Beyond Identity Offers Free Version of Its Passwordless Technology(darkreading.com)
darkreading.com
Beyond Identity Offers Free Version of Its Passwordless Technology
https://www.darkreading.com/application-security/startup-offers-free-version-of-its-passwordless-technology-/d/d-id/1339974
29 comments
I'm tempted to suggest the linked article be changed to: https://www.beyondidentity.com/blog/why-we-made-passwordless...
the actual blog post from Beyond Identity.
was really frustrated when the first link in the darkreading article just linked out to _another_ darkreading article. Like....wtf?
the actual blog post from Beyond Identity.
was really frustrated when the first link in the darkreading article just linked out to _another_ darkreading article. Like....wtf?
And the original doesn't render unless you let it use js.
I want my private keys stored on my iPhone / Apple Watch, in Secure Enclave memory, with two-factor biometric authentication (FaceID and Fingerprint). No more passwords.
I don't. I don't want to have to carry a stupid phone around everywhere to get things done. I should only have to move my body between the places I go, and the various 24"+ screens I encounter, mostly at home and the office, should become my UI, and none of that should depend on carrying a stupid 6 inch device.
I like passwords + a YubiKey left permanently plugged into every device.
I like passwords + a YubiKey left permanently plugged into every device.
That's fine for many applications, but for someone like me who has a Continuous Glucose Monitor having my phone/watch be with me at all times is a fact of life. I look forward to the day when my CGM interfaces directly with my watch so I don't have to carry the phone all the time.
> but for someone like me
Of course that's a special case which doesn't apply to most people. But also, why can't the CGM just have its own display, which would simplify things a lot more and likely also require much less power if it used e.g. eInk?
It sounds ridiculous to me that a medical-grade device should depend on a second consumer-grade device to be useful. If it's an added feature for e.g. logging or monitoring or telemetry to the doctors, great, I understand, but if you're just trying to get a glucose reading I strongly believe in one device giving you that reading instead of "Hey I'm a device that your health insurance paid $1000 for but sorry I'm too lame to display data and you're going to need to install this silly iPhone app to actually read its values"
"and oh by the way we also will track your contacts, which apps you are using, your GPS, and serve you and your contacts targeted ads for glucose-free health foods from our partners at Amazon"
Of course that's a special case which doesn't apply to most people. But also, why can't the CGM just have its own display, which would simplify things a lot more and likely also require much less power if it used e.g. eInk?
It sounds ridiculous to me that a medical-grade device should depend on a second consumer-grade device to be useful. If it's an added feature for e.g. logging or monitoring or telemetry to the doctors, great, I understand, but if you're just trying to get a glucose reading I strongly believe in one device giving you that reading instead of "Hey I'm a device that your health insurance paid $1000 for but sorry I'm too lame to display data and you're going to need to install this silly iPhone app to actually read its values"
"and oh by the way we also will track your contacts, which apps you are using, your GPS, and serve you and your contacts targeted ads for glucose-free health foods from our partners at Amazon"
> why can't the CGM just have its own display
So I can check my blood sugar without taking my shirt off.
So I can check my blood sugar without taking my shirt off.
I'd settle for it just displaying on the lock screen, so I don't need to unlock my phone and check the statuses to see what my blood sugar is at. That being said, just being able to look to see what my blood sugar is at without having to poke a hole in my finger was a massive change in how I managed my blood sugar. Having alerts for low (or dropping) blood sugar is a great thing, too. Man, I love my CGM (Dexcom G6)... can't say enough good things about it compared to manual blood testing.
I thought this was supported as of Safari 14, but I haven't heard if Google and Firefox intend to support this as well.
https://developer.apple.com/videos/play/wwdc2020/10670/
https://developer.apple.com/videos/play/wwdc2020/10670/
Having my watch unlock my MBP, and Touch ID for authenticating and authorizing access to credentials, has been pretty awesome.
>two-factor biometric authentication (FaceID and Fingerprint)
this is not two factor. that is two of the same factor.
the whole point of the factors is that they are fundamentally different, otherwise we'd just make people use two passwords and obscure feedback about which is wrong or right.
this is not two factor. that is two of the same factor.
the whole point of the factors is that they are fundamentally different, otherwise we'd just make people use two passwords and obscure feedback about which is wrong or right.
Good of them to do this as if it's useful, we will find out pretty fast. If they have a Vault integration, that would be helpful as well. Solving IAM/IAA problems and designing products are orthogonal concerns, and to me that they're building a product around just managing asymmetric key pairs is a positive note.
An authentication scheme is only ever as secure as its recovery process, so that's going to be where the magic happens.
An authentication scheme is only ever as secure as its recovery process, so that's going to be where the magic happens.
There's already a passwordless technology; it's called Ethereum and Metamask. Store your private key on a hardware wallet, and boom, you have a very secure account controlled by the user where no password or login required to interact with applications. It's also free
Asymmetric cryptography under the tonnes of bullshit marketing.
Bullshit marketing is what CTOs buy. Who cares if the core principles are simple or not, if they're selling a useful service (especially one that can help secure our data) good on them.
This is the first I've heard of the product, but remind me why building cryptography products and then marketing them is bad?
I don't know that it is bad per se, just pointing out that this is a fairly simple existing technology and not some new thing
Ah, gotcha. I'm always interested in tuning my bullshit meter, but their top-level claims — passwordless, continuous authentication, improved user experience — seem pretty justifiable.
I use a good password manager right now, but even so I find myself entering passwords many times per day. I'd love to not have to do that, so any tips on how I can do that are appreciated.
I use a good password manager right now, but even so I find myself entering passwords many times per day. I'd love to not have to do that, so any tips on how I can do that are appreciated.
It's fairly easy to build passwordless scheme.
1. Service picks asymmetric scheme (RSA, ECDSA, etc.)
2. User generates public/private pair of keys locally
3. User registers its public key in the service
4. Now user can sign anything thus confirming its identity
No third-party service required. Users have to keep their private keys locally, but BeyondIdentity also requires this. I don't feel their complicated scheme has much sense. Also they've mentioned the use of machine learning, this looks even more strange.
1. Service picks asymmetric scheme (RSA, ECDSA, etc.)
2. User generates public/private pair of keys locally
3. User registers its public key in the service
4. Now user can sign anything thus confirming its identity
No third-party service required. Users have to keep their private keys locally, but BeyondIdentity also requires this. I don't feel their complicated scheme has much sense. Also they've mentioned the use of machine learning, this looks even more strange.
I think it's useful to keep passwords and to learn new techniques on how to make and remember them. Instead of storing them.
interesting. i wonder if it supports linux?
How is this different from Yubikey? We use FIDO keys and HYPR at my office - https://www.hypr.com/
We use HYPR as well at our org. Has been a pretty great experience and everyone seems to like it so far
[deleted]
How to provide a good onboarding and UX around that process is another story. It requires educating the user to a different mindset.
I advise looking into Argent[1] (Loopring is the same) or BrightID[2] as just a few examples of how this can work well.
If you have no friends for social recovery, Argent provides their own service that links to your email or phone for recovery. So it’s more like a typical account recovery that users are accustomed to today.
Similarly, ZenGo[3] provides just that email/phone recovery service alone but it feels intuitive and safe depending on your threat vector. The cool thing about them is that it also uses facial recognition.
[1]: https://www.argent.xyz/
[2]: https://www.brightid.org/
[3]: https://zengo.com/