Apple Just Killed the Password–For Real This Time

wired.com

5 points by derevaunseraun 4 years ago · 8 comments

eternityforest 4 years ago

Not really a fan of passwordless.

I want my login credentials synced to all devices, and to not need an extra piece of hardware.

Until Android and Linux can somehow sync, I'd much rather have Passwords that Bitwarden can easily manage and sync.

Passwordless will be great eventually but it doesn't seem to be ready for general use yet. We need APIs for apps to be able to provide virtual software implemented authentication the way password managers currently provide autofill.

Otherwise, you're stuck with either no sync, or some OS provided sync solution locked to one company.

Bad passwords aren't really an issue unless you're manually creating and remembering them.

We just need to stop the losing battle of telling people to make their own secure passwords out of words and numbers, and focus on password managers and 2FA.

derevaunseraun (OP) 4 years ago

This is a red flag with regard to privacy. I have a feeling that they will push this sort of login the same way that they pushed 2FA, except the only difference being that for 2FA you can get different phone numbers and not compromise on privacy. In the case of biometrics, this makes it so that anonymity no longer exists.

But in what way does this do any better than 2FA security wise, aside from convenience? imo 2FA is already overkill. I think the real reason they want this is it makes it easier to push federated login, easier to connect data points to a single identity for advertising.

My stance on this is that I refuse to use any sort of biometric login or service. I refuse to use any product that has it as a strict requirement.

  • dane-pgp 4 years ago

    I think you're absolutely right to take that stance, especially as biometrics either allow you to be biologically tracked or require trusting some inscrutable hardware[0] to do some hashing for you (which can likely be reversed, or might not be doing hashing at all).

    On the issue of "federated login", though, I think that modern efforts to replace passwords do consider the threat model of adversaries trying to correlate your identity between sites, so the standards at least support you using unique keys between sites. If Apple wanted to track which sites you were visiting, it probably has simpler ways than subverting the login process, so I would need extra evidence to believe that was the danger/intent here.

    [0] I've argued elsewhere that the requirements for supporting "device attestation" mean that we are effectively building DRM for human identity, with all the scope for abuses that that entails. Here's a Twitter thread that makes this point very well:

    https://nitter.net/sleevi_/status/1392903827712512001
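The per-site key isolation dane-pgp refers to, as an added example that is not code from this thread, from Apple, or from the FIDO/WebAuthn projects: a toy authenticator in Go that mints a fresh P-256 key pair for every relying party and binds each signature to the RP ID hash, so two sites end up holding unrelated public keys and neither can verify an assertion made for the other. The RP IDs `site-a.example` and `site-b.example` are constructed placeholders, and the signed-data layout is a simplification of real WebAuthn authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a toy passkey store (constructed for this example): one fresh
// key pair per relying party (RP) ID, never reused across sites.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a new P-256 key pair for rpID; the site only ever learns the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs sha256(rpID) || challenge, mirroring how WebAuthn authenticator data
// carries the RP ID hash, so a signature is only meaningful to the site it was made for.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}

// Verify is the relying party's side: it knows only its own rpID and the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
// SameKey is the check two colluding sites would need to pass to correlate a user.
func SameKey(a, b *ecdsa.PublicKey) bool { return a.Equal(b) }
```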

onedognight 4 years ago

Funny, my Apple ID still has a password. So does every site I use. This has the potential to be great, but it’s an unrealized benefit at this point.

Vladimof 4 years ago

So use something that doesn't change (your fingerprints or face), to create something that should be able to be changed?
