Hacker Read

pishpash · 2017-06-12 03:01:49+00:00

Seriously, I don't understand why physical tokens are not the norm and standardized on all devices, still. It isn't a new concept at all.

codedokode | karma 6872 | avg karma 1.97 · | 2019-05-22 09:11:50

Also physical tokens can be easier to use if the support for them is built into OS and doesn't require installing or configuring additional software.

stretchwithme | karma 5432 | avg karma 1.79 · | 2011-06-10 20:33:30+00:00

I was thinking the physical token would have had a USB connector that you actually had to plugin to use it.

arshbot | karma 234 | avg karma 3.9 · | 2019-10-31 04:27:57+00:00

There is a depressing lack of open standards with these off-the-shelf physical tokens. It's unfortunate that a company's security can rely on the APIs of another company which could go bankrupt and disappear at any time.

pishpash | karma 1462 | avg karma 0.67 · | 2018-05-04 06:35:45+00:00

For the thousandth time, can we be done with passwords and move to physical tokens please?

dsfyu404ed | karma 7424 | avg karma 0.98 · | 2019-04-10 13:33:20

That doesn't mean I think it's a good idea.

A phone is better than nothing. A real token would be much better.

reply

pishpash | karma 1462 | avg karma 0.67 · | 2022-07-12 17:37:49

Use physical tokens. Passwords is not the future.

jcrawfordor | karma 7422 | avg karma 5.61 · | 2016-02-17 18:34:30+00:00

I'm optimistic for the use of physical tokens instead of passwords. In my work environment, a lot of authentication is based on physical token possession plus a password just as a guard against lost devices (password validated by the token, not by the service).

These kinds of systems aren't technically very complex but there hasn't been a lot of traction for them outside of corporate environments. The result is that they tend to be hyper-expensive, unfortunately. Standards like FIDO and the Yubikey are good first steps at pushing this into the consumer space, although they don't offer on-device PIN validation yet.

reply

dfischer | karma 2025 | avg karma 2.14 · | 2011-05-13 20:12:23

This is true, your phone is also a physical token. I just like the fact that I can use something I already have instead of having to buy a yubikey.

tomp | karma 21535 | avg karma 2.82 · | 2019-10-09 10:08:43

I hate hardware tokens. Recently got one from my bank. I'm switching banks. I just don't see any advantage over a phone app (plus a phone app can offer better notifications).

cpeterso | karma 43338 | avg karma 5.73 · | 2013-05-10 06:28:59+00:00

What the problem with the physical token the cost, the configuration, or just lazy users?

pvg | karma 14880 | avg karma 1.9 · | 2018-08-24 03:45:31+00:00

Are there technical reasons that device (well, maybe not quite that blue-sky-ish, but the general idea) can't be your phone? You've already paid for it, people seem to think they're quite secure, etc. I don't get the whole desire to make hw tokens more computery so we can better use our computers while also already carrying another computer in our pockets.

bifrost | karma 3796 | avg karma 2.28 · | 2019-04-23 02:55:29

Hardware tokens are great but most people don't know how to use them, so they don't.

smaudet | karma 728 | avg karma 0.88 · | 2023-03-10 02:45:10

I disagree > Have multiple of them for redundancy.

Yes so when I have 40 such tokens then I must worry about which ones to bring when for which devices, it's a usability nightmare.

I contend you should rarely if ever use one, they are (often) more trouble than they are worth. Or, you are reusing them everywhere, and so you violate the principle of re-use. Yeah, you can daisy chain things and the like, but now you are just making your life needlessly complicated and error prone.

reply

taeric | karma 14871 | avg karma 1.66 · | 2022-01-18 16:32:41

Not my point. Just not clear that the alternatives actually are better. Again, I use hardware tokens. Not seeing my family join me on that anytime soon.

List of problems with every approach always falls back to, "what happens if you lose it?"

And the resolution to that is always outside of the technical chain.

reply

ghaff | karma 44589 | avg karma 1.65 · | 2024-04-17 23:35:06

There are hardware tokens. But, yes, not everyone supports them.

bdamm | karma 4946 | avg karma 2.29 · | 2020-10-02 20:44:24+00:00

Physical security tokens are both as old as dirt and the hot new replacement for passwords.

tptacek | karma 394296 | avg karma 6.04 · | 2011-12-05 19:02:12+00:00

Because they are hellaciously expensive, in terms of:

* cost to retrofit the backend of these systems onto the bank's retail software

* cost to roll out tokens to customers

* ongoing support costs for e.g. lost or broken tokens

To all that, you have to layer on the fact that tokens are priced for a different market (enterprise security), so the existing products aren't packaged in a way that makes them palatable to (say) Bank of America's many tens of millions of customers. You can't wave a magic wand on that problem either; tokens are packaged the way they are now because that's how you can keep a token company in the black.

reply

staticassertion | karma 12534 | avg karma 3.12 · | 2022-01-03 19:42:18

That's bad and annoying but it is not at all worse than useless. A hardware token is a very worthwhile investment.

pishpash | karma 1462 | avg karma 0.67 · | 2018-05-08 19:13:58+00:00

Good. After all the roundabout bullshit of "factors" ("2FA") and password managers, people have finally come to their senses that physical tokens are a very natural evolution of analog keys and the only real security, and should have been used from the get-go.