WebAuthn+ Unhackable Authentication (Why Fido will fail.) [video] (youtube.com)

Authentication is a mess.
User names and passwords are not secure and are difficult to manage.
MFA can be hacked and has been deprecated (White House memorandum on January 26, 2022).
For almost ten years the FIDO Alliance assured everyone they knew what they were doing and then all of a sudden (March 27, 2022) they say, “Oops, that’s not working out so we are now working on a new plan.”
FIDO's "new and improved" technology, Passkeys (https://fidoalliance.org/passkeys), has major problems (detailed in our video). Most significantly, FIDO's "new and improved" technology opens a security back door. No kidding. Any senior developer or application architect who reads about FIDO's new technical architecture will have an “Oh my God!” reaction.
A tech startup in Austin has solved the authentication problem in a very elegant way. We hope you will watch this brief video, read our technical whitepaper (https://medium.com/@mduffy_48393/webauthn-unhackable-authent...) and pass them along to your friends and colleagues.
We hope that the experts in the Hacker News community will try to tear this technology apart.
Other than malware, we think there is only one threat vector against WebAuthn+ (detailed in the video). The first person on this forum to discover another threat vector wins a free pizza (large, three topping, extra cheese if you want; seriously, we will call the order into the pizza shop of your choice).
Our technology is open-source and "mostly free", so the entire world will benefit from an evaluation by the Hacker News community.
The following text is from the script to our video:
In order to make this all work, we had to create our own version of the Chromium browser: “Nexus Chromium”. This prototype version of Chromium writes the domain name characteristic through Web Bluetooth from the browser application context [strong emphasis], and not from the JavaScript context, which can be easily hacked by anyone creating a fake web page.
In order for the bad actors to compromise your authentication under WebAuthn+ they would need to install malware on your system or install a completely fake version of the Chromium browser on your system.
In that case it is game over for every authentication system: the bad actors have won... and you should probably replace your anti-malware program and/or your corporate IT staff.
Under WebAuthn+ your authentication cannot be compromised by clicking on a phishing link and going to a fake web page or by any of the other advanced attacks.
WebAuthn+ cannot be compromised even if there is a complete breach of the server data because the user's private key is stored securely on his/her mobile device and never leaves the mobile device.
With WebAuthn+ simple passwords like "123", "asd", or even "pw", become highly secure on a "trusted system" (that is, a home computer or an office workstation). Users really do not want to have to use their phone for every authentication to every application every time.
...and there is more.