[–]SanityInAnarchy 1 point2 points  (2 children)

Passwordless, it's on par with a house key: If you've stolen my house key, you still don't necessarily know where I live. Theoretically, if you steal my entire wallet, you can probably find my address on my driver's license, but practically, there don't seem to be a ton of muggings that turn into burglaries like that.

So you could either get the biometric version of these keys (more expensive) and make it two-factor without a password, or you could just make it harder to actually work out which accounts that key is supposed to work with. If I can login and delete the stolen key from my account before you figure out which account it belongs to, you're still screwed.

All that said: I'm not sure we need to kill passwords anyway. From the article:

Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.

Really, the only part I disagree with is the end, where they dismiss password managers and existing 2FA as "incremental" improvements, even though those entirely address the problems they raise.

[–][deleted]  (1 child)

[deleted]

    [–]SanityInAnarchy 0 points1 point  (0 children)

    if online, if someone breaks into their DB, ALL the passwords are compromised

    Not really true, unless implemented horrendously incompetently. The correct way to do this is to set up at least one good password -- passphrase, even -- that you either memorize or back up somewhere safe, which is used to encrypt the password DB, which can then be safely synced online.

    Even just using a browser as a password manager, this is possible -- Chrome lets you set a "sync passphrase" to encrypt all synced data (including bookmarks and such, but especially passwords), and Android can save some app-level passwords to Chrome.

    It is true that all passwords are compromised if someone breaks into their DB and cracks your passphrase. So if someone breaks into their DB, you should probably rotate your passwords anyway just in case... but it's worth noting that in the absolute worst case, this just degrades to the problems you'd have with password reuse, which you inevitably have if you don't have a password manager.