@runycat:
In future Windows Hello+TPM+WebAuthn implementation in Win10, hopefully eventually you won't need a phone for a primary PC anymore.
Replying to @SwiftOnSecurity
U2F -> FIDO -> now "WebAuthn". Industry titans like Google, Microsoft, PayPal are serious about killing off passwords. https://w3c.github.io/webauthn/
Replying to @SwiftOnSecurity
Replacing passwords requires biometrics, secure hardware enclave, OS-level APIs and UI, browser/app adoption, service support, and education
Replying to @SwiftOnSecurity
Over decades we've made incremental steps from discrete auth hardware with major hassles, to now top-to-bottom industry-wide coordination.
Replying to @SwiftOnSecurity
The most important part of WebAuthn is that site identity is verified before communication, and even then they only have a per-site public key for you.
Replying to @SwiftOnSecurity
This will make it basically impossible to phish a user, because it doesn't rely on human judgement in any part of the process.
Replying to @SwiftOnSecurity
This also makes stealing users' passwords literally completely impossible at a mathematical level. There is no secret on the server anymore.
Replying to @SwiftOnSecurity
"Hey Taylor, it's December 23rd and a Friday night. What do you want to do?"
"Let's talk about changing authentication paradigms."
Replying to @SwiftOnSecurity
I'm curious how key storage attestation will pan out. How can sites make sure credentials are stored in TPM?
Replying to @adamUCF @SwiftOnSecurity
They can't, and you don't want them to be able to. The day they can do that is the day you've lost the ability to access any network infrastructure with open, general-purpose computing devices.
What you want is for use of the user's preferred secure key storage device to be easier and safer than legacy alternatives.