Windows 10 Update Will Support More Password-Free Logins (engadget.com)
An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.
Something you have and something you know (Score:4, Informative)
From the summary it looks like they are reverting to only using something you have, which is, normally, a lower level of security.
Re:Something you have and something you know (Score:5, Interesting)
Re: (Score:3)
Computers are to blame. What used to be good enough is now easy to bypass because of increasing computer power. You think your random 64-character password is safe? Wait until quantum computers become commonplace.
Re:Something you have and something you know (Score:5, Informative)
You think your random 64-character password is safe?
Not just the number of random characters... I've recently found a few websites that ignore password case altogether so it would be even easier to brute force a password now than it should be. I would hope that they look for brute force attacks but since they go so far as to ignore password case I wouldn't be so sure.
I'm looking at you americanexpress.com
Re: (Score:2)
I had this checked. It's true. WTF Amex?
Re: Something you have and something you know (Score:2, Funny)
Yes, but some sites like Slashdot are better. Passwords typed out in the comments section are starred out, for example: My password is ************.
Re: Something you have and something you know (Score:4, Funny)
you can go hunter2 my hunter2-ing hunter2
Even the name is relevant.
Re: (Score:3)
Reference
http://bash.org/?244321 [bash.org]
Re: (Score:2)
You think your random 64-character password is safe? Wait until quantum computers become commonplace.
My password will be safer then. All the bad guys will be trying to break into the fancy new quantum computers instead of my 386 desktop with a 64-character password.
Re: (Score:3)
If your system is using the right algorithms, your random 64-bit character password should be as safe as [wikipedia.org] a random 32-bit password was pre-quantum. Quantum computers have theoretical limits.
Re: (Score:2)
And a 64-character password will be even safer.
Re: (Score:2)
Yeah, I noticed that last night after hitting submit. Point stands.
Re: (Score:2)
Yep.
Re: Something you have and something you know (Score:2)
They're coming right after the flying cars, right?
Re: (Score:2)
Re: (Score:3)
It's neither the users nor the IT people. The IT people taught the lesson, many users learned it.
The thing is that typing a STRONG password with seemingly random lower and upper case characters, numbers, and signs, all while effectively blindfolded, is hard. Do it wrong a couple of times? Congrats, now you're locked out. Oh, and you have to do it a dozen or more times a day.
Is it any wonder people settle for a good-enough password that they can easily remember and actually feel if they're typing it wrong, e
Re: (Score:2)
Re: (Score:1)
we need tongue print scanners
Re: (Score:3, Funny)
Because you like licking your computer? You don't know who else has licked it, you know. It's like you're licking everyone who has ever used that computer.
I'm gonna go set up a Kickstarter for tongue condoms. I'll be rich!
AKA... (Score:1)
Re: (Score:2)
What is the security saying about having physical access to a machine to plug in a USB dongle?
Re: (Score:2)
What is the security saying about having physical access to a machine to plug in a USB dongle?
"Physical access is no access to remote resources when you still have to validate against a different remote server."
That ol' chestnut?
Re: (Score:1)
Re: (Score:2)
That's why you should always use financial institutions and credit/debit cards that come with free online fraud protection. Then you are not liable for any unauthorized credit card or banking transactions.
Re: (Score:2)
My cat is named Mr. Tibbles, you insensitive clod!
Re: (Score:2)
Yes, preferably FIDO + password would be an option
If history repeats itself, people will just fight over whether to use passwords OR something else, and every major consumer implementation will make configuring both painful if not impossible. Witness every OS WPA supplicant save for wpa-supplicant, and every OS IKEv2 client save for strongswan.
Oh... (Score:3)
https://www.javaworld.com/arti... [javaworld.com]
Re: (Score:2)
Those were cool for their time. I knew one dot.com that used those instead of contactless badges for door entry because they didn't trust RFID transponders.
So... (Score:2)
...nothing new?
Re: (Score:3)
Remember, kiddies! (Score:3, Funny)
What is safer (Score:2)
The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.
Re: (Score:2)
The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.
Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device?
Re: (Score:2)
The US government has already proven and the courts agreed that a fingerprint can be compelled. I'd like to use a combination of facial recognition, a fingerprint and a password, and maybe even a physical device. A voice recognition option would be an effective addition as well. Any less and you might as well just not use any security at all.
Why not add a duress password/phrase/keystroke/specific fingerprint that induces a deep wipe of the device?
IANAL, but using it would probably generate an obstruction of justice, or destruction of evidence, charge against you.
The law says you don't have to help LEOs, but you can't hinder.
Re: (Score:2)
The law says you don't have to help LEOs, but you can't hinder.
Or how about developing systems that work only on something you know (passwords), which can't be compelled, and induce a complete wipe if authenticating with something you have (which can all be compelled). Naturally, architect the system with no back doors or failsafes.
Then, in court, you argue against having to provide the, "something you have", on the grounds that it violates your rights. When you inevitably lose, the courts compel you to use the, "something you have". Then, when the wipe is done and
Re: What is safer (Score:3)
How about a duress password/etc. that loads in "fake/misleading data" mode? You could have, e.g., a drive with two encrypted partitions, password silently selects which one gets loaded, other one remains hidden (and encrypted).
Congrats, you just described TrueCrypt.
Re: (Score:2)
You have a legal right to refuse to provide a password under your 5th amendment rights. Purposefully wiping the drive would get you an obstruction of justice charge. You can refuse to speak but lying is a crime. When in doubt just do nothing.
2009 just called (Score:2)
What they really mean: (Score:2)
FIDO? (Score:2)
On the Internet, nobody knows you are a dog.
Retina anyone ?? (Score:1)
Fingerprint reading support (Score:2)
However... fingerprint setup requires me to enter a secondary PIN code, presumably so if it can't read my print after a number of tries it can challenge for the PIN. This seems extraordinarily dumb to me because I already have a password it could prom