Google's Login Chief: Apple's Sign-In Button Is Better Than Using Passwords (theverge.com) 78

After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them." RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password...

Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there...

People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

  • " While the login buttons are relatively simple, they're much more resistant to common attacks like phishing " - Wtf. Like phishers can't skin the button graphic and link it to anywhere on their own pages? Fucking genius claims again...

    • Like phishers can't skin the button graphic and link it to anywhere on their own pages?

      Ok, let's say they did - what does that do for them?

      It's not like they can put up a copy of a site and add that button, as it will not pass them credentials for the real site.

      It's not like they can set up a site and get credentials from a real login button on a fake page, because again the phishers would not get credentials they could use to gain access to other sites.

      In fact a phisher would be way better off putting up a

      • It's not like they can put up a copy of a site and add that button, as it will not pass them credentials for the real site.

        What does Apple sign-in do to prevent this? Standard OAuth doesn't prevent it.

        • by guruevi ( 827432 ) on Sunday June 16, 2019 @09:03PM (#58773714)

          It doesn't use username + password to authenticate. Google/Facebook etc., by default, simply generate a login page to Google/Facebook within your browser and then perhaps do two-factor authentication. Everything stays within the browser, and that can be phished: the attacker sends you to a "login" page where you enter your Google/Facebook credentials, which it could then use to modify your Google/Facebook second-factor authentication settings; you then get a 'push' to authenticate the attacker into adding another second authentication device. It works with Duo two-factor as well; I've seen a number of institutions hacked that way.

          When you click the Apple button, it sends a challenge to Apple which then forwards it to your device and only to your device, so you never enter your username or password in your browser session. It's basically doing the second step of two-factor authentication first. Moreover, Apple doesn't communicate "your" username or e-mail (which Google/Facebook do, and which is information that could be leveraged for immediate or future attacks on your account or for spear-phishing). Apple generates a brand new identity on the fly for that particular website and it doesn't disclose any information other than what you choose to share.
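          The question a few comments up ("What does Apple sign-in do to prevent this? Standard OAuth doesn't prevent it.") is only half answered by what Apple does on the device side; the other half is what the website's backend does with the identity token it gets back. The following is an added example, not code from the article, Apple, or any commenter, of the checks a relying party must make on the RS256-signed identity token before trusting it: pinned algorithm, signature against Apple's published key, issuer, audience, expiry, and the nonce that ties the token to the browser session that started the login. Because the example has to run offline, `mintToken` and a locally generated RSA key stand in for Apple's signer; `clientID`, the `kid`, and the sample `sub`/`email` values are placeholders I made up. Real tokens are verified with the key fetched from https://appleid.apple.com/auth/keys matching the token's `kid`, and the code below assumes `aud` is a single string as Apple issues it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// appleIssuer is Apple's documented issuer value; clientID is an assumed
// placeholder for this relying party's Services ID.
const (
	appleIssuer = "https://appleid.apple.com"
	clientID    = "com.example.relyingparty"
)

var b64 = base64.RawURLEncoding

// claims is the subset of identity-token claims the relying party checks.
type claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"` // stable per-user, per-developer identifier
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
	Email string `json:"email,omitempty"` // may be a @privaterelay.appleid.com address
}

// mintToken signs claims as an RS256 JWT. It stands in for Apple's signer so
// the example runs offline; a real relying party never holds this key.
func mintToken(priv *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "example-kid", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken validates the token's signature and claims. pub is the Apple
// key selected by the token's kid; expectedNonce is the value the relying
// party generated and stored in the user's session before redirecting.
func verifyIDToken(token string, pub *rsa.PublicKey, expectedNonce string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must not get to choose (alg=none, key confusion).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != appleIssuer:
		return nil, fmt.Errorf("issuer %q is not Apple", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued for %q, not this client", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case expectedNonce == "" || c.Nonce != expectedNonce:
		// A token obtained in some other session (or replayed) does not carry
		// this session's nonce, so a phishing page cannot inject one here.
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Apple's key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	nonce := "n-0S6_WzA2Mj" // in practice random per login attempt, stored in the session
	tok, _ := mintToken(priv, claims{Iss: appleIssuer, Sub: "001234.abcdef.5678", Aud: clientID,
		Exp: now.Add(10 * time.Minute).Unix(), Iat: now.Unix(), Nonce: nonce,
		Email: "xyz123@privaterelay.appleid.com"}) // constructed sample values
	c, err := verifyIDToken(tok, &priv.PublicKey, nonce, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted subject:", c.Sub)
	_, err = verifyIDToken(tok, &priv.PublicKey, "some-other-session", now)
	fmt.Println("same token presented in another session:", err)
}
```

          The nonce check is the piece that matters for the phishing argument: the relying party keys its account on `sub` (not on the relay e-mail, which is per-app and changeable) and only accepts a token carrying the nonce it minted for this browser session, so a token captured or minted for some other page is useless here. Exchanging the authorization code with Apple's token endpoint, which requires a client-secret JWT, is a separate step not shown.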

          • When you click the Apple button, it sends a challenge to Apple which then forwards it to your device and only to your device so you never enter your username or password in your browser session

            Nice, Apple's on top of it.

      • by Luthair ( 847766 )
        For an attacker phishing a SSO would be a lot more valuable than phishing a password for most random websites.
  • by Anonymous Coward

    No, they're not necessarily more secure than (well-managed) passwords. They do cost you-the-user a lot of control. Google is "surprisingly sunny" about this because even if the market (for "login") is split five ways, hey, that's only four other parties to deal with. Not several hundred million users that keep on forgetting their passwords.

    The spiel is "security", but the actual gain for google et al. is control.

    • They do cost you-the-user a lot of control.

      What I like about Apple's button is that you gain a lot of control over what the login gives the company you are logging in to. Look at the videos in the WWDC keynote of how it works, or watch the first part of the WWDC 19 Introducing Sign In with Apple [apple.com] video to see in more detail how it works. This is Slashdot, wouldn't you want some technical detail?

      You can choose if you want to give them any aspect of the information they are looking for. If you only want th

  • So the guy who runs the bank says the best place for your money is the bank. Got it.

    • by Freischutz ( 4776131 ) on Sunday June 16, 2019 @03:05PM (#58772654)

      So the guy who runs the bank says the best place for your money is the bank. Got it.

      No, it's more like he said that putting your money in a bank vault is better than hiding it in cardboard boxes, books and other nooks and crannies all over your house. Furthermore he's saying that Apple's bank vault is better because they don't let Tom, Dick and Harry in there to borrow your money without your consent and they don't make your financial data available to anybody willing to pay them for it:

      Apple today announced a "Sign in with Apple" button -- that is similar to sign-in buttons from Twitter, Facebook or Google that allow users to quickly login to a range of services using their social media account. But unlike any existing solution, Apple is focusing on privacy. From a report:

      More importantly, you can choose to hide your email address, and Apple will generate a random email ID visible only to that particular app that'll forward all emails to your main email ID. Plus, this method creates a unique random email for each app, so that they can't track you and your personal data. The new sign-in feature is available across MacOS, iOS, and websites.

      • by Anonymous Coward

        Even more important, they're tracking EVERY TIME you come to the bank. Any deposit, any withdrawal, they're writing it down and making that available to marketers around the world - for any purpose. They don't ask why.

        On top of that, the bank is now trying to sell you fake Gucci purses and trick you into spam raffles and ridiculous home furnishings you don't need or want.

        I don't know about you, but I always thought the wealthy and successful strove to have some measure of discretion and privacy rather than m

    • Comment removed based on user account deletion
      • by dgatwood ( 11270 )

        And regarding the putting all your money in one basket problem, the FDIC is the reason that it is safe to put all your money in one bank. Before that, you would have needed to have several banks to be safe from, for example, the run on banks during the Great Depression.

        A similar concern exists here. What I want most in terms of website authentication is for every website to allow me to authenticate my website account using more than one of these login buttons. That way if one of those accounts (Facebook

  • by Anonymous Coward

    It's about me not giving Apple, Facebook, Google, et al even more power over me.

    It's about me not giving even more info about my online behaviour to the data scrapers of the internet.

    But no... the constant mantra is, "Just trust us! Tell us everything!"

    Mark Zuckerberg put it best: "They trust me... the dumb fucks."

    • Why are you lumping Apple in with Google and Facebook in the same basket of distrust?

      I agree with you about those two, I don't use login with Google/Facebook if I can avoid it (and have dropped signing into many services because that was all they offered for login). I don't want them mining my data.

      But Apple is a very different case, we know they don't mine data. Why? Because they have no motive to. I don't trust what companies say, I fundamentally value motivation - I know Facebook and google both have

      • by AmiMoJo ( 196126 )

        They could easily sell that data to other companies. I have no evidence that they do, but then again no one has any evidence that Google does, and people are still happy to assume that it's happening anyway.

        If we apply the same absurd standard to both, we must conclude that Apple is also evil and selling your data.

        In fact, I think the only one of the three that does is Facebook.

        • by N1AK ( 864906 )
          I think SuperKendall was overstating the difference, and I'm not a massive fan of apple generally, but I do think there is a notable position between Google and Apple even ignoring what they may do but we aren't aware of.

          Google makes most of its money by giving other companies ways to target me with products. Done properly this may well mean that the individual companies don't have knowledge about me, but it still means that information Google gathers about what I do is mined aggressively for insight abo
          • by AmiMoJo ( 196126 )

            Google has always been good about presenting useful information, with a few ads alongside. For example you can't pay them to appear high in the search results, only in the advertising areas on the page.

            I take your point though. Personally I block Google ads and trackers anyway, so while they still get some information about me it seems like a decent trade off for the services I get. I could pay for Apple stuff to use their system, but I dislike being locked into that payment to avoid the hassle of changing

  • It's a bad idea to have all your money at one financial institution.

    A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

    • It's a bad idea to have all your money at one financial institution.

      It is still better than having it all in one cookie jar.

      • by Anonymous Coward

        Actually it's not. The cookie jar doesn't snitch you out to the world of marketers and it doesn't take 30%.

  • Google's Login Chief

    CLO: Chief Login Officer!

  • There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

    Sounds great, until someone steals your ATM card number and drains your bank account. Then those 12-inch thick steel doors do nothing to protect you. The vulnerability is never the hardened bank vault, it's the shoddy technology around the electronic systems. It pains me that there's still no commonly available way to get physical currency out of an ATM other than to trust the security of an easily copied magnetic strip and an almost as easily clonable 4-digit number.

    I cancelled all of my "debit" cards a few ye

    • No common way to do that in the USA. Everyone else moved on to chip and pin ages ago. The stripe on my Canadian bank card really only exists just in case I travel to the states. Why American banks are stuck in the past is beyond me. (I guess that's not actually true; I know they're greedy and cheap.)

      • by guruevi ( 827432 )

        a) The banks in the US are insured for those kind of occurrences, you always get your money back. In the EU they simply say "we got chip and pin, no way you got hacked"
        b) Chip and pin attacks have been known for about a decade before chip and pin was demanded in the EU. Chips can be cloned and there are various other attack vectors, it's relatively easy to find methods and gangs in South America and Europe.

        Obviously the banks in the EU never have to pay up for those hacks even though it requires only a litt

        • by N1AK ( 864906 )
          I've lived in Europe and had cards since before chip and pin came in. I have never heard a first hand story of someone not being funded. Each of the, perhaps 4-6, cases of card fraud I know was handled without issue for the user.

          My father-in-law had his wallet stolen on the train from Naples to Amalfi. He noticed within 30 minutes but they'd already managed to spend a few hundred euros on a debit card before he could reach the bank and lock it out. The card had already been stopped because of other trans
      • Comment removed based on user account deletion
    • by rtb61 ( 674572 )

      The real problem is when the for-profit corporation controlling all access to all your internet accounts decides to take it away. One corporation controlling all your access and whether or not you can log in any more, to your bank, to your internet, to insurance, to shopping, to anything. You are now the child and the corporation is your parent, deciding who you can or cannot log in to.

  • > A better metaphor might be a bank

    Minus the two *most critical parts* of banking - there is *insurance*, and there is *liability*. You will never convince me that you are interested in maintaining your locks and 12" thick steel doors if you have no liability in the case of failure.

    A proper risk assessment of federated SSO makes it a completely untenable solution as a practical matter given the current regulatory and legal environment.

  • (Also known as the most colossal blunder of all time.)

  • Apple always on top
  • There are several people who log into "apps" using Google sign-in or Facebook sign-in and use them on all platforms. Think of Instagram. Where is the Apple login SDK for Android apps that will offer the same login experience? Hate it or not, Facebook won a lot of users & developers that way.

  • Are these guys basically inventing OpenID [wikipedia.org], or is there some important difference?
