Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Netscape Privacy Security Silicon Graphics Cellphones Network

Silicon Valley Legends Launch 'Beyond Identity' To Eliminate All Passwords (securityweek.com) 143

SecurityWeek editor wiredmikey shares new that Jim Clark and Tom Jermoluk (past founders of Netscape, Silicon Graphics and @Home Network) "have launched a phone-resident personal certificate-based authentication and authorization solution that eliminates all passwords."

Security Week reports: The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape some 25 years ago and still the bedrock of secure internet communications). It is the opportunity provided by the modern smartphone with biometric user access, enough memory and power, and a secure enclave to store the private keys of a self-certificate that never leaves the device that is new. The biometric access ties the phone to its user, and the Beyond Identity certificate authenticates the device/user to the service provider, whether that's a bank or a corporate network...

"When this technology was created at Netscape during the beginning of the World Wide Web, it was conceived as a mechanism for websites to securely communicate, but the tools didn't yet exist to extend the chain all the way to the end user," commented Jermoluk. "Beyond Identity includes the user in the same chain of certificates bound together with the secure encrypted transport (TLS) used by millions of websites in secure communications today...."

With no passwords, the primary cause of data breaches (either to steal passwords or by using stolen passwords) is gone. It removes all friction from the access process, takes the password reset load off the help desk, and can form the basis of a zero-trust model where identity is the perimeter.

Though they're first focusing on the corporate market, their solution should be available to consumers by the end of 2020, the article reports, which speculates that the possibility of pre-also installing the solution on devices "is not out of the question."
This discussion has been archived. No new comments can be posted.

Silicon Valley Legends Launch 'Beyond Identity' To Eliminate All Passwords

Comments Filter:
  • by Mal-2 ( 675116 ) on Saturday April 18, 2020 @04:40PM (#59962956) Homepage Journal

    I refuse to pay to carry around a tracking device at all times. If someone insists that I do so, they can pay for both the phone and the contract. This already causes problems with certain services -- Yahoo mail, my bank -- who keep pestering me for a cell number and "I don't have one" is not an option.

    • Mal-2, we need to verify your ID before approving this post. Please present for anal-scan in t-minus 15 minutes!
    • by backslashdot ( 95548 ) on Saturday April 18, 2020 @05:24PM (#59963080)

      Me too. I don't ever use the internet either. Never have, never will.

      • by NFN_NLN ( 633283 )

        How come this, and almost all other Slashdot posts are a 1/3 of the size of the "Claim That Covid-19 Came From Lab In China Completely Unfounded Scientists Say" post?

        Does "Beyond Identity" not have pockets as deep as the CCP?

    • by Darinbob ( 1142669 ) on Saturday April 18, 2020 @07:13PM (#59963440)

      I refuse to pay to carry around a tracking device at all times. If someone insists that I do so, they can pay for both the phone and the contract. This already causes problems with certain services -- Yahoo mail, my bank -- who keep pestering me for a cell number and "I don't have one" is not an option.

      I like certificates, vastly superior to passwords. But, two factor authentication has a major flaw - you have a device you can lose, forever. What's the backup for when you drop your phone in the river by mistake? I've got to use two factor at work, and it's very annoying to pull the phone out 10 times a day just to give approval. But if I lose it, I have an IT department to figure out how to get back in. (it's unclear how the system works for those without phones)

      Also - top notch security is NOT needed for the vast amount of stuff that's on the internet. Most of it is fluff. So what if someone steals my slashdot account, it's much less important than my bank account. So my more complicated passwords are for the bank, and the dumb passwords for those sites that demand that I register before I can look at it. When the highest security is needed for fluff sites, then users will start treating security like an inconvenient bother; that's why so many re-use passwords because so many sites require them to register so that they can be monetized.

      I doubt people pushing for two factor here are concerned about the users as much as they just want more users to register more often and more conveniently so that more ads can be served up to target them.

      • What's the backup for when you drop your phone in the river by mistake?

        You go to the service provider (T-Mobile in my case), present a physical ID card, and tell them your security code. Then they sell you a new phone with the same phone number. Then you set up new certificates on your new phone.

        • So the cert has the phone number on it? Good for easy tracking across all your apps and web sites so that you get served up the right ads.

          • So the cert has the phone number on it?

            Of course not. Why would it?

            • Then to keep your credentials with a new cert you need to know what they are, and they'll be credentials not tied to a phone. If it's just your account name, then that varies with every site (unless people use their email everywhere and never change emails or use fake throwaways).

        • Oh boy... sim-jacking version 2.0.

          • Oh boy... sim-jacking version 2.0.

            Sim-jacking would only get you the phone number, not the certs.

            If your old phone had a cert from your bank, you will still need to authenticate yourself to your bank to get a new one. The obvious way to do this is to go to a branch and authenticate with 3 factors: Your physical ID card with a photo that matches your face (something you are), your ATM PIN (something you know), and your phone (something you have).

            Sim-jacking would only get you 1 out of 3.

            Additional factors could also be used. My bank has a

      • The technology used is not new, being based on X.509 certificates

        So in other words it's failed before it even started.

        Sheesh, this is exactly what certificates were supposed to do in X.509v1 in 1987. We've been trying for over thirty years to get these things to work for this purpose and failed every time, what makes them think it'll magically work now?

        • by AmiMoJo ( 196126 )

          The certificates are not the problem, managing them is. To make this practical they need to have come up with a practical, easy way to manage certificates, which is what they are claiming to have done.

          They aren't the first. Google had this sorted a few years ago. Certificate stored on your phone, uses Bluetooth to talk to your computer, log in by unlocking your phone and tapping a prompt that automatically appears. The certificate is managed as part of your Google account and synced with all the devices you

          • They're vastly superior to pre-shared keys. The infrastructure for trusted CAs is the hard part. So public certificate authorities can be iffy, and the IT guy who annually forgets to renew is inevitable. But we have a private set of CAs for devices and customers and it provides good security.

      • I like certificates, vastly superior to passwords.

        True, but still need a master password. Biometrics have their own problems. You can be forced to scan your fingers, face, eye, whatever. Even if courts decide evidence obtained that way is inadmissible, bad guys will still do it.

        Granted passwords are subject to "$5 wrench" cracking, but that requires more effort on the part of the bad guys.

        • No, master password either if used right. You can do an entire security system based around it. Each new device has to both acquire a new certificate of trust and then trust the cert strongly. it's not the same necessarily as what's done on the web now.

      • by AmiMoJo ( 196126 )

        2 factor auth should provide you with a set of backup codes. The idea is you save them once somewhere secure, like a safe in your house or well backed up and encrypted password manager. If you ever lose your second factor you can use those codes to get into your account and set up a new one.

        The codes are long enough as to be impractical to brute force.

        For work they should set you up with something more convenient. With Android you can use Bluetooth on your phone to avoid having to copy/paste codes. Even bet

      • It seems to me that this problem is already solved, as has nothing to do with passwords.
        All of my important accounts (Amazon, Paypal, my password manager..)
        use hardware 2FA in the form of a FIDO key.
        You can have as many as you want, so losing your phone won't lock you out.
    • by gweihir ( 88907 )

      I do carry a phone sometimes, but why would I be so insane as to trust it?

  • Heh (Score:5, Insightful)

    by Rockoon ( 1252108 ) on Saturday April 18, 2020 @04:40PM (#59962958)
    Lose your phone... lose your identity...
    • Comment removed based on user account deletion
      • And I hope they'll include a way of de-authorizing a phone for all services at once if it gets stolen and the thief forces you to give the passcode. Otherwise they'll have perpetual access to everything.

    • Re:Heh (Score:5, Insightful)

      by lgw ( 121541 ) on Saturday April 18, 2020 @05:28PM (#59963098) Journal

      Or if your phone gets hacked, which is where most attention is focused these days. It's getting to be pretty hard to find a new browser exploit these days, but it's easy to put a look-alike app with a malware payload on an app store. People run all sorts of shit on their phone, thoughtlessly. Already phone-based two-factor systems are discouraged, as phones are so easily compromised.

      • by AmiMoJo ( 196126 )

        Security on phones hasn't been that primitive for a long, long time. They don't just store the cert in a random file that any old app can access.

        The cert will be stored in the phone's secure element. Only verified, signed code is allowed to access it. Unless the malware author also hacks Apple or Google they can't sign their code with an Apple or Google chain of trust.

        If malware does get that far them you are completely screwed anyway and no alternative will be any better.

        • Yeah... it says "biometrics".
          And you believe those boneheads can develop anything that can't be trivially circumvented?
          Maybe leave that mind box of yours, I don't know... ;)

          This will be the same as with FaceID again. Where the son(!!) of a woman could unlock it with his face.
          Or, for an Android example: Where the malware came with it straight from the factory!

          Any "secure enclave" the user doesn't have full access to, will be one where an outside element that the user should not trust will have access to. Hac

          • by AmiMoJo ( 196126 )

            So what is more secure in your mind, a password that has probably been re-used 20 times already and leaked at least a dozen, or a certificate stored in the phone's secure element and protected by biometrics?

            On the one hand some random person on the other side of the world can get that password from a leak or just guess it and access your account. On the other they need to somehow physically steal and unlock your phone, or infect it with some zero day malware that is worth millions but for some reason they d

        • by lgw ( 121541 )

          If malware does get that far them you are completely screwed anyway and no alternative will be any better.

          You have the great and excellent alternative of not trusting your phone for anything important! Phones are simply toxic when it comes to security. Do not use them in any way in any security context.

          And yet, financial institutions everywhere are still sending texts to phones as a TFA approach. Texts!

      • by sad_ ( 7868 )

        indeed, my biggest concern.

        mobile devices certainly are not the most secure, just because they are mostly always not up-to-date with their security patches, if you're still lucky enough to get them. i alread avoid doing anything involved with money on them, so i don't see me using them for replacing my passwords to everything.

    • by Jahta ( 1141213 )

      And, of course, it's perfectly reasonable to want to have different identities for different activities, rather than "one ring to rule them all". Who wants to use the same identity for both online banking and social media, for example?

      • That's a feature. When you post on social media, we can then properly credit or debit your bank account, depending on how socially acceptable your content is deemed.
    • Drop or otherwise break it and you are in a similar situation. No need to actually lose the thing. One accident=one nightmare.

    • Re:Heh (Score:5, Interesting)

      by Solandri ( 704621 ) on Saturday April 18, 2020 @09:48PM (#59963916)
      That problem is solved if you scale this back one notch from "eliminate all passwords" to "eliminate all but one password." The app on your phone which validates your identity needs a password. That's the only password you ever need to remember (so make it a good one). if you lose your phone, you just install the app on your new phone. Tell it who you claim to be, and the app restores your (encrypted) personal cert from a backup. You then enter your password. If your password is correct, then your stored certificate decrypts properly and you're back in business. If you enter the wrong password (or someone trying to claim they're you enters the wrong password), then your backup cert decrypts into gibberish and is useless.
    • by AmiMoJo ( 196126 )

      This was solved decades ago for 2FA. When you set it up you also get backup codes you can use to recover your account. You keep them somewhere safe and never use to them to log in.

  • by fred911 ( 83970 ) on Saturday April 18, 2020 @04:42PM (#59962964) Journal

    Now I feel good because we all know how secure TLS is. No MITM attacks have ever been found and all the certificates are surely safe.

  • so... (Score:3, Insightful)

    by Your Average Joe ( 303066 ) on Saturday April 18, 2020 @04:43PM (#59962968)

    when a three letter agency clones your phone and eSIM they can get your identity as well to check your bank account... What stops the bad guys from doing the same?

    • Re:so... (Score:4, Interesting)

      by lessSockMorePuppet ( 6778792 ) on Saturday April 18, 2020 @04:48PM (#59962978) Homepage

      What stops the bad guys from doing the same?

      What stops my kids from buying all the things, now that we've done away with all passwords? We're expected to use biometrics as the root of this, like the fingerprint readers that don't work if your finger is modestly wet or the print just changes a bit over a month?

      • like the fingerprint readers that don't work if your finger is modestly wet or the print just changes a bit over a month?

        That's why we should use a finger prick like in Gattaca [imdb.com]. Perfectly foolproof.

      • The password to unlock your phone is not covered by this tech. This tech is for all the sites your cell phone talks to. Keep your phone locked and your kids (or anyone else) can't get into it.
        • by Calydor ( 739835 )

          So forgetting to lock your phone once because, oh, the dog wanted to be let in means EVERYTHING is unlocked.

    • by AmiMoJo ( 196126 )

      They aren't talking about using your SIM for anything. The certificate will be stored in the phone's secure enclave and the phone will communicate over Bluetooth or the internet to supply 2nd factor authentication. You don't even need a SIM or an active phone contract, it will work with devices like tablets that don't even have a cellular modem.

    • when a three letter agency clones your phone and eSIM they can get your identity as well to check your bank account... What stops the bad guys from doing the same?

      The same thing that stops the “good guys”: that none of this info is stored in a place that would get cloned. If you clone a phone, this info would still be secure on the original device, having not been copied.

      To be clear, this isn’t stored in the phone’s flash or SIM. This is stored in a dedicated Secure Enclave chip that can be written to but which does not permit direct reads. You can ask the Secure Enclave for things like a 2FA OTP or an authorized/unauthorized response to a bio

  • Three questions: (Score:4, Interesting)

    by ludux ( 6308946 ) on Saturday April 18, 2020 @04:51PM (#59962982)
    How does it preserve user privacy? What happens if you lose your phone? Without passwords how do you securely change between accounts?
  • OK let me get this (Score:5, Insightful)

    by oldgraybeard ( 2939809 ) on Saturday April 18, 2020 @04:56PM (#59963000)
    straight. I am supposed to keep all my credentials, work, private whatever in a device under someone else's control. ie smartphones?

    Just my 2 cents ;)
  • by Generic User Account ( 6782004 ) on Saturday April 18, 2020 @05:00PM (#59963006)
    That's not "beyond identity". It is literally the complete erosion of anonymity. Shove it where the sun don't shine. There will be a cold day in hell before I cryptographically sign everything I do online. If Amazon or anyone else doesn't want my business then, they'll lose it.
  • by richardtallent ( 309050 ) on Saturday April 18, 2020 @05:11PM (#59963040) Homepage

    A large percentage of people these days change their cell phones more often than they change their passwords. I'm all for replacing passwords, but this isn't it.

  • by theurge14 ( 820596 ) on Saturday April 18, 2020 @05:18PM (#59963058)

    Many vendors already offer this. ADFS + MDM + SCEP/Identity Cert based solutions abound. I fail to understand how this new announcement is different?

    • by 93 Escort Wagon ( 326346 ) on Saturday April 18, 2020 @05:22PM (#59963076)

      But those existing solutions don't benefit the venture capitalists behind Jim Clark and Tom Jermoluk!

      • Must be. I just read the entire thing again and am taken aback at how these two describe IDP authentication as if they invented it.

        • by jezwel ( 2451108 )

          Must be. I just read the entire thing again and am taken aback at how these two describe IDP authentication as if they invented it.

          Jim Clark and Tom Jermoluk (past founders of Netscape

          The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape...

          When this technology was created at Netscape

          Is the summary at all correct? 'Cause that might answer your question.

          • Is the summary at all correct? 'Cause that might answer your question.

            I just dug through several of the RFCs which define the use of X.509 certificates, and neither of these guys' names appear anywhere. Nor do their names appear in the RFCs related to SSL, nor anywhere in the "History" section of Wikipedia's Secure Sockets Layer page.

            • Did a little more reading... Tom Jermoluk had nothing to do with Netscape. James Clark was a computer scientist and one of the founders of SGI, but his role with Netscape appears to have been mostly as a funding source for Andreesen. He invested 4 million at the beginning, which eventually earned him more than a billion dollars.

              • *made*. Not earned.

                Don't confuse the two.
                The latter implies you actually worked for it just as much as the ones paying you that money. And I don't think it is even physically possible to work enough hours of a work being worth that much per hour in one's entire lifetime, to *earn* one billion dollars.
                It is profit. Profit is what you made. The opposite of what you earned.

          • Just SSL, not IDP/SP, X.509, SAML or any other parts of actual identity management.

    • "The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape some 25 years ago and still the bedrock of secure internet communications). It is the opportunity provided by the modern smartphone with biometric user access, enough memory and power, and a secure enclave to store the private keys of a self-certificate that never leaves the device that is new."

      Yeah, who greenlighted this nonsense? Every MDM/UEM vendor out there already does all of this, and has for several yea

  • I'll bet I'll still have to log in three times on my work computer. 1) log on to laptop 2) log onto VPN 3) log onto SolidWorks PDM vault. If I'm really quick with the VPN log in I don't have to log in to the PDM vault. It's a game of quick reaction.
  • by DaveV1.0 ( 203135 ) on Saturday April 18, 2020 @05:28PM (#59963096) Journal
    All someone will have to do is steal one's personal certificate which will be on a device of questionable security. What could possibly go wrong?
  • by Rick Schumann ( 4662797 ) on Saturday April 18, 2020 @05:53PM (#59963194) Journal
    I also don't believe having the 'keys to the kingdom' for everyone stored in one place is ever going to be secure, it's more likely to just make it easier to steal. Considering the dismal record just about everyone has for data security, shit like this would just be setting up another Equifax breach-style theft situation that will screw everyone. No thanks, I'll stick with passwords.
    • I can't live without my (a) smartphone, but I applaud your insistence. Keep it up!
  • I had this exact setup about 15 years ago and know of many that did the same, it was a fucking pain in the arse, worse than passwords. We used it for various custom apps. Lose your device, forget your device, need to replace your device and you are suddenly up shit creek.
  • I mean yes, I want to go passwordless...but the companies that let us log in to their servers must set their system up for it.

    I guess this is a way to package up the method, and advertise the idea. But I'm honestly pissed we're still using the security ideas from NASA in the 60's or whatever it was (when they created the password rules we still live by).

    And I'll fully say the few times I tried to work with certificates were hellish. I just thought that was enterprises having special expensive tools I don'

  • ID card = ID phone (Score:3, Interesting)

    by gavron ( 1300111 ) on Saturday April 18, 2020 @06:41PM (#59963338)

    TL;DR - Having a charged updated "accepted" phone is a problem. Have to be online even in the desert or on water or airports. Biometrics suck for authentication since everyone knows where your finger (or retina is) and how to get it.

    FIRST: The phone has to be there and it has to be charged and updated.
    It used to be we didn't have to carry an identification document (ID). Then cops decided they get to ask us for our driver's license whether we're driving or not. Now apparently we'll have to carry a SMARTPHONE and YOU BETTER KEEP IT CHARGED if you know what's good for you. In Nazi Germany they would say "Papers?" then "Your papers... are not in order." I can see it now "You phone?" "Your phone is not properly charged or updated or running our favorite OS of the day be it Android, or something stupid." I can't imagine if they start saying "Oh your huawei phone no longer qualifies so go buy a new phone." Or if Trump's phone-selling buddies make theirs the required phone to have. /yeck

    SECOND YOU HAVE TO HAVE A NETWORK:
    I live in Arizona. It's a beautiful state (we have the Grand Canyon) and nice people. In some areas though there is NO network coverage. That means I can't verify a certificate chain, log into a website, generate a validation code, or do much more than observe the time.

    THIRD BIOMETRICS ARE AN ATTACK VECTOR
    Biometrics are useful as ONE part of a multi-factor authentication scheme. To be the only scheme is to require everyone to have their password emblazoned on their shirt. Maybe on the inside of the shirt. Sure, we don't know what your password is, but if we grab your shirt and open up the buttons, there it is. Like fingerprints. Or retinal scans. Anything that is FIXED FOR LIFE and CAN'T BE CHANGED and is known to the black hats as to where it is is a BAD AUTHENTICATION SCHEME.

    The concept of fixing 'the password' problem is good. The conceptualization they've articulated is entirely worthless.

    Security researchers (who didn't start Netscape or other has-been firms) are blanching.

    E

  • by netik ( 141046 ) on Saturday April 18, 2020 @06:42PM (#59963340) Homepage

    This should be handled as U2F and FIDO was handled. There shouldn't be a new company for this.

    Adoption of this should be standards based and should be a cooperative effort across the industry.
    (Also this sure feels like reinventing FIDO/FIDO2 for profit.)

    Also, once your certificate is stolen, unless it's strongly encrypted (which, what's that? You need a password and PIN for) you're hosed. I'd really rather have a Yubikey.

     

    • by Bengie ( 1121981 )
      Modern phones can act as a FIDO device. As long as it's protected with a PIN that will self-destruct on too many failed attempts, sounds valid. Just wait for the first parent who gives their phone to their child and gets too many failed attempts and bricks their phone for authentication to all of their sites.
      • Modern phones can act as a FIDO device. As long as it's protected with a PIN that will self-destruct on too many failed attempts, sounds valid.

        This isn't necessary. A much less destructive brute force mitigation is to enforce exponentially-increasing delays between allowed authentication attempts. Set it up so that it would take a decade or two, on average, to brute force a four-digit PIN and that should be good enough. It's unlikely that a device could be kept alive and functioning long enough to give the attacker significant odds of guessing (assuming a randomly-chosen PIN).

        Just wait for the first parent who gives their phone to their child and gets too many failed attempts and bricks their phone for authentication to all of their sites.

        I call this the "toddler attacker". Luckily, a simple exponential ba

        • by Bengie ( 1121981 )
          Exponential backoff won't help when someone clones your phone, captures the memory, and can bypass any runtime. The whole point of bricking is to protect against offline attacks where the environment cannot be trusted. At least for security keys, the point is to destroy the secrets if an insecure environment is detected. It technically doesn't brick the device, it just makes it useless until reset, at which point you have to re register the device as it will now have a new randomly generated identity.
  • by scdeimos ( 632778 ) on Saturday April 18, 2020 @07:22PM (#59963460)

    ... wait until we have to use PKI certificates for everything.

    Remember these things don't last forever - they expire after some period of time, e.g.: 12 months. Currently we have password managers that allow us to have a different password on each of hundreds (/thousands) of accounts and it's relatively easy to change a password on a given site if and when the need arises. Once we replace passwords with PKI we now have to visit each and every one of those hundreds (/thousands) of accounts every 12 months to provide our new public key - before the old one expires! Do not want, thanks.

    • Nobody likes PKI certs because people like doctors and accountants share their passwords with their personal assistants. PKI's are more diffiiclt than post-it notes. Secondly Microsoft, and a few others recently patched some certificate checking flaws that did not check. iterate down. Boy, what a backdoor, up there with heartbleed. Thirldly the USA CLOUD Act allows silent compromise of the private key issuers/signers who all seem beholden to US law. Compromise right there. Fourth: Phone Tools.Professiona
  • I hear some devices are starting to come with integrated FIDO2 security keys. Think a Yubikey like feature built into every device.
  • by WaffleMonster ( 969671 ) on Saturday April 18, 2020 @07:50PM (#59963560)

    I don't understand why people keep attempting to (poorly) reinvent client certificates. They've been around now for what now ... two decades? Why not just use them and dispense with all the "patented" proprietary bullshit? What's the point in any of this?

  • Anyone see a problem with this?
  • Maybe the exact way U2F (or whatever the latest version of that thing is actually called these days) works isn't perfect but the basic idea seems good.

  • Police can require you to give your fingerprints and face image. They cannot currently require you to cough up your passwords.
  • The name is 100% Orwellian, it 100% requires that you constantly confirm your identity via you personal spy device.

    You know what is beyond identity? - A f***ing PASSWORD.

  • I stopped reading at "biometric".

    These people know nothing.

  • by Plugh ( 27537 )
    Surely I cannot be the only geek who l follows Steve Gibson and Security Now! THIS is how you do secure passwordless auth, on ALL devices https://www.grc.com/sqrl/sqrl.... [grc.com]
    • SQRL is too simple and secure of a design to wind up at most people needing a chip implant to avoid the key management headaches.

  • I don't hear any scientific or technical information, only business. When you ask all the questions posed here, their answer is ... crickets

"Pull the trigger and you're garbage." -- Lady Blue

Working...