@beausimensen I totally get that. Like I said, I think we were on the same page just using slightly different explanations. I've never taken "something you are" as a means of authentication due to the immutable nature of identifiers. Even beyond someone stealing a fingerprint or whatnot, there are serious issues.
My brother and I are 6 years apart by age. Everyone thinks we're twins. Apparently so did his Samsung phone that unlocked for me. ;-)
FaceID and TouchID (and the non-trademarked implementations) merely prove presence, not intent. See also: toddlers unlocking phones while their parents are asleep, fingerprints compelled by law enforcement, etc.
@beausimensen @heiglandreas @ramsey Whether it's a username, email address, account number, or biometric - these are all identifiers. Part of authenticating to a system is identifying who you are. Then you verify that identification with further factors (i.e. password, TOTP, FIDO token).
That's where the "something you are" comes from - it's your identification.
It removes the something you know (password) from the flow. The confounding factor is that an iPhone used for FIDO 2FA will let you unlock the device with biometrics. But those biometrics are to unlock the device. Not to auth to an app/service.
Again, YubiKeys, you unlock those just by pressing a button. No biometrics at all.
FIDO is a universal second factor API that leverages keys stored in secure hardware for auth. A good example: YubiKeys.
The broad support by MS, Apple, and friends is to leverage the hardware/software implementations they manage to support the protocol. With phones/laptops you can use biometrics to unlock them.
But that is to unlock the machine, and the secure implementation is what's used to auth.
@heiglandreas @ramsey The nuance here is that the "something you have" isn't the biometric. It's the device. Well, specifically an interface on the device. The biometric is used to unlock the device to auth to another service.
I do get your point, tho. But the fingerprint/selfie isn't the auth factor here. It's the device itself that supports FIDO.
@heiglandreas @ramsey That being said - I still vastly prefer 3 factors (are, know, have) to 2. Identity is already public, so relying on only 2 factors means you're only as secure as that second factor - which is either your memory (passwords) or your device (hardware token or other FIDO integration).
Having all three makes it harder to steal your account. But if _only_ using 2, leveraging device security is likely stronger than a memorized password anyway. It's all about your threat model ...
@heiglandreas @ramsey There are always at least two factors. "Something you are" is your username/email identity. Up till now we've relied on "Something you know" (password) and relegated "Something you have" to an additional factor.
But human memory sucks and passwords are super fallible. FIDO has already been leveraged (successfully) as the "something you have" leg in authentication. This broader support means it can (maybe) remove the reliance on human memory (passwords) entirely.
@Stoori Two reasons I stayed:
1) I wanted this platform to be a success
2) I paid for a 3-year server lease to run my instance ;-)
@ramsey Yeah, this was a 32yo Corolla. Great car, but it didn't move for over a year and we were getting tired of needing to jump it to keep things functional. Made a deal with a friend who will take good care of it 🙂
Early into the stay-home orders, we realized we didn't really need 2 cars. Because we expected things to open up, we suspended coverage on my wife's Toyota. Great, premiums go down!
Now we've sold the car. Reached out to my agent to remove it entirely. Great! Premiums went up.
Wait, WENT UP?!?! wtaf?
(Removing a vehicle with suspended coverage apparently INCREASED my premium ...)
Browser-based crypto gets a bad rap because of how easily broken the secrecy part of it has become. Every browser could have tens of men in the middle (other browser extensions) eavesdropping on your side of the conversation.
The question is whether this is "good enough" security for this particular use case. I think it could be ...
It's not _quite_ OTR (but similar). It's also not a double ratchet (Signal) but the ephemeral keys provide similar utility and allow for multiple parties in the convo.
Everything could be implemented using the SubtleCrypto API as it stands today with broad platform/browser support.
The only thing to think through is threat model.
Ephemeral keys mean each message is independent. Even if you somehow decrypted one message in the convo you won't be able to read any others (i.e. perfect forward secrecy).
Given the way things are structured, such a scheme could fit into Mastodon today with minimal changes - maybe even as a browser extension to test it out?
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!