Zach Faddis

Why haven't asymmetrical keys replaced passwords yet?

imagined security scheme:
1. Generate public/private key pair
2. share public key when creating account with whomever.
3. when logging in, account will send you random string
4. your browser will encrypt string with private key
5. account will decrypt string with your public key, if it is the same string they sent, you are authenticated.

- The biggest problem I see with this is not wanting to use unsecure computers because you would have to share your private key with that computer to log on, but the same could be said for passwords.

- convincing people to carry around a usb stick containing keys seems much easier than convincing them to choose and track dozens of hard to guess/bruteforceable passwords.

pretty sure this could all be done over http, with a browser extension to handle the authentication on client end
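
The login flow from the post above, as an added example that is not part of the original thread: step 4 is done as an Ed25519 signature over the challenge, which is the operation "encrypt with private key" amounts to in practice. The function names, the one-minute expiry and the binding of the signature to the site origin are assumptions made for this sketch.

```javascript
const nodeCrypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60_000; // assumption: a challenge is valid for one minute
const accounts = new Map();      // username -> public key (step 2)
const pending = new Map();       // username -> { nonce, expires } (step 3)

// Step 2: the account stores only the public key, so it holds no login secret.
function register(username, publicKey) { accounts.set(username, publicKey); }

// Step 3: a fresh random challenge per login attempt.
function issueChallenge(username, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(32);
  pending.set(username, { nonce, expires: now + CHALLENGE_TTL_MS });
  return nonce;
}

// Assumption beyond the post: the signed message also covers the site origin,
// so a response produced for a different site does not verify here.
function messageFor(origin, nonce) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), nonce]);
}

// Step 4 (client): sign the challenge; the private key never leaves the client.
function signChallenge(privateKey, origin, nonce) {
  return nodeCrypto.sign(null, messageFor(origin, nonce), privateKey);
}

// Step 5 (server): verify with the stored public key; a challenge is single-use.
function verifyLogin(username, origin, signature, now = Date.now()) {
  const publicKey = accounts.get(username);
  const entry = pending.get(username);
  pending.delete(username); // consumed even on failure, so a response cannot be replayed
  if (!publicKey || !entry || now > entry.expires) return false;
  return nodeCrypto.verify(null, messageFor(origin, entry.nonce), publicKey, signature);
}

// Demo on constructed values (user name and origins are made up).
function demo() {
  const origin = 'https://example.test';
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519'); // step 1
  register('alice', publicKey);
  const sig = signChallenge(privateKey, origin, issueChallenge('alice'));
  const ok = verifyLogin('alice', origin, sig);
  const replay = verifyLogin('alice', origin, sig); // same response, challenge already used
  const other = signChallenge(privateKey, 'https://other.test', issueChallenge('alice'));
  return { ok, replay, wrongOrigin: verifyLogin('alice', origin, other) };
}

console.log(demo());
```
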

@zacharius I think that this is basically what WebAuthn is doing (with the addition of username-like features and per-website key pairs).

@zacharius The two issues I see with this are that 1) people are totally going to lose their USBs -- so then they're screwed. 2) USB sticks are a super easy way to inject malicious code into a new computer. I've heard of companies with software that auto-formats USB devices upon being plugged into the computer.

How are you seeing this model as more secure than a password manager?

@sgparent I agree that portable drives are a problem and the best practice would be to only store keys on personal devices. This would be a limitation in that you wouldn't be able to log on through any device, but most people carry computers around with them everywhere so I don't think that is too much of an issue.

@zacharius @sgparent this is how smart card based authentication works. The smart card both holds the key and does the signing. If the smart card is lost it won't work without a PIN. It also self erases after enough failed attempts.

Keys beat passwords because I don't have to trust a 3rd party with my private key, like I do my passwords. Smart companies store hashes instead of keys anyway but I don't want to have to trust that companies have sane security practices.

Also it is much more manageable to keep track of a keypair than dozens of passwords. I am relatively educated on security and I still reuse most of my passwords. It's not functional to maintain sane security across dozens of accounts with passwords.

@zacharius @sgparent a key is just one factor authentication. The key needs to be protected with a password to actually provide increased security.

@octesian @zacharius I was mostly replying to the idea of keeping this smart card as a USB-based drive.

@zacharius Not suitable in all situations, key loss, initial validation.

I'd like to see a physical token, NFC, physical approval system. Signet rings. Separate identifiers per service / organisation. Expiring identifiers.


@zacharius You also still have the problem of key exfiltration, or impersonating the remote site. As well as trust and reputation.

@zacharius Minilock! Minilock! Minilock!

(I hope Minilock is actually as secure as it claims; I have no way of telling. I just love the idea of a super-short public key being my identity, and its matching super-short private key being automatically generated from my username and passphrase).

@zacharius client side ssl certificates are (handwaving) basically this. Here's an article from *10 years ago* lamenting that they never caught on.

@zacharius Keep in mind that with PKI you can have entirely unauthenticated /transactions/, by instead authenticating / encrypting /content/.

Post to site, and GPG-sign post. Send private message, encrypted to recipient.

Problem here is that there's massive metadata leakage. CCC have covered this in recent years IIRC.

There's also the directory / routing problem.
