#Passwords must die. On that we’re all agreed. Amirite?
#FIDO and W3C want to set the standard for 21st-century #authentication. They seek to do away with phishing, credential breaches, and MITM attacks. And the major browsers seem to be playing along.
But is anyone experiencing déjà vu here? In #SecurityBlogwatch, we’ve heard it all before.🤣
by @richi at #TechBeacon #cososec
https://techbeacon.com/webauthnctap-final-countdown-passwords-dont-count-it
@richi Personally, I'm least enthused by attempts to get rid of passwords via biometrics. It's kind of like Social Security numbers as they're set up now: once it's lost somehow, there's no good way to undo the damage.
Changeable passwords/PIN numbers plus cryptographic authentication (e.g. U2F/Yubikeys) seem extremely solid to me as a combination.
@JWilliams yes. Yubi is part of the FIDO Alliance, so that's their vision also
@richi Right -- should have made that clear.
My biggest complaint is that more entities that supposedly care about security--banks, etc.--don't allow the use of U2F keys (and many won't even get away from SMS 2nd factors. I guess they need a major breach to drive the point home).
@JWilliams @richi Yes, and in the US we still don't have the securest version of the chips because they went with the older technology.