life ;)
 
Joined
Feb 4, 2015
Messages
4 (0.00/day)
nobody can steal a password stored in your brain cells. And I'm not very much more likely.

Despite what works for you, passwords are a huge pain in the industry.
The thing is that FIDO2 is not a password storage device. It's a completely different technology, removing passwords altogether or augmenting them. Shame they make advertising videos where it's impossible to understand anything about the product...
Losing a FIDO2 security device is not a problem from a security perspective, because it will be additionally secured by a PIN code. Also, FIDO2 brings many more nice things you cannot get by using passwords, like phishing resistance, man-in-the-middle protection, etc.
 
Joined
Apr 3, 2012
Messages
4,373 (0.95/day)
Location
St. Paul, MN
System Name Bay2- Lowerbay/ HP 3770/T3500-2+T3500-3+T3500-4/ Opti-Con/Orange/White/Grey
Processor i3 2120's/ i7 3770/ x5670's/ i5 2400/Ryzen 2700/Ryzen 2700/R7 3700x
Motherboard HP UltraSlim's/ HP mid size/ Dell T3500 workstation's/ Dell 390/B450 AorusM/B450 AorusM/B550 AorusM
Cooling All stock coolers/Grey has an H-60
Memory 2GB/ 4GB/ 12 GB 3 chan/ 4GB sammy/T-Force 16GB 3200/XPG 16GB 3000/Ballistic 3600 16GB
Video Card(s) HD2000's/ HD 2000/ 1 MSI GT710,2x MSI R7 240's/ HD4000/ Red Dragon 580/Sapphire 580/Sapphire 580
Storage ?HDD's/ 500 GB-er's/ 500 GB/2.5 Samsung 500GB HDD+WD Black 1TB/ WD Black 500GB M.2/Corsair MP600 M.2
Display(s) 1920x1080/ ViewSonic VX24568 between the rest/1080p TV-Grey
Case HP 8200 UltraSlim's/ HP 8200 mid tower/Dell T3500's/ Dell 390/SilverStone Kublai KL06/NZXT H510 W x2
Audio Device(s) Sonic Master/ onboard's/ Beeper's!
Power Supply 19.5 volt bricks/ Dell PSU/ 525W sumptin/ same/Seasonic 750 80+Gold/EVGA 500 80+/Antec 650 80+Gold
Mouse cheap GigaWire930, CMStorm Havoc + Logitech M510 wireless/iGear usb x2/MX 900 wireless kit 4 Grey
Keyboard Dynex, 2 no name, SYX and a Logitech. All full sized and USB. MX900 kit for Grey
Software Mint 18 Sylvia/ Opti-Con Mint KDE/ T3500's on Kubuntu/HP 3770 is Win 10/Win 10 Pro/Win 10 Pro/Win10
Benchmark Scores World Community Grid is my benchmark!!
Being an automotive mechanic, biometric fingerprint readers don't work reliably. I have evolving fingerprints. They eventually go back to working, but I don't use them. I was set up on a friend's computer that we shared for a bit. I couldn't use it sometimes because of a burn or cut that it did not recognize.

When I sit down at my desk, I don't want my fingers to stop me!! LOL. I use LastPass and change my global password regularly, and I use a VPN, CyberGhost Pro, to surf my bank and such. I have no problems with it except YouTube, where I have to open it up and change the setting. It also allows me to be a local all over the world. ;)
 