Passwordless Logins
-
Please drop PASSWORD, and certainly the length checks.
Instead send an SMS to a GSM device that is associated with the name, and demand that this code is reproduced to authenticate.
You can also use a fingerprint to confirm repeatedly on the same device and not always demand confirmation by the mobile device.
But drop passwords completely.
Google and Apple and numerous password wallet services know them better than most of us. Make a new site, and they offer passwords for free, well "encrypted", but it takes seconds to break that encryption, so hackers can easily get everybody's password. It takes just as long for 33 characters as for 3.
You can confirm HLR (CIC) and MSISDN easily, "phone number" is not enough, it must be an MSISDN with a SIM. Verizon can solve that. -
-
@DoctorG SMS is a core service, and mil. spec. High Security, Orange Book. It is IMPOSSIBLE to intercept, IMPOSSIBLE to duplicate. It has been tried for decades and nobody has achieved anything more than to take the entire network down, like in Russia.
This is what the US DoD does not want, it is also impossible for the US CIA, NSA and FBI. So they have spread lies, and try to move the service to become an Internet service.
This is the GSM core service, and is only available on all mobile phones, except for Verizon. I will talk to them, and explain that they cannot deliver this. Their CDMA network is not secure. GSM was designed to comply with US requirements as a NATO country. -
@Knuthf
Hi, SMS is not secure at all, just search a bit for the latest articles from 2024; there are many. -
@mib2berlin I am sorry. But it is secure. It is those that conduct that "research" that want you to use a US technology - that they can intercept.
GSM was designed according to NATO specifications. It is even encrypted, hard enough to make it take much more time to decipher than what can be obtained.
But once delivered, anyone can copy it and use it, like everything on the Internet. I have a degree in math, algebra, extensive research in Group and Ring theory, with application in systems design and development. And I have been a director for deployment of telecom networks, also in the USA. -
@Knuthf
I just read lately that it is not, I can't prove these articles in detail.
https://www.authx.com/blog/what-is-sms-authentication/#:~:text=SMS messages are not ensured,network protocols are particularly vulnerable.
There was really a lot of these in the last weeks.
IIRC Vivaldi supports hardware key login already, @DoctorG knows better. Cheers, mib
-
@mib2berlin I have managed delivery of systems to the US DoD, the USAF and NATO. I have known US military security protocols and standards and applied these in projects.
I have led projects and delivered secure telecommunication. -
@mib2berlin Thanks. The post is utter nonsense.
GSM is fully encrypted, and must be operated by "Intelligent Network" configuration tools using "COM" or "Xcom" that send STM "events" that allow the owner to configure every node. The speed of the node is the speed of light. So as long as Einstein's theory of relativity is valid, a copy will always be delayed - later, afterwards, next cycle. We use this to allow many to share the same network. The network owners can intercept everything in the main switch, the MSC/HLR, where they can let security services inside, fully monitored by them. But Google, Facebook, Apple are US companies that use this for free, also the FBI, CIA, NSA, Cloudflare. But we can see where the messages come from, and could make a new net, COS=5, where only paid messages will be transmitted. That would remove more than 70% of the data; spying would have to be paid for, advertising not profitable. But all our mobile phone quotas, GB/month, would be 1/3 - at least. But they want full control, and try to remove this. Vivaldi can let one platform approve the others, and demand that Google and Apple pay them for the cross-platform verification. Windows is unsafe and cannot be made safe. -
LonM moved this topic from Desktop Feature Requests.
-
Not sure about SMS authentication, many websites have moved to authenticating with a TOTP (such as Vivaldi) and hardware keys (not to mention there are an increasing number of people out there going without phone numbers).
I would like to see Vivaldi support passkey sign-in though, I find it more convenient, and it can't be breached in a data leak. Hopefully they will give us the option to sign in with a passkey and get rid of the password, or for those who prefer not to use passkeys, they can keep their password.
-
@Knuthf SMS can't be secure as long as it is using the phone network. Look up any recent mention of the Salt Typhoon hack of US communication systems. Mind you, I doubt the Chinese care about you or me, but the point is they do have that access - but for all we know others could piggy-back on their access or simply hack them. As long as they are getting the information they want, they may not care who else can access it. The fact no one can access it between you and the cell tower means nothing if the rest of the system is not secure.
-
@Knuthf Have you ever heard about the term "SIM swap scam"?
Essentially, if your phone operator (or another operator) lacks security measures for issuing a new SIM card (cancelling the old one(s)), or there are corrupt persons in such an operator, your phone connection can be stolen, including all SMSes (encryption does not matter since it is not end to end, but from transmitter to device) sent later (until you manage to convince your phone operator that you didn't do that change), and in the meantime you may well have lost control over "all" your accounts.
Websites that have had SMS auth have been moving away from it for years, and one reason is cost, since each SMS costs a certain amount, and that may vary depending on which operator they are sending the text to.
-
@sgunhouse The FCC has banned use of secure networks in the USA. In the USA, the fibres can be cut and spliced, allowing the state to intercept the fibre. Outside the USA, the fibre is split in multiple "segments" ("Channels") - using DWDM - Dense Wave Dense Multiplexing, so up to 400 times the capacity. This is impossible to tap into - you have 400 times the number of bits to intercept than the speed of light allows. We tried in AT&T, but the FCC demands analogue equipment.
The mobile net will encrypt all data from HLR to the handset. Only the MSISDN with the correct SIM can decipher. This is the purpose of the SIM. And it is impossible to ignore. The "carries" the data, as "Class of service" "COS" = 4: every 4K packet is encrypted, is charged for and appears on your bill for mobile services. -
@chemistrelapse There is no internet service, no hardware key, no USB dongle that can compare with SMS in security. They can all be copied and replicated. People such as I can decrypt most with a desktop calculator.
-
@yngve Your operator is the only one that can read the content of the SIM. They have to ensure that the people that can access the HLR/MSC can be trusted, also the military security. It is not unlimited what can be tapped into, but the carrier/operator will allow the military security to get access here. The encryption is very simple, and efficient, based on prime numbers, just as crypto. It is the property of numbers, very big numbers. We multiply, and always know the answer once we know the Pkey to the HLR and the SIM. It is easy to change the keys, find another Pkey, the next. This will "reset" the SIM, or the network (HLR). There is no need to pass the keys around; "the next" is always a brief multiplication away.
On the Internet, everything is unencrypted, and encryption algorithms are based on that the Security Service can intercept and tap into the net.
With GSM, they must sit inside with the operator/carrier. This is not what the FCC wanted, but the compromise where NATO countries can assist the CIA/FBI to intercept. So they cannot intercept, and they cannot see that the Chinese are NOT inside the network. -
@yngve No. I have not heard of the SIM card swap scam. But I have followed closely the solution to Apple for allowing "dual SIM". Please read the terms for allowing this. I have seen how fake SIM cards are detected, and it is very easy. I have seen states, Russia, trying to turn off security, and taking the entire country out.
Finally, the moment you start comparing this with WEB sites, you lose credibility. SMS is below, it is pulling the plug and connecting it, below the Internet physical level. The FCC has for decades tried to stop GSM. -
@yngve They have refused to pay. Telenor for one demanded payment for security, and the US internet companies refused to pay an operator in Norway. They could ignore all Norwegians. We made the mobile networks charge for SMS, and they refused to pay. SMS is free now but outside the control of Google, Yahoo, Microsoft, Cloudflare. It allows a small country like Norway to control the delivery of what they consider to be "their service". They have never exposed any flaw. It was my consultants that negotiated with the FCC.
-
@Knuthf First of all, GSM (2G) is a 90s protocol, it only uses 40-bit encryption, because it was supposed(!) to be wiretappable. 40-bit encryption was cracked conclusively in the late 90s.
It is also in the process of being phased out here in Norway (and has been in a number of countries since 2016 and 2017). The only thing that may prevent the shutdown is the concern about old cars having 2G SOS beacons.
It has since been replaced by 3G (which is also being phased out), 4G, and 5G protocols.
Stealing phone numbers by obtaining a replacement SIM by tricking a phone operator, or bribing one of their employees with access, is an old scam. It isn't even one year since the last big one (that I know of) was revealed [1] [2], and it is just barely a year since the FCC implemented rules against it. And it is just a few years since some Norwegian journalists (with permission, mind you!) were able to easily take over the phone number of a Norwegian Parliament member.
And let's not forget phone network problems like the SS7 vulnerabilities (which are AFAIK still unpatched, 16 years after disclosure).
The low security of phone numbers due to SIM card scams stealing phone numbers, as well as costs, are the prime reasons web sites are moving away from SMS texts as a part of MFA.
As for "internet is unencrypted": Yes, it was mainly that, but that was in the 90s! Since then, since 2000, but particularly in the past 10 years, most of the internet network traffic has become encrypted with methods that are considered secure against brute force attacks for at least several decades, in particular due to Let's Encrypt certificates and search engines up-ranking encrypted connections. The connections to this site are encrypted (and have always been encrypted) with AES and RSA or Elliptic Curve key exchange and certificates.
Some data, like most emails, are unencrypted at rest, but are mostly encrypted when transmitted between servers, and to/from the email client.
Regarding "being able to decrypt a FIDO or TOTP key [I assume that is what you meant?] with a desktop calculator". If you can really do that, you should be able to get many prime, well attended, speaking spots at CCC, Black Hat, Defcon, and other security conferences, because I suspect that is news to all of those.
-
@yngve Nothing has changed. Nobody has found any errors in Fermat's theorem. It is still applicable, and it is NOT AES.
The rest is nonsense. 5G depends on SS7, and STM, and COM/IN, and the 2G upgrades are a minor phase-out of ancient software. The protocols are the same. I addressed the SS7 so-called vulnerabilities a decade ago; the patch is not needed and is based on a fundamental misunderstanding.
Again, this is carrier protocols, and web sites reference has no place here. The reason for not using this is ignorance and political pressure, initially refusing to use a paid service. -
@yngve I am not a communist, and there are two ideologies that are conflicting here. One is central (state, Big Brother) control, the other is focus on the individual - Jeremy Salter and me. We dislike central control, the big IBM mainframe and Microsoft control. Add Google, Apple, Cloudflare, the corporations, and of course the state, the US military. They have made a system of encryption keys in such a way that they have the master key that unlocks the rest. They have meetings and conferences to discuss and consider how this "infrastructure" - "regime" of keys can be used. They must coordinate to control and master.
The other is to distribute the keys, point to point, and no central control. Just the sender and receiver can intercept. This is used in blockchains and cryptocurrency. The secret services cannot block these. What happens when you duplicate a BTC? You cannot take it, your copy is worthless and is easy to identify as a duplicate. We make structure, certificates, blocks, exchanges. We do not have conferences, well we discuss math and the theory, but Abel, Galois, Cauchy and Fermat died ages ago and cannot take part even in chat sessions. I am alive, I proved my things with Chris in Paris, during a conference close to my flat there. We celebrated with an ice cream after a lunch. I left, I was the boss for a huge project. Relational theory was "finalised". I see no reason for having to share confidential information with Cloudflare. So, I do not attend those conferences. -
To wrap up: SMS texting is inherently insecure, for reasons mentioned above.
Unfortunately, you seem to have been misinformed about this, and your request is not actually appropriate or safe for a secure login system. The details you are focusing on are unrelated to the security of SMS or web applications, and as a result are not relevant here. Since this request has been asked and answered, I am locking this thread.
-
yngve locked this topic.
-
pafflick moved this topic from Community & Services Feature Requests.