Most MFA has consisted of a password and a security token—that is, something I know and something I have. The new system provides another, easier form of MFA—specifically, something I have (my phone) and something I am (my fingerprint or face scan).
This scheme is many things, but it is not security.
Even ignoring all the privacy issues in mandating biometrics, biometrics can be fairly easily stolen IRL - heck, DHS lost data on 100,000 people over a couple months.
Second,
Equally important, the credential can be stored online so that it’s available when I replace or lose my current phone,
And, entirely invalidating the process. If it's stored online in a usable format, then it will be stolen. Not "can be", "will be". Who knows when, but it WILL happen. Those credentials need to be hashed (at a minimum), or they will get stolen and will be used for compromising accounts (or likely identity theft since it's biometrics).
Plus,
Bob Lord was the chief security officer for the Democratic National Committee and chief information security officer at Yahoo.
Trusting someone who was in charge of DNC security is stupid, trusting someone who was in charge of Yahoo security is idiotic, trusting someone who was both is just flat-out malicious.
Yea, right. Let's give these ideologically motivated megacorps our biometrics and universal login keys. What could go wrong!
Governments are looking into these technologies for their digital IDs / digital wallets. FIDO, mentioned in this article, is one of them.
No more anonymity
^ This guy gets it.
The feds really want into your accounts.
The current 2FA methods, something you have and something you know, are better than the proposed methods.
Under the new method, something you have and something you are, hackers/feds only require your device to get into your accounts. Feds especially can extract your biometrics: simply force your hand against the fingerprint reader or take your picture. They have a much greater difficulty extracting your passwords; they must compel you to reveal that information through fines or torture (aka the hammer to the kneecap principle).
The decent thing about face login on iPhone is you can set it to require your attention before unlocking the phone. So closing your eyes or looking away from the phone will prevent unauthorised unlocks.
They found out that iPhones do a 3D face scan every 5 seconds, not just on the lock screen.
Found out? That's inherent to its design. You mean people suddenly realized what they've signed up for. Any biometric security method implies constant surveillance.
No one would expect a biometric verification to be firing off when it's not being used to verify the user, dumbass. Unless you think everyone buying iPhone xxx'es is an Einstein.
You’re a no one. Einstein was a pederast.
There's a setting in there that prevents the phone from dimming or locking if you're looking at it; the repeated scan may be related.
I turned that off primarily because it made my eyes feel a little odd.
So now it's a weapon too, great.
Kek.
Eyecrowave. ;-)
Well the legal way is a warrant.
It depends on the state as to whether or not a warrant can compel you to give your password. It kinda hinges on how allowable "I forgot" is. After all, it's really hard to prove you know it.
For an online service a warrant to the company will get them your info. Your password is irrelevant to the company hosting the service.
For a file it's just a matter of brute forcing it.
For a device like your phone, I haven't kept up with where that's at, but I'm betting the company has a way to crack it given a warrant.
To quote what I'm responding to:
Pretty sure this must be an online service.
So now, when Google shadowbans you, it shadowbans your face. I see.
Wrongthinkers can't come back!
$100 says this is what Elon wants to 'verify' all Twitter users.
If this is the requirement for a blue checkmark, I'd be fine with it personally... if it is a req for anything else... not so much
He said he wants to 'verify all human users'. It's not far-fetched to think this is what he means.
Oh I agree, it's not a far-fetched thought at all, I just hope he doesn't!
Microsoft, it's a shit idea.
If it's not, they stole it. Always has been, always will be. Gates was an awful programmer but a top tier thief.
"I didn't get rich by writing checks!"
It's amazing how talented they are at taking an old idea and pretending it's something new.
Computer Science and Information Security already figured out that longer, but simpler passwords are far more effective than shorter, more convoluted passwords or biometric data (especially since you'll still need a password to get in as an alternative anyway).
"Kotaku In Action 2 is the home of GamerGate you stupid faggot"
is a far more difficult password for a computer to crack compared to
"K0T4ku!!02"
which you are then required to change every 30 days.
A long passphrase can be far too difficult to crack with brute force trial and error because of the insane number of combinations. People are also able to memorize long passphrases much more easily. Worse, if anyone decides to do something silly like just throw a random @ symbol somewhere, all of the password cracking for English passphrases won't work either because it's no longer a normal sentence.
The problem is getting more companies to accept the utility of passphrases.
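The arithmetic behind this comparison, as an added illustration that is not code from the original thread: the script scores a password under two attacker models, character-level brute force and word-level dictionary guessing, and treats the weaker of the two as the effective strength. The dictionary size (20,000 words), the guess rate (1e12 guesses per second) and the long passphrases are assumed or constructed; only "K0T4ku!!02" is taken from the comment above.

```python
"""Password-strength arithmetic behind the passphrase comparison above.

Added illustration, not code from the original thread. Two attacker models:
  * character-level brute force: every string of the same length over the
    character classes the password uses (assumes the attacker knows the length)
  * word-level guessing: a passphrase is a sequence of dictionary words, so
    each plain word costs only log2(dictionary size); a token that is not a
    plain word (e.g. one with '@' jammed into it) is assumed to fall back to
    character-level cost, which is the effect the comment describes
Assumed figures: a 20,000-word dictionary and 1e12 guesses per second for an
offline attack on a fast hash. Real rates depend on the hash and hardware.
"""
import math
import re
import string

ASSUMED_DICTIONARY_WORDS = 20_000   # assumed size of the attacker's word list
ASSUMED_GUESSES_PER_SECOND = 1e12   # assumed offline cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

SHORT_PASSWORD = "K0T4ku!!02"                                          # from the thread
PASSPHRASE = "the quick brown fox jumps over the lazy dog"             # constructed
PASSPHRASE_WITH_SYMBOL = "the quick br@wn fox jumps over the lazy dog"  # constructed


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must cover, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += len(string.punctuation) + 1   # 32 ASCII punctuation marks + space
    return size


def charset_entropy_bits(pw: str) -> float:
    """log2 of the number of strings of this length over the inferred alphabet."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def wordlist_entropy_bits(phrase: str, dict_size: int = ASSUMED_DICTIONARY_WORDS) -> float:
    """Cost under a word-guessing attacker: log2(dict_size) per plain word,
    character-level cost for any token that is not a plain word."""
    bits = 0.0
    for token in phrase.split():
        if re.fullmatch(r"[A-Za-z]+", token):
            bits += math.log2(dict_size)
        else:
            bits += charset_entropy_bits(token)
    return bits


def effective_bits(pw: str) -> float:
    """The attacker picks the cheaper model, so strength is the smaller figure."""
    return min(charset_entropy_bits(pw), wordlist_entropy_bits(pw))


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try every candidate in a 2**bits search space at the given rate."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def report(pw: str) -> dict:
    """Both model scores, the effective score and the exhaustive-search time."""
    bits = effective_bits(pw)
    return {
        "password": pw,
        "charset_bits": round(charset_entropy_bits(pw), 1),
        "wordlist_bits": round(wordlist_entropy_bits(pw), 1),
        "effective_bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for candidate in (SHORT_PASSWORD, PASSPHRASE, PASSPHRASE_WITH_SYMBOL, "hello world"):
        r = report(candidate)
        print(f"{r['password']!r}: charset {r['charset_bits']} bits, "
              f"wordlist {r['wordlist_bits']} bits, effective {r['effective_bits']} bits, "
              f"~{r['years_to_exhaust']:.3g} years to exhaust")
```

Under these assumptions the ten-character password scores about 65.7 bits (roughly two years of exhaustive search at the assumed rate), the nine-word sentence about 128.6 bits even when the attacker guesses whole words, and the version with an '@' inside one word about 15 bits more than that, because the word-level model no longer applies to that token. The constructed two-word phrase "hello world" scores far below the short password, which is the caveat to the comment: the passphrase advantage comes from the number of words, not from being a sentence.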
Using the 4 is what makes your password weaker.
It would have been impossible to crack if only I had used # instead.
More symbols aren't unwise.
No, but there's a silly emphasis on symbols for 8 character passwords.
What if they cut off my finger?
Incels use their dick to program it.