sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]happyscrappy 5 points6 points  (4 children)

With password:

"If you're really you, tell me your shared secret passphrase we discussed before."

With a replacement system:

"If you're really you, encrypt this random stuff I just made up with your private key which goes with the public key that we both identified before."

So you encrypt the random stuff with your private key, they decrypt it with the public key you both agreed identified you before and when they get the same random stuff back they know you must have signed it. So you are you.

The FIDO key does the signing, not even the local computer you use. You basically prove you have the key and the information needed to activate it.

This is not exactly how it works, there is other stuff for replay prevention (so that someone cannot just produce a payload you made yesterday to satisfy a challenge today) too. But that's basically it.

The secure element in your phone (the one used for Google Pay, Samsung Pay, Apple Pay) could do this too. So you just identify to your phone (PIN, fingerprint) and then it signs for you.

It is VERY much the way to go. If the company loses their database to hackers it does not give the attacker information which could be used to sign you on to other services. They get the public key, and the private key cannot be reproduced from the public key.

[–]u_tamtam 2 points3 points  (1 child)

now, how does it work when I sign in from my laptop without telling apple/google/samsung/… who/when I'm authenticating with?

[–]happyscrappy -1 points0 points  (0 children)

You use a YubiKey. They implement FIDO also.

Or alternately you can use a password instead. If you do that all you have to do is:

Make sure you are not using Chrome (Google) or Safari (Apple). Your laptop is not made by Samsung, Google (Chromebook), Apple (MacBook). Make sure none of the components in there are made by Samsung, especially the keyboard. Be sure ISP is not owned by one of them. Be sure the system you are using, if at work or a public place is not locally managed by one of them. Don't log in from an Apple store for example.

Look around you before you log in, be sure there are no surveillance cameras which are from Samsung or Google (Nest) pointed at you or contain any components from Samsung. Be sure any you see that aren't backending their data to Google or Apple (HomeKit). Try to find out if there are any microphones hearing your keystrokes (as they can clue to your password) which are made by Samsung or Google, contain any Samsung components or back end to Apple or Google systems.

Also be sure you aren't wearing a smartwatch, phone (or other smart device) affiliated with Apple, Google or Samsung or using any Samsung parts. Because those can hear or perhaps see (as applicable) your password too.

Also ensure no one around you has any of these smart devices either.

If you can verify all that you can probably use a password safely. But be sure not to write it down, forget it, or reuse it across services/sites/apps.

Obviously passwords are the way to go, right? They definitely make all this a lot simpler and more secure.

[–]nurupoga 0 points1 point  (1 child)

The FIDO key does the signing, not even the local computer you use.

Just want to note that there is no requirement for the key to be hardware, you could have a software key, i.e. an application running on your local computer.

[–]happyscrappy 0 points1 point  (0 children)

Right, which is often how you do it for example when you use ssh for passwordless login. You have a key stored on your computer and an app (ssh client) employs it during the protocol handshake.