Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps
- Thread starter MacRumors
- Start date
- Sort by reaction score
Backups is my main concern with FIDO. Currently I have paper backups of my password in a bank vault and multiple encrypted backups of my data, including passwords, on disks at my home and in other locations.
Having a FIDO key in a bank vault would be very inconvenient, as I would have to fetch the key from the bank to register it with a new account. With my paper backups from time to time I just print a new page and take it to the bank.
And yes, you can also make encrypted paper backups, which I do for my most important passwords.
My Microsoft account has been passwordless for the past few years now and it is fantastic. The more accounts I can make that happen for, the better!
LOL. see what happens when you give us a cruddy electron app 1password???
LOL.
/snark for those that are too serious.
LOL.
/snark for those that are too serious.
TheYayAreaLiving 🎗️
Suspended
I honestly prefer it this way because it offers more protection and security.
Me too.
Please are actually harping on 2-Auth?
Sad.
The security that 2 auth provides me?
Priceless.
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.
To register on a new site, say widget.com
To register on a new site, say widget.com
- You go widget.com and navigate to its new-account creation page
- Type in what you want your username to be and then click "create account"
- Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
- The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.
Last edited:
How does this factor in someone accessing the accounts of someone who passes away? I have a binder of all my acconts and passwords for my wife in the event that I die. What will she do if this service becomes dominant?
I wouldn't rely on that. Read the indemnity clauses that banks make you agree to when getting a safe deposit box. There are no guarantees that anything you put in there is safe. YMMV, you'll have to decide for yourself if this is more or less secure than storing in your own home/workplace/family member's house.
My parents will still figure out a way to mess this up and call me needing help with a "tech question".
Also mailboxes at shops too. There is a famous case where the FBI had a search warrant for a PO box at one of those shops that do printing and shipping.
Turns out they took ALL the boxes. the other people were screwed the contents were taken as well.
took a LOT of work to get it back.
Apple's Legacy Contact Feature: Family Access For Photos and Data After You Die
Apple in iOS 15.2 made it easier for your loved ones to access your personal data in the event of your death with the addition of a Legacy Contact...
www.macrumors.com
I think you can assign up to 5 legacy contacts, that will be able to access your iCloud information after you're gone.
Not sure how you could interpret my post as being against mandatory 2FA. I didn’t mean that.
I’m against Apple requiring the insecure method of SMS codes, with no way of removing my phone number and no option of using TOTP codes, backup codes or physical security keys for 2FA.
I suppose the objective is not to replace all passwords/log-in services, but those which rely on passwrods stored in password managers.
With all services an average user subscribes to it would be net-to-impossible to keep track of them in your mind (unless you use the same password, WHICH IS BAD).
After all with 2FA enabled on your iCloud account, Find My is still accessible traditionally.
What happens if you lose the device used to authenticate your face or such, your mobile phone? How do you recover then?
is this like the app "ping id" and "hyper"?
is this like the app "ping id" and "hyper"?
I learned a lot from this. Great response! Thanks for typing this out.
It would be handled the same way as your organizational SSO and/or Yubikey. A token is sent and that token is used to mathematically validate your identity.
Did a quick search and this seems to provide a decent "101" on passwordless auth: https://www.onelogin.com/learn/passwordless-authentication
Centralizing security will expose that centralized protection to targeted, centralized attacks. 2FA is an independent path security protocol that was established to overtly split up encryption keys across one or more independent paths. I am very skeptical that eliminating distributed protection protocols will be as effective, even if it is more convenient, especially as there will be no evidence that is visible to the user to know that a protection protocol is even being used.
Last edited:
Except it is a hash generated from a mathematic representation of your data. Fun fact, though: (I am not a lawyer) it seems that biometrics and other passwordless systems have less legal protections than a password/passcode: https://www.biometricupdate.com/201...etrics-protected-by-fifth-amendment-get-murky
A cop, (in the USA) if he pulls one over, can ask for your thumb or face unlock but not your 123 type code password I think?
I think that is the latest about that. anyone?
A good practice is to turn off your phone if you get pulled over. Then if they demand to see it, the phone, turn it on and will ask for the code and you can tell the cop to get a warrant.
It stores the passkeys on your keychain, which is backed up to iCloud, so the existing methods for restoring from iCloud into a new phone would apply.
A bit pedantic, but those are NOT PO boxes, they are PMBs (private mail boxes) and considered completely different from a legal standpoint. I do not know about the specific case you mentioned, but it sounds like maybe the warrant did not specify the PMB whose contents were to be collected. Otherwise, they messed up and overstepped the bounds of the warrant, but I am not a lawyer, so...
Maybe my principal bank will FINALLY provide some sort of FIDO security. Myself and other members of the bank (in forums) have been pushing for this for a long time. Have no real idea why they refuse to provide it as an option instead insisting that sending a code to one's phone is secure enough. The bank pretty much refuses to provide a reason why it wont provide the option. So fingers crossed that customers can have the option of FIDO-based protection for their bank account if this effort increases FIDO awareness and use.