Different “password-less”?
How data on a billion people may have leaked from a Chinese police dashboard
https://www.theregister.com/2022/07/10/stolen_shanghai_police_data/
It reads “Record-breaking dump thanks to password-less Kibana endpoint?”
I would like to assume that this “password-less” is not the “password-less” that a number of security people are touting as a security-enhancing solution.
Let me try a breakdown.
(1) Password-less + nothing else: the least secure
(2) Password-less + something else: more secure than (1)
(3) Password + something else: here is the point of argument
By our criteria, the security increases from 1 to 3. However, by the “passwordless” folks’ criteria, the security of (2) is viewed as higher than (3), presumably because an attack surface of the password is removed in (2) whereas there is an attack surface on the password in (3).
Well, let me try the same for “token-less” login.
(1) Token-less + nothing else: the least secure
(2) Token-less + something else: more secure than (1)
(3) Token + something else: here is the point of argument
By our criteria, the security increases from 1 to 3. However, by the “passwordless” folks’ criteria, the security of (2) should be viewed as higher than (3) because an attack surface of the token is removed in (2) whereas there is an attack surface on the token in (3).
Good food for LoL?
Ref: “Graphene Ant Going to Fell Paper Elephant — Exciting Scenery of Digital Identity”
PS I would like to reiterate that there would be nothing wrong with “Passwordless” authentication if it came with a transparent statement that it brings ‘better availability’ at the cost of losing security. It could be helpful where availability and convenience, not security, matters most.
Digital identity blogs collected at https://www.linkedin.com/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/