Correct me if I am wrong, but passwordless login is a single-factor authentication and less secure than MFA. Depending on whether a hardware key is more or less secure than the password, the mass adoption of this could make things LESS secure.
> passwordless login is a single-factor authentication and less secure than MFA
If you go from MFA to fido2, maybe. If you go from single-factor password, to single-factor fido2 - it's likely security will improve. A lot.
> Depending on whether a hardware key is more or less secure than the password
It is:
A password can be sniffed, filmed, inferred from sound recording.
You don't know when someone knows your password; a key will be missing (or copied, but that's supposed to be Very Difficult (tm)).
A password is unlikely to encode as much entropy; certainly any password/phrase you actually type in. 128+ bits of entropy is surprisingly hard to encode in a manageable size (it's 16 completely random binary bytes).
Now, if the assumption is that the alternative is an ssh key locked on a device, additionally protected by a pin... maybe the fido2 is slightly less secure.
But if you try and list the failure modes / do some threat modelling, I think you'll see it ends up a close race.
It would certainly pair well with "something you know" - eg a pin/password with somehow proper rate-limiting.
I would expect things to be more secure in many cases. People are pretty good at keeping physical items somewhat safe and notice when they’re gone. Yubikeys cannot easily be cloned. The password cannot be attacked remotely. 2FA is certainly safer, though.
The standard in high-assurance applications is to present a PIN to the hardware token before it can be used, ideally through an out-of-band keypad.
In this context, it would be reasonable to have the Yubikey require a PIN entry from the computer. You could use the same PIN for all sites because it stays local; the relying party never handles it, only the Yubikey.
Passwords are utterly broken. All the entropy of memorizable passwords among humans has probably been extracted by this point. All they give you is a false sense of security. The password portion of 2FA is mostly theater, conditioned on the notion that passwords are broken. Hardware keys are the way of the future.
So in this case, aren't the two factors a) physical possession of desktop/laptop and b) the Yubikey? How likely is it you'll lose both if you keep your keyring with you?
Not sure, reading the article, why I would need the computer. The way I read it, you enter the key to any computer and it logs in to the account of the key owner. Am I wrong?
FTA: "Organizations will soon have the option to enable employees and customers to sign in to an Azure AD joined device with no password, by simply using a Security Key to get single sign-on to all Azure AD based applications and services."
Emphasis added. Device needs to be paired with Company's AD first.
I also imagine that there are options for making e.g. the device unlock only require yubikey, but login to SSO require 2nd factor.
What you need is a mechanism to detect loss of contact with the human and revoke. One way is to require several hardware tokens to combine their entropy to authenticate. Again, don't make a password be a part of this, use another token.
Single Factor: This only requires possession of the security Key to log in, allowing for a passwordless tap-and-go experience.
Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.
I think best practice will be that you can log in with single-factor and see basic stuff, but if you want to do anything more critical, like money related or changing email, depending on context you are forced to use two-factor.
Also, if it's at least approximately equal to password security, this is a very welcome option. Most services I use I just want access easily.
That is confirmed in the "How does this work?" section. Your concern is addressed in the "Why is this important?" section. The key is definitely more secure against cracking than a password. It is more vulnerable to being physically stolen, but for most people, that is a lower risk.
Friends or family can't read your mind, but they can steal your physical key.
People putting pins on their phones or passwords on their laptops are not afraid of being pirated. This is a vague, abstract threat to them. Becoming part of a botnet is really not important to them, and them getting their credit card stolen from the web is really not credible enough for a non-tech-savvy user.
What they are afraid of is other people looking at their stuff. Internet history. Pictures. Their clear text personal documents.
Besides, a key is annoying. Where do you think they will store it when they travel? In the same bag as the laptop. So you steal the bag, you steal the password.
Friends and family can also steal your credit card, but this is not where the majority of credit card theft comes from.
Your example of people leaving the key with the laptop is a good example of one of the potential flaws, but just like if your credit card gets lost or stolen, you report it and it becomes unusable.
I agree that there is room for 2FA, but this is also surely preferable to the current system.
> Friends and family can also steal your credit card, but this is not where the majority of credit card theft comes from.
This is a false equivalence because knowing someone's credit card data only allows you to do one thing which happens to be pretty detectable: using their credit card for yourself.
Knowing someone's password allows you to know one or more of their secrets, including many applications that are virtually untraceable for the average user. So the deterrence factor is much lower in the second example making it much more likely that a nosy parent / sibling / SO will take a person's key.
> There's no reason that using a password/key can't be just as detectable as using a credit card.
That's not my point. The status quo is that people get alerted if something uses their credit card inadvertently and don't have similar alerts for uses of their password other than in a handful of situations like Gmail logins.
It's definitely not impossible for people to keep tabs on their logins, but this isn't how the Average Joe operates.
Switching to a hardware based login system and getting centralized alerts when that login is used is likely going to be the default, not some pipe dream.
Plus, there's also the obvious solution for potentially stolen and misused keys... just add a PIN.
Anyone in the world could crack your password. (Well, any of 2.5 billion people with an internet connection.) Requiring a physical key instead cuts the attack surface down quite a bit. If you can secure your car and house keys, you can secure this.
You use it much more often than those keys. And really people don't care about being pirated by a stranger. They care about their spouse learning you still talk to your ex. Or your sibling getting a picture of you that is embarrassing.
I think you should elaborate on the specific threat model you're describing. Are you assuming a dumped database? Or are you talking about a brute force against an online service?
That is exactly the question a user should ask themselves. I can't answer it for anyone else. But for your two cases, the key is more secure because there is no relatively short password that can be guessed. An attacker has to brute force the cryptographic key, which should be infeasible. Passwords are easier to crack online or offline, unless you've picked a password with 112 bits of entropy.
> brute force the cryptographic key, which should be infeasible.
Not only infeasible - physically impossible, in fact (barring quantum computers). Just 128 bits of entropy would take 1e16 (10 quadrillion) years to brute force at 1e15 attempts per second. :)
For example if you have good physical security and limit passwordless login to physically secure machines via AD computer groups, this may protect you from remote attackers.
If however organizations allow the use of this over the internet from "any" endpoint then this completely replaces a password 1:1 and theft/loss of the Yubikey could be a major problem.
This could also be used only on a single layer of your security. For example passwordless VPN authentication but then a password/2F is required for actual user login.
Unless you're asserting that the hardware token is just as crackable as a password, it's not a 1:1 replacement. The problem with passwords is that you have 10,000 users and more than one of them has a bad password. The problem with hardware tokens is that I've stolen your token. So passwords are vulnerable to bots, while the hardware token requires a human to find/steal something and connect it with a specific account.
I'd be open to hearing the right context, since I read it the same way. "Replaces PWs 1:1" is only true in the context of... the attacker only uses stolen passwords and doesn't rely on password dumps? Even in a targeted attack scenario, where the attacker would have to specifically target you to steal creds, this is better, as they'd now have to physically find you and take the key.
FIDO2 passwordless login can use a device-local PIN as a second factor, like a conventional smart card. The hardware key then acts as both first and second factor.
This is the point that I think too many people don't understand.
If your password is leaked, your username/email has probably been leaked as well.
If your hardware key is lost, assuming it wasn't stolen by someone who has specifically been trying to get your credentials, then there's nothing to tie it to you. You're still going to get a new key and change the locks, but you know it happened.
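Added example, not part of the thread or written by any of its participants: it works through the numbers quoted above (how much typing 128 or 112 bits of entropy takes, how long exhausting a 128-bit key takes at 1e15 guesses per second) and models why a short PIN checked locally by the token with a retry counter holds up. `TokenPin`, the retry limit of 8 and the sample PINs are assumptions made for illustration, not a real token API.

```python
import hmac
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def symbols_needed(bits, alphabet_size):
    """Uniformly random symbols needed to carry `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every value of a `bits`-bit secret at a fixed rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


class TokenPin:
    """Model of a token-local PIN check with a retry counter (hypothetical)."""

    def __init__(self, pin, max_retries=8):  # retry limit is an assumed value
        self._pin = pin
        self._max = max_retries
        self.retries_left = max_retries

    def verify(self, guess):
        if self.retries_left == 0:
            raise PermissionError("token locked, reset required")
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.retries_left = self._max  # a correct PIN resets the counter
            return True
        self.retries_left -= 1
        return False


def guesses_before_lockout(token, digits):
    """Walk the PIN space in order; return (found, guesses the token accepted)."""
    for tried, n in enumerate(range(10 ** digits)):
        try:
            if token.verify(f"{n:0{digits}d}"):
                return True, tried + 1
        except PermissionError:
            return False, tried
    return False, 10 ** digits


def pin_guess_probability(digits, max_retries):
    """Chance that a holder of the token hits a random PIN before lockout."""
    return min(1.0, max_retries / 10 ** digits)
```

With these assumptions, 128 bits needs 20 random printable-ASCII characters or 28 random lowercase letters, while a 6-digit PIN behind an 8-try counter leaves someone holding the token a chance of 8 in a million.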