
I agree with all of this except password managers. If you use a lot of different public computers or temporary work laptops they don’t always let you install LastPass, so I frequently ended up being unable to access my accounts.


I access my manager from my phone and type them in. I would never install my LastPass on a public computer even if they let me.


It would be really cool if you could plug your phone in and it appeared as a USB keyboard device and you could "type" the password from the password manager that way without ever giving the computer access to anything except that password.

Maybe some sort of simple USB dongle (like a yubikey) could be fed by the phone via bluetooth or nfc to do this?


It would be even cooler if I could open an app on my phone, point it at a QR code on screen, and not have anything else bother me


All the QR code needs to encode is a URL pointing to their authentication endpoint. If it's reasonably standardized, any password manager could implement it.

Login would be:

* scan QR code, sees https://megacorp.com/login?session=hexhexhex

* Password manager asks whether you want to log in with account X.

* Negotiates with auth service

* Website receives your confirmed token via websocket

* You're logged in.

And, of course, if you don't have an account, the password manager can get you started creating one.


SAASPASS does this as well.

https://saaspass.com/


This is (sorta) how SQRL works.

https://www.grc.com/sqrl/sqrl.htm


Which, to be fair, is close to how it works inside Apple's walled garden. Logging into iCloud on a new computer will cause the iPhone attached to that account to pop up a "confirm login" dialog, so the second factor for login is as unobtrusive as possible.


No, you still need a password, which also makes it insecure on a public computer (where keyloggers might be installed).

Instead, the better solution would be, you point your phone to a QR code on the computer screen, press “confirm”, the computer is magically logged in, until you then press “log out” on your phone and the computer is logged out.


If an attacker has root on a public computer, a QR code is easily hackable as well: just man in the middle the scan process.

So while you are logged in, the attacker can do anything they want.


The signature of the QR code would need to be accepted by your mobile, not the public computer. I don’t think mitm the QR code process is possible if they sign it. But if the public computer is compromised, anything you log into from that computer is accessible by the attacker anyway, as long as the session is valid.


That’s true regardless of the login method. The benefit of the method I described is that you can 100% log out without any MITM, as you initiate the logout from a trusted device.


Yeah, agreed.


Google does that without needing a QR code if you have a recent Android and haven't enabled 2FA.


How does the communication from the computer to the phone work?


No idea. Presumably a push notification. Within less than a second of providing your email (on fast US data) you get a prompt on your phone that shows the browser model and approximate location and asks you to approve or disapprove the login.

They initially rolled it out as a 2FA option, then as an option for 1FA.


OK so you have to actually type your email into the computer.


Exactly. Google already asked for email alone and then password on the next page so that they could support sending enterprise emails to custom login systems.


You’ve just described SQRL


Yeah, I actually like the way Microsoft and Google do it when it just displays notification or number on my phone. Recently I logged in to a new Windows 10 computer and I didn't even have to type a password anywhere.

Unfortunately I don't see the need to actually fill and type passwords going away any time soon.

I'm mostly complaining about having to either:

1) Install the password manager on a computer to fill in passwords. You end up typing the password manager's password into the computer which could compromise the entire database as well as give the computer other information about your accounts and website usage.

2) Otherwise you have a password manager on your phone. You have to view the password and type it into a keyboard. Typing complex passwords is a pain in the butt. It would be nice if the password manager on my phone could just somehow type it for me. Then the only thing that goes into the computer is the exact password I'm trying to use.


Oh hell that would be amazeballs if it's open source and worked on Windows, OSX, Linux, and could work with a 2FA device like Yubikey. I'd put $20 down for that in a heartbeat.


This seems to be the default for web apps here in China, such as Taobao or JD. Either the home page or the login page presents a QR code, and the mobile app has a scan icon.


Would you sue me if I tried to implement this? That is an amazing idea.


This has been done already, so no. There’s prior art. Look up Clef for one example.

https://en.m.wikipedia.org/wiki/Clef_(app)


I had high hopes for Clef, but unfortunately, it never got the traction it needed.

That would require each site to implement server-side components to talk to Clef, and most sites have been ice age slow to implement basic TOTP never mind yet another method.

Now, if the big existing OAuth sites, your Google, Facebook, Okta, etc implemented a QR code method like Clef then it might work.


I already need to do this to login to LINE on my computer, so no


do it. no one's going to sue for you implementing a random comment brainstorm.


Make sure nobody takes a photo of you showing your qr code I guess.


The QR code would only contain a login challenge, the phone would complete the challenge. Of course that would mean the auth server must be publicly reachable or the phone must be in the same network.


As far as I understood, if somebody else scanned the same token, they would just login with their own account (if they have one).

Whoever logged in first would invalidate the hexhexhex token and the second person would need to start another browser session.
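The QR login flow sketched earlier in the thread (scan, confirm on the phone, browser notified over its websocket, first scanner consumes the token), together with the points raised since about the phone checking the challenge and initiating logout from a trusted device, as an added Python example. It is not code from any commenter, SQRL, Clef or any other product. Assumptions, all constructed: the phone and the auth service share a per-device enrollment secret (as a TOTP app would), HMAC-SHA256 stands in for the "signature", and `megacorp.com`, the account `alice` and the secret value are made up for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed model of the QR login flow discussed in the thread. Not a real
# vendor's protocol: HMAC over a shared enrollment secret stands in for a
# signature so that the demo needs only the standard library.
ORIGIN = "megacorp.com"      # constructed site
CHALLENGE_TTL = 60.0         # seconds an unconfirmed QR challenge stays valid


class Session:
    def __init__(self, token: str, created: float):
        self.token, self.created = token, created
        self.account: Optional[str] = None   # set once a phone confirms
        self.logged_out = False


def phone_sign(secret: bytes, token: str, origin: str, purpose: str = "login") -> str:
    """Phone side: authenticate the challenge AND the origin it was scanned from."""
    msg = f"{purpose}|{origin}|{token}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def phone_scan(qr_url: str):
    """Phone side: parse the QR payload into (origin, token); refuse non-https."""
    parts = urlsplit(qr_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("QR payload is not an https login URL")
    return parts.hostname, parse_qs(parts.query)["session"][0]


class AuthService:
    def __init__(self, device_secrets: Dict[str, bytes], clock=time.time):
        self.device_secrets = device_secrets   # account -> enrolled phone secret
        self.sessions: Dict[str, Session] = {}
        self.clock = clock

    def new_login_qr(self) -> str:
        """Browser opens /login: mint a single-use token, return the URL to render as a QR."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, self.clock())
        return f"https://{ORIGIN}/login?session={token}"

    def confirm(self, token: str, account: str, response: str) -> bool:
        """Phone posts its response after the user presses confirm."""
        s = self.sessions.get(token)
        if s is None or s.account is not None or s.logged_out:
            return False   # unknown, already consumed, or dead: first scanner wins
        if self.clock() - s.created > CHALLENGE_TTL:
            return False
        secret = self.device_secrets.get(account)
        if secret is None:
            return False
        # Checked against the service's OWN origin: a challenge relayed through a
        # look-alike domain produces a response over the wrong origin and fails.
        expected = phone_sign(secret, token, ORIGIN)
        if not hmac.compare_digest(expected, response):
            return False
        s.account = account
        return True

    def websocket_status(self, token: str) -> Optional[str]:
        """What the browser's websocket is told: the logged-in account, or None."""
        s = self.sessions.get(token)
        return None if s is None or s.logged_out else s.account

    def logout(self, token: str, account: str, response: str) -> bool:
        """Logout initiated from the phone, so it works even if the computer is hostile."""
        s = self.sessions.get(token)
        if s is None or s.account != account:
            return False
        expected = phone_sign(self.device_secrets[account], token, ORIGIN, purpose="logout")
        if not hmac.compare_digest(expected, response):
            return False
        s.logged_out = True
        return True


def demo() -> Dict[str, object]:
    secret = b"constructed-enrollment-secret"        # constructed per-device secret
    now = [1_000.0]                                   # controllable clock for the expiry case
    svc = AuthService({"alice": secret}, clock=lambda: now[0])
    out: Dict[str, object] = {}

    origin, token = phone_scan(svc.new_login_qr())
    resp = phone_sign(secret, token, origin)
    out["first_confirm"] = svc.confirm(token, "alice", resp)
    out["replayed_confirm"] = svc.confirm(token, "alice", resp)    # token is single-use
    out["browser_sees"] = svc.websocket_status(token)

    # Same challenge shown to the phone via a look-alike page on another domain.
    _, token2 = phone_scan(svc.new_login_qr())
    bad_origin, _ = phone_scan(f"https://megacorp-login.example/login?session={token2}")
    out["relayed_confirm"] = svc.confirm(token2, "alice", phone_sign(secret, token2, bad_origin))

    _, token3 = phone_scan(svc.new_login_qr())        # challenge scanned too late
    now[0] += CHALLENGE_TTL + 1
    out["expired_confirm"] = svc.confirm(token3, "alice", phone_sign(secret, token3, ORIGIN))

    out["logout"] = svc.logout(token, "alice", phone_sign(secret, token, ORIGIN, purpose="logout"))
    out["browser_sees_after_logout"] = svc.websocket_status(token)
    return out


if __name__ == "__main__":
    print(demo())
```

Binding the response to the scanned origin is what makes a relayed QR code fail at the server, and keeping the logout path on the phone is what lets the user end the session without trusting the public computer.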


I know of a couple banking apps that use this. Super handy!


The EspUSB Tiny can pretend to be a USB keyboard and mouse, and it fits inside a USB socket. I've built prototypes already, and I've found a manufacturer for scaling up, but it's stalled since August because of certification issues.

It wouldn't be hard to add encrypted password storage to the EspUSB firmware. The difficulty is that you need to know the keyboard layout of the destination computer.

Keyboards don't send a letter "A", they send "shift" + "a". If your computer's language setting is French, or German, or Chinese, etc - things get complicated fast.

To make it worse, passwords need to use special characters (not just a-z). Sure, it's not unreasonable to ask you to change the keyboard layout, because you're on Hacker News and are therefore pretty good with computers. But this would limit an average user.

The other problem is that it types the password as plain text, which is a bit insecure. If I have to carry a dongle and change settings on the client, why not make the dongle do some sophisticated key pair exchange with the client app?

It's a good idea for another EspUSB demo app, but I worry that it couldn't find mass market adoption as a product. Without sales of over 10,000 devices, it's not possible to pay off the FCC certification lab, and I haven't got a solution for that.
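Why the destination computer's keyboard layout matters for a dongle that types passwords, as an added Python example. This is not the EspUSB firmware or any commenter's code; it models a small constructed subset of the USB HID keyboard usage table (letters, digits and a few punctuation keys) with US and German host layouts, encodes a password into (modifier, key) reports the way a dongle would, and shows what a host configured for the other layout actually receives.

```python
# Added, constructed model of a HID-typing dongle versus the host's keyboard layout.
# Usage ids follow the USB HID keyboard/keypad page (0x07); the character tables
# are a small subset for demonstration, not a complete layout definition.
from typing import Dict, List, Tuple

SHIFT = 0x02  # LeftShift bit in the HID keyboard report's modifier byte

# US layout: usage id -> (unshifted, shifted). Letters a-z are usages 0x04-0x1D,
# digits 1..9,0 are 0x1E-0x27, followed by a few punctuation keys.
US_LAYOUT: Dict[int, Tuple[str, str]] = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    US_LAYOUT[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    US_LAYOUT[0x1E + i] = (lo, hi)
US_LAYOUT.update({
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"),
    0x38: ("/", "?"),
})

# German (QWERTZ) host: the same physical keys produce different characters.
# Only keys that differ from US are listed. '@' is AltGr+Q there and is not modelled,
# which is exactly the "special characters" problem the comment describes.
DE_LAYOUT = dict(US_LAYOUT)
DE_LAYOUT.update({
    0x1C: ("z", "Z"), 0x1D: ("y", "Y"),                       # Y and Z swap places
    0x1F: ("2", '"'), 0x20: ("3", "§"), 0x23: ("6", "&"), 0x24: ("7", "/"),
    0x25: ("8", "("), 0x26: ("9", ")"), 0x27: ("0", "="),
    0x2D: ("ß", "?"), 0x2E: ("´", "`"), 0x2F: ("ü", "Ü"), 0x30: ("+", "*"),
    0x33: ("ö", "Ö"), 0x34: ("ä", "Ä"), 0x36: (",", ";"), 0x37: (".", ":"),
    0x38: ("-", "_"),
})

Report = Tuple[int, int]  # (modifier byte, key usage id), one key press each


def encode(password: str, dongle_layout: Dict[int, Tuple[str, str]]) -> List[Report]:
    """Dongle side: a keyboard sends key positions, so the dongle must assume a layout."""
    reverse: Dict[str, Report] = {}
    for usage, (lo, hi) in dongle_layout.items():
        reverse.setdefault(lo, (0, usage))
        reverse.setdefault(hi, (SHIFT, usage))
    reports: List[Report] = []
    for ch in password:
        if ch not in reverse:
            raise ValueError(f"{ch!r} cannot be typed as shift+key on this layout subset")
        reports.append(reverse[ch])
    return reports


def decode(reports: List[Report], host_layout: Dict[int, Tuple[str, str]]) -> str:
    """Host side: the OS maps each usage id through ITS configured layout."""
    return "".join(host_layout[usage][1 if mod & SHIFT else 0] for mod, usage in reports)


def typed_as(password: str, dongle_layout, host_layout) -> str:
    """What ends up in the password field when dongle and host disagree on layout."""
    return decode(encode(password, dongle_layout), host_layout)


if __name__ == "__main__":
    pw = "Zebra@2"  # constructed sample password
    print("US dongle, US host:", typed_as(pw, US_LAYOUT, US_LAYOUT))
    print("US dongle, DE host:", typed_as(pw, US_LAYOUT, DE_LAYOUT))
```

A dongle that assumes US and a host set to German turn the sample password into a different string, and a password containing a character that needs AltGr on the host layout cannot be typed with shift+key at all, so the dongle would have to know the host's layout (or avoid such characters) to be reliable.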


> The other problem is that it types the password as plain text, which is a bit insecure. If I have to carry a dongle and change settings on the client, why not make the dongle do some sophisticated key pair exchange with the client app?

I kinda prefer simplicity. What if the dongle breaks, gets lost, or some change in the environment makes it impossible to run the client or perform this sophisticated key pair exchange? Locked out, fun.

My keyboard can generate passwords, but I could generate the same passwords on paper (or, more likely, using a piece of software running on some other device) without ever connecting to the device where I'm going to enter that password.


This is why I would prefer a dumb thing that's driven by my phone via a secure channel. I view the alternative as typing my password on the keyboard.


Very doable. I also want(ed) this. There are some old kernel patches on github that extend the android USB driver to also be able to register as an HID device.

I also tried kicking the android driver and just using (iirc) usbfs or what it was called so you could implement HID in userspace and repurpose old phones while kicking android. But the vendor kernel stopped compiling :/

This would imo be a really interesting application to repurpose old android phones.


I also looked into this but was disappointed when I found that android support for USB HID only goes in one direction. You can attach a keyboard to your phone, but your phone cannot act like one. There are so many useful use cases for a phone as a keyboard, it is too bad...


Yeah, this is why you either need to disable the android usb driver and use the default linux ones (enabling which broke the compile for the vendor kernel on my device)

Or patch the android stuff to add HID support: https://github.com/pelya/android-keyboard-gadget


Yes but that rules out making a popular app out of it.


That's exactly what KeoPass[1] does: a biometric key (your fingerprint), that behaves like a no-driver-needed USB dongle/keyboard.

Your grandpa could use it to secure his crypto wallet.

[1] https://www.keopass.com/index_en.html


> Your grandpa could use it to secure his crypto wallet.

For a certain sense of "secure". Because fingerprints aren't. Not just because you leave them everywhere, but because the way we examine fingerprints doesn't have a result that is particularly unique.

Not even at the criminal case-law level [0][1].

That fingerprints are unique is an assumption, but it doesn't match our reality. They're useful for eliminating from a known small pool, not matching against a large group.

Many of the elements we match against run in families.

[0] https://mccoll-law.com/attorney-profile/37-general/38-finger...

[1] https://www.telegraph.co.uk/science/2016/03/14/why-your-fing...


I guess what I wonder about there is how do you deal with various password "rules" when generating the passwords? I really have no idea what that thing is doing. How does it know which password goes to which website? How do you create multiple passwords from your fingerprint?


You can use a Teensy. I have a prototype that communicates to a Teensy over a serial connection and types in a pw from an app. Could use wifi or bluetooth too.


Pardon my ignorance but if you're worried about the computer being compromised so that they could somehow access your LastPass, why would you even use it for any authenticated work in the first place?


Having the one thing you logged in to compromised is a lot better than having ALL your logins compromised.


Particularly if you have a working mobile connection. But there are so many work things one can’t do on a smartphone.


They used to have a mobile page you could login to. It was really plain but it did what it did best: provide an easy and clean way to access your passwords when you are somewhere. It was something like https://lastpass.com/mobile ...


It would be even cooler if there were no possible vector for the computer to then compromise your phone, but I don't really see that happening.


That gets old very fast too though. Copying a long and complicated password manually is pretty grim.


And then you've got your phone open, displaying your password to shoulder surfers, for as long as it takes to type in your password.


I have a hard enough time typing 4mfkD.Q.27cC8,'@eG}a4{\* , I am very much not worried about a "shoulder surfer" either seeing the cleartext password on my tiny phone screen, or watching all of those keystrokes without me noticing them.


I'd be more concerned about it getting caught on camera.


You should never, ever, ever type a password on a public computer.


Upvote. You have no way of knowing if that computer is compromised, say with bogus root SSL certificates to allow MitM of ostensibly secure web sites.


What if you store passwords for non-ssl sites in your password manager? I have passwords for some really old mailing lists that don't use SSL and had a big warning that they're completely insecure on the page. I especially don't want to use a shared password if it has a decent chance of being compromised, but if I cared if that account got compromised I wouldn't have set it up.


So basically, you should never use public computers for anything beyond looking at YouTube anonymously?


And searching things that you can't search for at home or on your phone.

The kinds of things that people get put on a watchlist for, like where to buy industrial quantities of hydrofluoric acid.


For scenarios like this, where the hardware is untrusted, Yubikey type devices are really the only solution (where the device can present as a user input device, and provide the necessary string secret). Everyone else can use a password manager.

EDIT: If you're on an untrusted device, should you really be putting secrets into it? Maybe not!


Use KeePass on a USB drive with a key file. You won't have to type a password or transmit anything over the internet.


LastPass (like all other good online password managers) has a web UI.


I had an employer that blocked access to lastpass.com to discourage that sort of thing. I guess the idea is you shouldn't be using a work computer for personal stuff and you shouldn't put work passwords on a 3rd party site. In reality, things aren't split that cleanly, so the block was annoying.


Which is why at a previous employer, everyone just stuffed all of it in a spreadsheet, with expiry dates, and last logged in times.


That actually sounds pretty secure; if the computer had a reasonable password and FDE, you've just implemented a hacky password manager. Even without FDE you're better than anyone who writes it down on a sticky or uses something trivial.

Unless they're using Excel functions to generate password{n++}. That'd be clever and yet horrid at the same time.


Although at most workplaces your documents are just a folder on a shared drive somewhere, which may not be secured well and in some cases not secured at all.


I used a little php script to do the password generation, and yes, we did use FDE.


If the script is accessible to other people I suppose you have to worry about it being hacked, especially if you let php get out of date or take input in say password length?


That's an even bigger reason to use password managers. Use a mobile app and 2FA.


You can use the Lastpass site on any computer without the browser extension.



