I was recently very intrigued by the phrase ‘Phishing-Resistant’ used for ‘passwordless’ authentication schemes.
Phishing is generally defined as an act of having passwords fished. Where the password has been removed, nobody would be able to have a password fished. Our lives would absolutely be ‘phishing-resistant’ indeed. I can only agree.
Well, I am fond of going out for a ‘pickpocket-resistant’ walk to a nearby park. You get it? — Yes, I go out without having any money and other valuables with me. No pickpocketing is possible, however skilled a pickpocket may be, where I don’t carry valuables.
You might ask what if I want to buy something? — I would answer “Forget it. Enjoy a pickpocket-resistant life”.
A similar situation could be imagined with a ‘phishing-resistant’ life. Someone might ask “A password has a defense surface that is necessarily larger than its attack surface. Removal of the password would inevitably bring down the overall security, irrespective of whether it is a device-only solution or a so-called MFA. What if you want to be safer?”
We could answer “Forget it. Enjoy a phishing-resistant life that comes with a false sense of security”.
Really smart, isn’t it?
Ref: “LOSS of Security Taken for GAIN of Security”
Interested to know what was behind this cognitive pitfall over the removal of passwords (secret credentials)? — I would suspect these four possible scenarios:
(1) They might have taken ‘what is not good and helpful enough’ for ‘what is bad and harmful’.
(2) They might have failed to notice that a token, whether PKI-based or otherwise, also carries the attack surface of being stolen or otherwise compromised.
(3) They might have assumed that a defense surface is a part of an attack surface in the case of passwords, while an attack surface is a part of a defense surface in the case of physical tokens.
(4) They might have compared what cannot be compared, such as ‘Passwordless versus MFA’, mixing up the issue of ‘Authenticators’ with that of ‘Deployment of Authenticators’.
- Wrong Voices are Heard if Large, Correct Voices are Unheard if Small.
Digital identity blogs collected at https://www.linkedin.com/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/