![]() My password manager protects me against nothing more than brute forcing and password reuse. Today, most websites offer FIDO2/WebAuthn/U2F as a second factor, but I'd rather see them as a first factor with an optional password as a second factor. Using the security chips inside my devices for authentication as a single factor is more than enough for most of my purposes. Passwords are easy to brute force, but device-bound keys aren't. ![]() For everything but real important stuff (banks, email, business accounts, that kind of stuff), I reckon my devices are protected enough that if someone can gain access to my devices unlocked enough, 2FA wouldn't prevent any threads anyway. What I mean is eliminating passwords on most services at all. ![]() I think it could work, but I wouldn't want to protect my banking passwords and credit card details behind some random script. Passwords are useful but passwordless authentication is just better for most single factor authentication mechanisms in my opinion. This means that brute-forcing or other attempts at access don't need to go through the biometric system on Linux whereas Windows Hello is more tightly protected against malware like that.ĭongles do work great! With WebAuthn/FIDO(2) we can hopefully soon start to let go of password managers completely. ![]() The Linux version of this process, at least as far as I could find so far, consists of identifying and authorizing the user alright, but the TPM's secret management seems to be handled by an entirely different system. Windows Hello (and I presume TouchID) is set up to handle authentication and authorization together in one well-secured kernel blob with all kinds of TPM trickery to ensure security. Fingerprints work great in modern Linux distros (I use them for sudo and sometimes unlocking my display), but the fingerprint hardware and the TPM don't seem to talk to each other. ![]()
0 Comments
Leave a Reply. |