undefined | Better HN

0 pointsaddicted2y ago0 comments

Any half decent sophisticated user on the internet has not remembered passwords for half a decade at least.

Nearly everyone is storing it in password managers.

So has that changed passwords into not being “thing you know”?

0 comments

  So has that changed passwords into not being “thing you know”?

Yes? If you write your password down on a piece of paper it becomes something you have, no?

afiori2y ago

Protocol-wise the difference is that a TYH* requires an interaction by the user.

An app generating OTP codes is a TYH while the secret used to generate the token is a TYK.

A password manager is a TYH while the passwords inside are TYK

In general every (non-quantum) TYH possess some kind of TYK that can be used to duplicate the TYH.

In the name of security sometimes there are locks around the TYK, sometimes physical other times software.

In the case of passkeys the inability to export them makes them TYH.

* "Thing you have" is too long

charcircuit2y ago

The server is not checking if you have a piece of paper. It is checking if you can produce a piece of information.

If someone steals your paper, copies the password to their phone, and then returns your paper, then the attacker can log in without that piece of paper. In a true "something you have" if you have that something then it is impossible for someone to login to your account.

afiori2y ago

I agree with the general sentiment but every non-quantum "thing you have" can be duplicated.

PS: I suspect that you could make a 2FA protocol capable of detecting duplication of the thing you have by having the app generate signed codes like "this is the n-th code I have generated" and have the server remember the n as a logical clock to detect duplicates and "time travel".

AFAIK only bank-type apps would use something this sophisticated

charcircuit2y ago

>but every non-quantum "thing you have" can be duplicated.

Not easily. Extracting keys from hardware keys is very hard to do.

1 more reply

j / k navigate · click thread line to collapse

0 comments

noman-land2y ago

  So has that changed passwords into not being “thing you know”?

Yes? If you write your password down on a piece of paper it becomes something you have, no?

afiori2y ago

Protocol-wise the difference is that a TYH* requires an interaction by the user.

An app generating OTP codes is a TYH while the secret used to generate the token is a TYK.

A password manager is a TYH while the passwords inside are TYK

In general every (non-quantum) TYH possess some kind of TYK that can be used to duplicate the TYH.

In the name of security sometimes there are locks around the TYK, sometimes physical other times software.

In the case of passkeys the inability to export them makes them TYH.

* "Thing you have" is too long

charcircuit2y ago

The server is not checking if you have a piece of paper. It is checking if you can produce a piece of information.

afiori2y ago

I agree with the general sentiment but every non-quantum "thing you have" can be duplicated.

AFAIK only bank-type apps would use something this sophisticated

charcircuit2y ago

>but every non-quantum "thing you have" can be duplicated.

Not easily. Extracting keys from hardware keys is very hard to do.

1 more reply

j / k navigate · click thread line to collapse