Google's Login Chief: Apple's Sign-In Button Is Better Than Using Passwords (theverge.com) 78
After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them."
RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password...
Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there...
People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!
Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there...
People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!
#Security Marketing - BE SECURE, TRUST BUTTON! (Score:1)
" While the login buttons are relatively simple, they're much more resistant to common attacks like phishing " - Wtf. Like phishers can't skin the button graphic and link it to anywhere on their own pages? Fucking genius claims again...
Walk us through how that works... (Score:3, Insightful)
Like phishers can't skin the button graphic and link it to anywhere on their own pages?
Ok, let's say they did - what does that do for them?
It's not like they can put up a copy of a site and add that button, as it will not pass them credentials for the real site.
It's not like they can set up a site and get credentials from a real login button on a fake page, because again the fishers would not get credentials they could use to gain access to other sites.
In fact a fisher would be way better off putting up a
Not defending Apple here (Score:2, Interesting)
knee-jerk defense of Apple fangirlism
My post has nothing about Apple in it. Seems like you are the one with the knee-jerk reaction?
There are login buttons from Google and Facebook in addition to (soon) Apple, the original post was attacking the concept of login buttons, I was responding asking for more details on how they saw such an attack working generically with login buttons as we know and use them today. That could be Google as well as anyone...
So again, I wonder why Apple came to mind here for you
Re: (Score:2)
It's not like they can put up a copy of a site and add that button, as it will not pass them credentials for the real site.
What does Apple sign-in do to prevent this? Standard o-auth doesn't prevent it.
Re:Walk us through how that works... (Score:5, Interesting)
It doesn't use username + password to authenticate. Google/Facebook etc, by default, simply generate a login page to Google/Facebook within your browser and then perhaps do two-factor authentication. Everything stays within the browser and that can be phished, the attacker sends you to a "login" page where you enter your Google/Facebook credentials which it then could use that information to modify your Google/Facebook second-factor authentication settings, you then get a 'push' to authenticate the attacker into adding another second authentication device. It works with Duo two-factor as well, I've seen a number of institutions hacked that way.
When you click the Apple button, it sends a challenge to Apple which then forwards it to your device and only to your device so you never enter your username or password in your browser session. It's basically doing the second step of two-factor authentication first. Moreover, Apple doesn't communicate "your" username or e-mail (which Google/Facebook does and which is information that could be leveraged for immediate or future attacks on your account or for spear-phishing). Apple generates a brand new identity on the fly for that particular website and it doesn't disclose any information other than what you choose to share.
Re: (Score:2)
When you click the Apple button, it sends a challenge to Apple which then forwards it to your device and only to your device so you never enter your username or password in your browser session
Nice, Apple's on top of it.
Re: (Score:2)
Think about that one for a minute (Score:1)
No, they're not necessarily more secure than (well-managed) passwords. They do cost you-the-user a lot of control. Google is "surprisingly sunny" about this because even if the market (for "login") is split five ways, hey, that's only four other parties to deal with. Not several hundred million users that keep on forgetting their passwords.
The spiel is "security", but the actual gain for google et al. is control.
Look at details of how Apple plans to work this (Score:2, Informative)
They do cost you-the-user a lot of control.
What I like about Apple's button is that you gain a lot of control over what the login gives the company you are logging in to. Look at the videos in the WWDC keynote of how it works, or watch the first part of the WWDC 19 Introducing Sign In with Apple [apple.com] video to see in more detail how it works. This is Slashdot, wouldn't you want some technical detail?
You can choose if you want to give them any aspect of the information they are looking for. If you only want th
Hold up, what now? (Score:3)
And they don't exactly have a stellar track record with the privacy.
Can't respond to anything else you wrote because of the absolute absurdity of this statement. Goes against everything we know and has been reported about Apple.
It's not Apple minis my data for ads, it's Apple advocating against that... it's Apple pushing for machine learning on device so they get no data.
Weird flex dude and it undermines anything else you have to say, I just stopped reading...
Re: (Score:1)
Goes against everything we know and has been reported about Apple.
Goes against everything about image that Apple has been cultivating recently.
Just don't use an iPhone in China. The whole privacy deal disappears in a puff of greasy smoke.
Says the guy who runs the "bank." (Score:2)
So the guy who runs the bank says the best place for your money is the bank. Go it.
Re:Says the guy who runs the "bank." (Score:5, Informative)
So the guy who runs the bank says the best place for your money is the bank. Go it.
No, it's more like he said that putting your money in a bank vault is better than hiding it in cardboard boxes, books and other nooks and crannies all over your house. Furthermore he's saying that Apple's bank vault is better because they don't let Tom, Dick and Harry in there to borrow your money without your consent and they don't make your financial data to anybody wilting to pay them for it:
Apple today announced a "Sign in with Apple" button -- that is similar to sign-in buttons from Twitter, Facebook or Google that allow users to quickly login to a range of services using their social media account. But unlike any existing solution, Apple is focusing on privacy. From a report:
More importantly, you can choose to hide your email address, and Apple will generate a random email ID visible to only to that particular app that'll forward all emails to your main email ID. Plus, this method creates a unique random email for each app, so that they can't track you and your personal data. The new sign-in feature is available across MacOS, iOS, and websites.
Re: (Score:1)
Even more important, they're tracking EVERY TIME you come to the bank. Any deposit, any withdrawl, they're writing it down and making that available to marketers around the world - for any purpose. They don't ask why.
On top of that, the bank is now trying to sell you fake Gucci purses and trick you into spam raffles and ridiculous home furnishings you don't need or want.
I don't know about you, but I always thought the wealthy and successful strove to have some measure of discretion and privacy rather than m
Re: (Score:2)
The bank accounts have federally backed deposit insurance so that if the bank is robbed or isn't too big to fail, and actually fails, your money is still safe.
Where's the insurance saying that Apple will cover any losses you incur if their vault is breached and your life gets turned upside down?
No, promises and apologies aren't good enough. We need actionable contracts with solid backing.
It's an analogy, don't overthink it.
Re: (Score:2)
Good post. You definitely point out a flaw in my comment. I implied that the google spokesperson was simply being self-serving but you point out that that is not entirely true because the article is about apple's "password bank," not google's.
As far as the rest, my only comment is that for now, we can often use a password for every site and password managers may be just as trustworthy as google SSO. But eventually, only large party SSO will be allowed. The internet and WWW are becoming less and less decentr
Re: (Score:2)
Just a typo. It was supposed to be "got it" but slashdot doesn't allow edits.
Re: (Score:3)
Re: (Score:2)
And regarding the putting all your money in one basket problem, the FDIC is the reason that it is safe to put all your money in one bank. Before that, you would have needed to have several banks to be safe from, for example, the run on banks during the Great Depression.
A similar concern exists here. What I want most in terms of website authentication is for every website to allow me to authenticate my website account using more than one of these login buttons. That way if one of those accounts (Facebook
It's not about eggs in a basket (Score:2, Insightful)
It's about me not giving Apple, Facebook, Google, et al even more power over me.
It's about me not giving even more info about my online behaviour to the data scrapers of the internet.
But no... the constant mantra is, "Just trust us! Tell us everything!"
Mark Zuckerberg put it best: "They trust me... the dumb fucks."
Speaking about a single basket... (Score:3, Informative)
Why are you lumping Apple in with Google and Facebook in the same basket of distrust?
I agree with you about those two, I don't use login with Google/Facebook if I can avoid it (and have dropped signing into many services because that was all they offered for login). I don't want them mining my data.
But Apple is a very different case, we know they don't mine data. Why? Because they have no motive to. I don't trust what companies say, I fundamentally value motivation - I know Facebook and google both have
Re: (Score:2)
They could easily sell that data to other companies. I have no evidence that they do, but then again no-one has any evidence that Google does and are still happy to assume that it's happening anyway.
If we apply the same absurd standard to both, we must conclude that Apple is also evil and selling your data.
In fact, I think the only one of the three that does is Facebook.
Re: (Score:2)
Google makes most of its money by giving other companies ways to target me with products. Done properly this may well mean that the individual companies don't have knowledge about me, but it still means that information Google gathers about what I do is mined aggressively for insight abo
Re: (Score:2)
Google has always been good about presenting useful information, with a few ads along side. For example you can't pay them to appear high in the search results, only in the advertising areas on the page.
I take your point though. Personally I block Google ads and trackers anyway, so while they still get some information about me it seems like a decent trade off for the services I get. I could pay for Apple stuff to use their system, but I dislike being locked into that payment to avoid the hassle of changing
I make sure I have money in other places ... (Score:2)
It's a bad idea to have all your money at one financial institution.
Re: (Score:2)
It's a bad idea to have all your money at one financial institution.
It is still better than having it all in one cookie jar.
Re: (Score:1)
Actually it's not. The cookie jar doesn't snitch you out to the world of marketers and it doesn't take 30%.
CEO, COO, CFO, CIO . . . and now . . . (Score:2)
Google's Login Chief
CLO: Chief Login Officer!
Physical security is not the issue... (Score:2)
There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!
Sounds great, until someone steals your ATM card number and drains your bank account. Then those 12-inch thick steel doors do nothing to protect you. The vulnerability is never the hardened bank vault, its the shoddy technology around the electronic systems. It pains me that there's still no commonly available way to get physical currency out of an ATM than to trust the security of an easily copied magnetic strip and an almost as easily clonable 4-digit number.
I cancelled all of my "debit" cards a few ye
Re: Physical security is not the issue... (Score:3)
No common way to do that in the USA. Everyone else moved on to chip and pin ages ago. The stripe on my Canadian bank card really only exists just in case I travel to the states. Why American banks are stuck in the past is beyond me. (I guess that's not actually true; I know they're greedy and cheap.)
Re: (Score:2)
a) The banks in the US are insured for those kind of occurrences, you always get your money back. In the EU they simply say "we got chip and pin, no way you got hacked"
b) Chip and pin attacks have been known for about a decade before chip and pin was demanded in the EU. Chips can be cloned and there are various other attack vectors, it's relatively easy to find methods and gangs in South America and Europe.
Obviously the banks in the EU never have to pay up for those hacks even though it requires only a litt
Re: (Score:2)
my father in law had his wallet stolen on the train from Naples to Amalfi. He noticed within 30 minutes but they'd already managed to spend a few hundred euros on a debit card before he could reach the bank and lock it out. The card had already been stopped because of other trans
Re: (Score:2)
Re: (Score:2)
The real problem is when the for profit corporation controlling all access to all your internet accounts decides to take it away. One corporation controlling all your access and whether or not you can log in any more, to your bank, to your internet, to insurance, to shopping, to anything. You are now the child and the corporation is your parent, deciding who you can or cannot not login to.
Not a bank (Score:2)
> A better metaphor might be a bank
Minus the two *most critical parts* of banking - there is *insurance*, and there is *liability*. You will never convince me that you are interested in maintaining your locks and 12" thick steel doors if you have no liability in the case of failure.
A proper risk assessment of federated SSO makes it a completely untenable solution as a practical matter given the current regulatory and legal environment.
"provided you trust the network offering them..." (Score:1)
(Also known as the most colossal blunder of all time.)
Apple always on top (Score:1)
Don't they use Analytics? (Score:1)
There are several people who logs into "apps" using Google sign in or Facebook sign in and use them on all platforms. Think of Instagram. Where is Apple login SDK for Android apps that will offer same login experience? Hate or not, Facebook won a lot of users&developers that way.
So this is basically... (Score:2)
Are these guys basically inventing OpenID [wikipedia.org], or is there some important difference?