Hacker Read

metaphorm · 2017-05-23 17:01:05

the technical problem is "create secure tokens and distribute them in authenticated messages to N clients that have not established trust" whereas the business problem is "we want a user login system".

happy-go-lucky | karma 24038 | avg karma 6.21 · | 2016-09-26 02:33:56+00:00

OK, the token security outweighs the usability.

bigDinosaur | karma 2571 | avg karma 2.94 · | 2022-11-30 18:08:38

The core problem is really that passwords suck and should never be the entirety of authentication. Time for hardware tokens! (admittedly there are some big problems when people lose tokens, but at least that's not a problem of insecurity ;-))

faizanbhat | karma 48 | avg karma 2.82 · | 2018-06-20 02:46:58

Could you elaborate on why you believe security tokens to be a bad idea?

cpeterso | karma 43338 | avg karma 5.73 · | 2013-05-10 06:28:59+00:00

What the problem with the physical token the cost, the configuration, or just lazy users?

binarysneaker | karma 130 | avg karma 2.24 · | 2022-11-18 21:10:30

Tech has changed _a lot_ over the past few decades. Auth tokens expire. I'd be interested to hear how you're planning to future proof your solution.

jhwang5 | karma 262 | avg karma 1.42 · | 2018-01-09 18:05:23+00:00

Yes, then you are shifting the security problem to securing the private keys for these identity tokens.

pishpash | karma 1462 | avg karma 0.67 · | 2022-07-12 17:37:49

Use physical tokens. Passwords is not the future.

arshbot | karma 234 | avg karma 3.9 · | 2019-10-31 04:27:57+00:00

There is a depressing lack of open standards with these off-the-shelf physical tokens. It's unfortunate that a company's security can rely on the APIs of another company which could go bankrupt and disappear at any time.

Avamander | karma 4204 | avg karma 1.56 · | 2019-08-05 22:51:46+00:00

Or (3) implement an universal TLS standard to abstract logins away into hardware tokens... but that's exactly what we have but don't use super-widespread. Estonia has demonstrated the solution scales easily into millions, Latvia is working on it, Finland as well and a few other countries, but they're 15 years behind from Estonia, rest of the world is at least two decades behind. I've always wanted to make wild predictions, now I can try, I think such personal hardware tokens will become wildly mainstream in 25 years, totally replacing passwords.

seniorivn | karma 344 | avg karma 1.16 · | 2021-01-13 20:55:08+00:00

hardware token would be a solution

postalrat | karma 2562 | avg karma 1.18 · | 2022-06-06 16:13:47

Whats wrong with authenticating multiple tokens and backing up the physical tokens?

I'd rather know that each token is unique and not wonder how many copies of the token exist.

reply

romaniv | karma 2296 | avg karma 2.77 · | 2012-06-25 12:31:03

You need an RSA token for each server you talk to as well. It's not a replacement for asymmetric cryptography.

jongjong | karma 2390 | avg karma 2.18 · | 2023-03-16 21:08:39

I hold some tokens from a project I worked on for 2 years (I hold everything on-chain) and also from my own project which I built (and designed the signature algorithm from scratch) so it's hard to get more security than that.

SAI_Peregrinus | karma 5632 | avg karma 2.07 · | 2017-10-26 21:11:03+00:00

People lose their tokens and need a way to recover their account access. People don't want to have to go into a physical branch to verify ID and reset it. The security of everyone suffers to increase the convenience for a few.

SilverRed | karma 3294 | avg karma 3.25 · | 2021-09-02 20:33:58

2FA token is the most obvious use case I can imagine. Otherwise you can do some programming practice. You are limited on IO though.

ScottBurson | karma 10295 | avg karma 2.77 · | 2012-07-05 19:54:28+00:00

Ah. So it's not the use of cryptographic tokens per se that you're objecting to -- just that they're not generated and/or handled correctly.

astazangasta | karma 1702 | avg karma 1.38 · | 2015-11-17 19:01:45+00:00

I think the panacea is dedicated hardware that can produce secure tokens (a signed message) without having to expose my key to the machine I plug into. But existing systems still require that level of trust; I'm doing no worse than someone with a password typing it into a possibly insecure machine.

rando444 | karma 2462 | avg karma 3.93 · | 2019-05-21 20:35:24

I wouldn't say it's BS. It's just not perfect.

The standard person today isn't capable of managing multiple secure tokens, and actually keeping them separate.

One smashed phone, and truly secure accounts would be lost forever, or require significant resources on the part of the provider to re-verify people's identities.

reply

sgeisenh | karma 390 | avg karma 2.77 · | 2014-04-10 01:34:57+00:00

Authenticator tokens are pretty robust systems. I'd like to see more services start to make use of them.