Follow

As a ploy to make our future passwordless Big-Tech is trying to use phones as an alternative to a USB stick to incorporate FIDO.

krebsonsecurity.com/2022/05/yo

SSO has definitely eased the option of making multiple accounts for multiple services and I wish there were more open source alternatives out there compared to the two big ones: Google and Facebook.

Afaik all what Big-Tech is trying to do is use the ssh key pair that most developers use as their daily standard, available to the common person. This is definitely a win in that regards.

Though it seems like it opens the door to more tracking and easier data compromise if the phone is taken away from oneself. Most people probably use fingerprint or facial unlock for convenience to get into their phones, which is a very poor security feature. The swipe or pin (length 4) options are a bit more secure, though can easily be brute forced. The password is still the most secure option to unlock a device.

The problem I see is that although Big-Tech is trying to tackle phishing attacks on common users, they really aren't educating the user. Since they are putting one more obstacle in the potential attackers way from the off-site attack. But they are also removing one obstacle from on-site attacks.

Time will tell if this security change will be an improvement or not.

I can imagine that attackers will use similar strategies as they do now to get access to Google accounts. Plus it seems like that attacks onto Google accounts will be more rewarding, since Google stated that they will be storing these keys in every users account. Looks like this might create an even bigger gold mine once a Google account has been hacked.

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.