> Passwordless authentication means removing the most critical failure factor from authentication: the human.
Yes it is but you are removing a layer of defense not a link in a chain. You think this is better based on a fundamentally flawed understanding of defensive security.
> This type of attack is not based in reality; most attacks are done remotely from a location with limited jurisdiction and practically no repercussions
Of course the threat landscape never changes, right? And the process you have to issue new YubiKeys is flawless too, right? And threat actors never adapt, right? WebUSB and in-browser VNC can't possibly be abused? So many things can go wrong.
Look, here is the fundamental thing you people who jump on these hype trains don't understand about security: after half a century, what we've learned is that it is a cat-and-mouse game and there are no long-lasting silver bullets, and even if there were, you still do security in layers because mistakes happen and you could screw up something that makes your silver bullet ineffective. So you add multiple layers of preventive and detection-focused security.
You don't remove an entire layer of security and somehow twist that to sound like you improved something. It's legitimately fraudulent and harmful.
Passwords are bearer credentials and as such, they are not a meaningful layer of defense when in the custody of even a modestly competent system administrator.
As I'd said, you need to look no further than annual threat reports to see that credential theft is the most common avenue of abuse - by a lot. Hardware assertions, on the other hand, which in the WebAuthn standard are also bound to domain origins, simply remove this risk entirely. Let me repeat: you cannot phish a WebAuthn assertion. Yes, you can pull off a physical attack, but at this point of the game, it is over because the adversary could just implant a bootkit, keylogger or backdoor on your valuable system.
The threat landscape certainly changes but the economics of computer fraud and abuse remains largely the same: attack the most vulnerable link in the chain for maximum profit for the least amount of cost - the human and her portable password (and other forms of exportable factors, roughly in order of security: SMS-based, HOTP/TOTP apps, email magic links, Duo-style "confirmations").
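The origin binding the comment above relies on is concrete and checkable: the browser writes its own origin into `clientDataJSON`, and the authenticator prefixes `authenticatorData` with a SHA-256 of the relying party ID it was asked to sign for. A relying party that verifies both rejects an assertion relayed from a look-alike domain, because the browser on the victim side stamps the phishing origin and the authenticator hashes the phishing rpId. The following is an added example written for this thread, not code from any WebAuthn library or from the commenters; the relying party ID, allowed origins, challenge values and the two helper functions that build sample assertion fields are constructed for illustration, and signature verification over the returned data is intentionally left out so only the binding checks are shown.

```python
import base64
import hashlib
import json

# Relying party configuration (constructed values for this example).
EXPECTED_RP_ID = "example.com"
EXPECTED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    pad = "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data + pad)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion_binding(client_data_json_b64: str, authenticator_data: bytes,
                            expected_challenge: str) -> tuple:
    """Verify the parts of an assertion that tie it to this relying party.

    Returns (ok, reason). The signature check over
    authenticatorData || SHA256(clientDataJSON) is deliberately omitted; this
    function only demonstrates the origin, rpIdHash and challenge checks that
    make a relayed (phished) assertion useless to the relay operator.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_json_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is per-session and single-use: it stops replay of a captured assertion.
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The browser, not the page script, fills in origin; a phishing page cannot forge it.
    origin = client_data.get("origin")
    if origin not in EXPECTED_ORIGINS:
        return False, "origin %r not allowed" % origin
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was verified by the authenticator
        return False, "user presence flag not set"
    return True, "assertion is bound to this relying party"


# --- constructed sample data, standing in for what a browser/authenticator would emit ---

def make_client_data(origin: str, challenge: str) -> str:
    """Build a base64url clientDataJSON as the browser on a given origin would."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode())


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Build the leading 37 bytes of authenticatorData for the rpId the page asked for."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def demo() -> dict:
    """Legitimate login versus the same user tricked into signing on a look-alike domain."""
    challenge = "c0ffee-session-challenge"
    legit = check_assertion_binding(
        make_client_data("https://example.com", challenge),
        make_auth_data("example.com"), challenge)
    # On the phishing site the browser stamps the attacker's origin and the
    # authenticator hashes the attacker's rpId, so relaying it to example.com fails.
    phished = check_assertion_binding(
        make_client_data("https://example.com.evil.test", challenge),
        make_auth_data("example.com.evil.test"), challenge)
    return {"legit": legit, "phished": phished}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two checks are independent on purpose: even if a relying party mistakenly accepted extra origins, the `rpIdHash` comparison still fails for a domain the authenticator was never registered for, and the per-session challenge stops a captured assertion from being replayed later.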
> Passwords are bearer credentials and as such, they are not a meaningful layer of defense when in the custody of even a modestly competent system administrator.
Again, you are avoiding my argument. Passwords, even PIN codes, have been a meaningful layer of defense for half a century. You can argue that they are weaker and propose stronger methods such as passphrases, but you are arguing against passwords when your real argument is against "what you know" as a factor of authentication.
> As I'd said, you need to look no further than annual threat reports to see that credential theft is the most common avenue of abuse - by a lot.
Are you a middle manager or executive by chance? Because I respond to incidents as a matter of routine and I very much know how much passwords get phished or cracked. You know what solved the problem: adding even the weakest layer of authentication, like SMS. Now, there are many better alternatives for a second factor of auth other than SMS, as there are for passwords as the "what you know" factor, and I am open to that discussion. But what you are saying is you don't get why a weak layer of defense is needed, so you want to get rid of it.
> The threat landscape certainly changes but the economics of computer fraud and abuse remains largely the same: attack the most vulnerable link in the chain for maximum profit for the least amount of cost
Again, it's not a chain. Your mindset is a flawed way of thinking carried over from physical security (think "cyber kill chain"), which is perimeter focused; that's where the chain analogy comes from.
Modern security, having learned from the past few decades, is such that you have many layers of chains. The user's knowledge, as weak as it is, is one such layer. Removing it, plain and simple, is a reduction in your security posture. See, the critical thing you need to get is that the relationship between layers of chains, as opposed to links in a chain, is complementary, not symbiotic.
Persistent threat actors will get past any layer of defense. If ransoming your company gets me a few million dollars, as a criminal there is not a whole lot I wouldn't do including physical attacks (there are even untargeted campaigns where threat actors drop or mail USB drives en masse).
> the human and her portable password (and other forms of exportable factors, roughly in order of security: SMS-based, HOTP/TOTP apps, email magic links, Duo-style "confirmations").
Great, guess what that means? They spent all that time and effort to get past a password and now they face a YubiKey. The difference in cost to threat actors is at least geometric. They can't just steal a YubiKey or compromise your phone; now they also have to steal or guess your password.
By removing user knowledge as a factor, you are making it orders of magnitude cheaper for a threat actor. And you think that is fine because the latest and shiniest methods of authentication, unlike past solutions will never ever be defeated and you will never face insider threats or threat actors willing to spend more to profit off of you.
Stealing or guessing a password is infinitely easier than compromising a YubiKey or other hardware-based authentication factor. This is a demonstrable fact and any argument to the contrary is simply pearl clutching. I challenge you to find even a single incident resulting from a compromise of this second factor; until you do, there's nothing to discuss. And because you won't find it, it will ultimately demonstrate passwords are not even necessary when accounts are protected in this way.
> This is a demonstrable fact and any argument to the contrary is simply pearl clutching
I agree. Look up what a strawman argument is. No one made that claim.
> I challenge you to find even a single incident resulting from a compromise of this 2nd factor,...
Friend, do you read comments before replying to them? That is exactly my challenge to you. Passwordless usually means getting rid of 2FA and using one or more "next generation credential providers".
I'm thoroughly convinced you don't understand the U2F/WebAuthn standard, which makes intelligent discourse about the topic impossible. Good luck with your studies.
We weren't talking about those two standards alone and you haven't brought them up as examples either. All I have learned from you is that you use strawman arguments.
Ok, what part of U2F requires users to remember a secret? I have seen passwordless accounts you can take over simply by controlling a YubiKey. I hate it when people seem to argue with me but argue against strawmen they're inventing. I agree, discourse here can't happen.
Thanks. I learned something. Even if passwords are a weak form of security, they add an extra layer that would make it much more difficult for an attacker. They don't have to be the only layer of security, and would still be good as an extra layer on top of hardware keys and/or OS keychains. Very interesting.
Yes. Also keep in mind that layers are not just preventive. There are also detection layers. You can frustrate threat actors by reacting to their attempts to get past the password or some other layer by collecting logs and alerts. A simple example would be setting up SSH on your VPS with password AND public key auth and then setting up fail2ban. Of course it is very hard to bypass public key auth, but even if you accidentally post your private key to GitHub or have your personal device hacked, that is still one layer of defense to slow them down.
If threat actors spend sufficient resources they will get past any security layer. There is no such thing as absolute security; good security creates the most hostile environment for threat actors by requiring them to commit the most resources without interfering with normal usability of the system.
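The "password AND public key" setup described above corresponds to `AuthenticationMethods publickey,password` in `sshd_config`, where OpenSSH logs the key step as `Partial publickey for ...` and only logs `Accepted password` once both methods succeed. The point of the comment is that the second layer is also a detection layer: someone holding a leaked key but not the password leaves a distinctive trail. The following is an added example for this thread, not code from fail2ban or from the commenters; it applies two checks to a constructed sample of sshd log lines (the timestamps, PIDs, usernames and addresses are made up, and the line format mirrors OpenSSH's auth messages without claiming to be byte-exact): a fail2ban-style threshold ban and a higher-priority alert for a key that passed while the password failed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real host). Scenario: alice logs in
# normally from 198.51.100.20; later her leaked key is used from 203.0.113.7
# by someone who does not know her password.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:15 sshd[1207]: Partial publickey for alice from 198.51.100.20 port 40001 ssh2
2024-05-01T10:00:21 sshd[1207]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
2024-05-01T10:02:00 sshd[1210]: Partial publickey for alice from 203.0.113.7 port 51260 ssh2
2024-05-01T10:02:03 sshd[1210]: Failed password for alice from 203.0.113.7 port 51260 ssh2
2024-05-01T10:02:09 sshd[1210]: Failed password for alice from 203.0.113.7 port 51260 ssh2
2024-05-01T10:30:00 sshd[1300]: Failed password for root from 192.0.2.9 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed password|Partial publickey|Accepted password|Accepted publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_lines(text: str) -> list:
    """Turn matching sshd auth lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "event": m["event"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def find_bans(events: list, maxretry: int = 3, findtime: timedelta = timedelta(minutes=10)) -> dict:
    """fail2ban-style rule: ban an IP once it has maxretry password failures within findtime.

    Returns {ip: timestamp_of_ban}. Mirrors the default sshd jail's
    maxretry/findtime semantics with a sliding window per source address.
    """
    window = defaultdict(list)
    banned = {}
    for e in events:
        if e["event"] != "Failed password":
            continue
        ip = e["ip"]
        if ip in banned:
            continue
        q = window[ip]
        q.append(e["ts"])
        # Drop failures that have aged out of the window.
        while q and e["ts"] - q[0] > findtime:
            q.pop(0)
        if len(q) >= maxretry:
            banned[ip] = e["ts"]
    return banned


def find_key_without_password(events: list) -> set:
    """Flag (user, ip) pairs whose key was accepted but whose password then failed.

    With AuthenticationMethods publickey,password this pattern means the
    caller holds a valid private key yet does not know the password, which is
    the leaked-key case the comment describes and deserves its own alert.
    """
    partial = set()
    flagged = set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["event"] == "Partial publickey":
            partial.add(key)
        elif e["event"] == "Failed password" and key in partial:
            flagged.add(key)
        elif e["event"] == "Accepted password":
            partial.discard(key)
    return flagged


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("bans:", {ip: ts.isoformat() for ip, ts in find_bans(evs).items()})
    print("key-without-password:", find_key_without_password(evs))
```

On the sample, the threshold rule bans 203.0.113.7 at its third failure and leaves the single failure from 192.0.2.9 alone, while the second check singles out `("alice", "203.0.113.7")`: a password brute force from a random address is background noise, but a valid key failing the password step is worth rotating the key over.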
Using a password on a WebAuthn protected account is the equivalent of putting a bathroom privacy lock on your steel front door. It's psychological coddling, nothing more.
No it is not, comparing passwords or passphrases really (what people should be using) to a bathroom privacy lock is silly. For threat actors, difficulty is not relative like that.
It's more like you have an actual normal door with alarms at a bank. Then a door to the vault area with similar alarms. Then the actual vault.
In your ideal world, everyone should be able to just walk up to the vault because it is so amazing on its own.