The Internet passport is coming — are you ready?

Topic

New Reply

PUBLIC DEFENDER By Brian Livingston If you’re tired of inventing new passwords to suit every different system, while hackers keep finding ever more cl
[See the full post at: The Internet passport is coming — are you ready?]

4 users thanked author for this post.

Lifetime user, lmacri, Tom-R, Fred

Reply | Quote

Replies

China would love to get access to all this user data… or the U.S. Government.  Call me old fashion, or maybe my 18 years in Army Intel makes me jaded, but as much as the ‘concept’ would make things simpler, the personal privacy risks are just too great. No thanks!

12 users thanked author for this post.

Tom-R, Mr. Austin, MHCLV941, a, SueW, wdburt1, Will Fastie, Cybertooth, Moonbear, rc primak, Ascaris, Alex5723

Reply | Quote

This reminds me of the good old days when the big ‘private’ companies in the so-called free world were not collecting and using all the data and meta-data of every individual: Microsoft Google Apple Amazon Starbucks T-Mobile Verizon CambridgeAnalytics and not the least the StatesSecurityServices, etc etc.
The time has arrived a long time that a single password protected internet platform is needed in an environment that is well protected by adequate international legislation.

* _ ... _ *

1 user thanked author for this post.

Lifetime user

Reply | Quote

well protected by adequate international legislation

And exactly how is that supposed to work? Any current examples?

-- rc primak

4 users thanked author for this post.

JohnQ2, wdburt1, MHCLV941, Cybertooth

Reply | Quote

“The technology can prove you’re of drinking age.”

No. Absolutely NO!! No replacing of Drivers Licenses with Private Sector products! No replacing of State control of ID verification with an International, Private-Sector scheme! No international databases of Personally Identifiable Information (PII)!

If it weren’t for the click-baiting marketing hype in the lead section of the column, this would have been a good article on ID verification using FOBs and Smartphones. The part about Yubico and the FIDO Alliance is an excellent explainer.

FWIW, Brian is absolutely correct about facial ID and other biometrics being weak security:

‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits
https://www.nbcnews.com/news/us-news/easy-money-how-international-scam-artists-pulled-epic-theft-covid-n1276789

Our US State and National Governments at work in Cyber-Security. How is an International Agency or private Company going to do any better? What recourse do we have when they fail? Who elected WHO (dark pun intended)? Who’s watching the Watchers? Oh yeah, Super Brian!!

Clearly, Brian actually does know what he’s posting about, underneath the click-baiting excesses. So did some of the other former contributors to InfoWorld. (I have my reasons for casting a very skeptical eye toward former Infoworld contributors. Don’t ask.) But with the lead section, the whole article has become nothing better than an expression of a very sick marketing mentality.

-- rc primak

2 users thanked author for this post.

Kranium, Mr. Austin

Reply | Quote

When a true security solution exists, whether it is one of the methods described in the article or something new, having all those companies onboard will not be enough. They will need to actively encourage the use of the security devices/methods. Without their encouragement for users to actually use the technology, it will go nowhere.

2 users thanked author for this post.

rc primak, Moonbear

Reply | Quote

Brian, thank you for writing about the “Internet passport.”

Do you have recommendations for authentication devices (hardware key, smartphone app) which support these standards?

I’d be interested in a future article about actually using these in day-to-day activity to replace passwords.

2 users thanked author for this post.

JohnQ2, Will Fastie

Reply | Quote

yep, you’ll be able to ditch passwords forever. Until somebody hacks it.

Anything that exists, can be hacked.

4 users thanked author for this post.

Kranium, rc primak, Mr. Austin, wdburt1

Reply | Quote

From the article:

Once one of these things is inserted into a computer, a server can authenticate you with the easiest of steps. (1) You can push a button on the device, proving that some hacker isn’t trying to pose as you from afar. (2) You can press a finger on the device’s tiny reader. (3) You could even enter just a four-digit PIN on your computer keyboard. Any of these steps is enough to confirm to a server that you physically have the device and that you’re physically present.

• Only option 2 actually is “enough to confirm to a server that you physically have the device and that you’re physically present.”  
• Option 1 fails because the fob can be lost or stolen.  If you’ve never lost keys, a wallet, or the like, good for you.  You’re luckier than many.  This violates “something you have; something you know” so grossly I’m amazed this was even considered.
• Option 3 fails because you don’t have to be the one inputting the PIN.  You just have to be no better at protecting your PIN than you are at protecting your password.  How many people will choose PINs other than the last digits of one’s phone number, SS number or even their street number?

Who’s going to front the cost of these things in much of the world?  Even if such a dongle costs but $5, it’s still a significant amount to many in the world.

Oh, and there will be a booming business opportunity repairing worn-out USB connectors!

 

2 users thanked author for this post.

JohnQ2, Cybertooth

Reply | Quote

An internet passport sounds suspiciously like putting all one’s eggs in one basket. Use the passport to log in to all sites, apps, and games etc? Use it for all banking and financial management as well as controlling online subscriptions?

One hack and it’s all gone. The lot. I’m sure that some will argue that security for the passport will be unbreakable, but that’s been said many times before and remember that the good guys are always one step behind the bad guys, not in front.

No thanks!

6 users thanked author for this post.

JohnQ2, rc primak, wdburt1, Mr. Austin, MHCLV941, Cybertooth

Reply | Quote

Seff wrote:

I’m sure that some will argue that security for the passport will be unbreakable, but that’s been said many times before and remember that the good guys are always one step behind the bad guys, not in front.

Oh, it most certainly will be unbreakable, especially if you have a dongle that requires only that “You can push a button on the device”. Now THAT’S security!!

2 users thanked author for this post.

JohnQ2, rc primak

Reply | Quote

Until you lose the dongle.

Reply | Quote

I wonder in which “hostile state” the dongles will be manufactured?

2 users thanked author for this post.

JohnQ2, rc primak

Reply | Quote

Seff wrote:

I wonder in which “hostile state” the dongles will be manufactured?

U.S.A. ofcourse

* _ ... _ *

Reply | Quote

Seff wrote:

I wonder in which “hostile state” the dongles will be manufactured?

Fred wrote:

U.S.A. of course

Not likely. Even the chips cannot be manufactured at a low enough cost and in great enough numbers to be made in the USA only. And these keys won’t be used just by Americans. Does the rest of the world trust US (pun intended)?

-- rc primak

Reply | Quote

That is a good question, probably China, they make everything else I have bought lately, except my flour for making bread. I would be interested in this thing, except well, I spent enough years in the Army to trust anything very much.

1 user thanked author for this post.

rc primak

Reply | Quote

a wrote:

Until you lose the dongle.

What?  Lose a dongle?  It will never happen, especially if it’s on one’s key chain!  🙂

1 user thanked author for this post.

rc primak

Reply | Quote

surely you jest.

1 user thanked author for this post.

MHCLV941

Reply | Quote

surely you jest.

Yes, I jest. And stop calling me Shirley.

-- rc primak

3 users thanked author for this post.

Lifetime user, SueW, JohnQ2

Reply | Quote

🤣🤣

Whaddya know, Airplane lives on!!

2 users thanked author for this post.

Lifetime user, MHCLV941

Reply | Quote

rc primak wrote:

well protected by adequate international legislation

And exactly how is that supposed to work? Any current examples?

I agree. The kind of international legislation discussed at length in Zuboff’s Age of Surveillance Capitalism? Or Tuchman’s March of Folly?

Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

1 user thanked author for this post.

rc primak

Reply | Quote

Fred wrote:

an environment that is well protected by adequate international legislation.

Can you cite any substantive example of this having been enacted (and by whom, as a matter of great curiosity?) and is being honored by every country in the world?  A Happy Meal says you can’t.

2 users thanked author for this post.

Mr. Austin, rc primak

Reply | Quote

rc primak wrote:

‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits
https://www.nbcnews.com/news/us-news/easy-money-how-international-scam-artists-pulled-epic-theft-covid-n1276789

Is the above supposed to be a link? I get a blank page when I click on it. It looks to be from NBC News? Probably I have “too much” protection on Basilisk browser to be able to open it.

1 user thanked author for this post.

rc primak

Reply | Quote

Is the above supposed to be a link? I get a blank page when I click on it. It looks to be from NBC News? Probably I have “too much” protection on Basilisk browser to be able to open it.

Yes, yes, yes. And it may be regionally blocked. Sorry, I don’t have the transcript handy. Wish I did.

-- rc primak

Reply | Quote

Mele20 wrote:

How international scam artists pulled off an epic theft of Covid benefits

It is a bad link;  I get a 404.

However, Google found the right one based on the title:

‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits (nbcnews.com) (

)

1 user thanked author for this post.

rc primak

Reply | Quote

Mele20 wrote:

How international scam artists pulled off an epic theft of Covid benefits

It is a bad link;  I get a 404.

MHCLV941 wrote:

However, Google found the right one based on the title:

‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits (nbcnews.com) ( )

There was at the time no PermaLink. Maybe it has one now. Again, sorry. These outside links to news stories can get pretty complicated.

-- rc primak

Reply | Quote

a wrote:

Until you lose the dongle.

You must be assuming the user is mobile much of the time thus using a laptop and they carry the dongle with them and then lose it, right?

What about all of us who don’t have laptops and don’t want any and who access the internet ONLY from our powerful, wonderful HOME DESKTOPS?

Plus, what about those of us who NEVER EVER have allowed anyone (except a tech present in our home to diagnose and fix a computer problem) to touch our desktop computers? (And the tech we carefully watch while they work).

Unless we lose all kinds of things constantly in our homes, the person described above is highly unlikely to lose a dongle.

1 user thanked author for this post.

JohnQ2

Reply | Quote

Mele20 wrote:

a wrote:

Until you lose the dongle.

You must be assuming the user is mobile much of the time thus using a laptop and they carry the dongle with them and then lose it, right?

What about all of us who don’t have laptops and don’t want any and who access the internet ONLY from our powerful, wonderful HOME DESKTOPS?

Plus, what about those of us who NEVER EVER have allowed anyone (except a tech present in our home to diagnose and fix a computer problem) to touch our desktop computers? (And the tech we carefully watch while they work).

Unless we lose all kinds of things constantly in our homes, the person described above is highly unlikely to lose a dongle.

In so far as losing a dongle, you’re right that it’s a problem primarily for mobile users.  However,  it appears that you are conflating identity with security.

Hardware aside, these dongles are about proving your identity to your bank or credit union, Amazon, NewEgg, AskWoody and any other online entity for which you must log on to use.  They have nothing to do with protecting your machine from malware, which is what your points about protecting your machine are all about.

1 user thanked author for this post.

rc primak

Reply | Quote

Will this help with election security?

Who is John Galt?

Microsoft Surface Pro 3 with Windows 10, MS Office. Samsung Galaxy S9+ with Android 10.

Reply | Quote

I doubt it because elections will always stay with some sort of paper/external verifiable voting record and not go 100% to electronic.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Mr. Austin, rc primak

Reply | Quote

and lets hope they stay secure,

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Fred wrote:

Seff wrote:

I wonder in which “hostile state” the dongles will be manufactured?

U.S.A. ofcourse

Feel free to pursue residence elsewhere.

Reply | Quote

Susan Bradley wrote:

I doubt it because elections will always stay with some sort of paper/external verifiable voting record and not go 100% to electronic.

The audit trail for an election is separate and distinct from proving one’s identity to cast a vote.

I truly don’t understand why requiring some sort of identification to vote is such a bad thing.  The vast majority of people already have some sort of ID (driver’s license or state ID card), Social Security, Medicare or Medicaid card, etc.   So long as the state is required to actively assist those few who don’t have some sort of ID in getting an acceptable ID, I see no problem asking people to verify who they are before they vote.

2 users thanked author for this post.

Lifetime user, wavy

Reply | Quote

MHCLV941 wrote:

The vast majority of people already have some sort of ID (driver’s license or state ID card)

Plenty of people don’t have driving licenses and if you make it much harder to re-register when people move you can remove loads from the voting register. This may be more than enough to prevent loss of incumbency in a close vote and has nothing to do with fraud reduction.

Democracy is about everyone having the opportunity to vote.

cheers, Paul

2 users thanked author for this post.

OscarCP, wavy

Reply | Quote

Democracy is about FAIR elections that allow everyone WHO IS ELIGIBLE the opportunity to vote.  If requiring an ID to vote was in any way discriminatory, then all laws and rules requiring an ID to fly, buy alcohol, buy guns, or any other activity would be discriminatory and therefore unconstitutional.  Literally ANY citizen can get a state-issued ID for free – in EVERY state.  Requiring an ID to vote is not discriminatory in any way.  The ONLY logical argument against requiring a valid ID to vote is to allow fraud.  There is absolutely no intellectually honest argument against requiring a valid ID to vote.

5 users thanked author for this post.

Lifetime user, wavy, wdburt1, Cybertooth, MHCLV941

Reply | Quote

Paul T wrote:

MHCLV941 wrote:

The vast majority of people already have some sort of ID (driver’s license or state ID card)

Plenty of people don’t have driving licenses and if you make it much harder to re-register when people move you can remove loads from the voting register. This may be more than enough to prevent loss of incumbency in a close vote and has nothing to do with fraud reduction.

Democracy is about everyone having the opportunity to vote.

cheers, Paul

I said nothing about purging anyone from voter rolls for any reason including moving away.  That’s an issue but irrelevant to the matter of showing some sort of ID when you do vote.  Heretofore, impersonation has not been much of a problem, but given how civility is deteriorating (witness the vitriol and assaults related to mask mandates; the massive efforts to preempt actual election results, etc.), it may not remain so.

Yes, “Democracy is about everyone having the opportunity to vote.”  Why do you think I disagree with this statement?

Reply | Quote

Bakershack wrote:

Literally ANY citizen can get a state-issued ID for free – in EVERY state.  Requiring an ID to vote is not discriminatory in any way.

This is supposed to be true, but in states that are tripping all over themselves to make the act of casting a vote harder and enacting legislation that allows their legislatures to overturn election results at their whim, i.e., their candidate didn’t win, getting an ID may not as easy for one person as it is for the next.

Also, every state requires some kind of source documents, e.g., a birth certificate, that some people may not have.  For this reason, a state-issued ID should not be the only accepted form of identification.  Any government-issued ID (Social Security card, Medicare card, Medicaid card, etc.) should be accepted and the states must be required to actively assist people in getting ID cards when there is a lack of readily available “evidence” of identity to obtain it or accepting non-traditional evidence, such as sworn statements by some number of others that someone is how he/she/they claim to be.

Reply | Quote

I call BS.  There are WELL-documented instances in several states of fraud and of the state not following its own legal requirements for managing the vote.  Your arguments are absolutely invalid.

As for source documents, nobody, including institutions that are against voter ID, has been able to document more than a tiny handful of individuals who had legitimate trouble in producing valid documentation of their citizenship in order to receive an ID.  Less than 1000 out of an adult population of over 250 million.  You seem to totally ignore my statements regarding other situations that require a valid ID.  Considering the VAST numbers of illegal aliens in the country, it is MUCH more important to prevent those who are not legally eligible to vote from voting, and to prevent people from voting multiple times.

The Founding Fathers originally only allowed land-owning citizens to vote.  That is much too restrictive for today – many productive people don’t own land.  But the idea was to only allow INFORMED CITIZENS to vote.  Ballot harvesting from nursing homes and other groups of voters who would not otherwise vote because they are not informed is nothing but fraud, and again, there is no intellectually honest argument against this statement.

None of this takes away from your knowledge and helpfulness regarding Windows and the topics on this forum.  But you are woefully uninformed regarding the topic of government and voting rights as intended by the Founders.

Considering this conversation has crossed over into politics, which is not allowed in this forum, I will post no more on this topic.

2 users thanked author for this post.

Fred, Cybertooth

Reply | Quote

Just out of curiosity, who actually won the 2020 presidential election?

I never claimed that there has been – PAST TENSE – any significant voter impersonation fraud but if you think there won’t be more in the future, you are naive at best.  In effect, you want to rely on the honor system to protect the integrity of the vote.  There are far too many in this country these days whose “honor” is subservient to their choice of would-be demigod.

I am old enough to remember when it required just a tiny bit of effort to register to vore and when I was asked for ID when I went to vote.  Neither of those was in the least bit onerous and I have never been comfortable with the removal of even these modest controls.

That said, I yield no one in my belief that every citizen who wants to vote should be able to vote and that those who would impede them are scum who should spend time in jail.

1 user thanked author for this post.

wavy

Reply | Quote

There is no way I want this. Here’s a scenario that I haven’t yet read:
* If I want to get online from somewhere other than my house, I will need to carry the device with me. Suppose, while I’m out and about, someone knocks me over the head and steals my passport device. What then? Will they then be able to log in as me?

You mentioned crossing an international border – what if the country you are entering demands your passport device in order for you to enter their country? Now they own you.

Talk about identity theft – they steal your passport key, now they have stolen you.

Pick all the cool names you want, I’m not getting one. Sadly, lots of people will get one for no other reason than that it has a cool name.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

Mr. Austin

Reply | Quote

MrJimPhelps wrote:

There is no way I want this. Here’s a scenario that I haven’t yet read:
* If I want to get online from somewhere other than my house, I will need to carry the device with me. Suppose, while I’m out and about, someone knocks me over the head and steals my passport device. What then? Will they then be able to log in as me?

You mentioned crossing an international border – what if the country you are entering demands your passport device in order for you to enter their country? Now they own you.

Talk about identity theft – they steal your passport key, now they have stolen you.

Pick all the cool names you want, I’m not getting one. Sadly, lots of people will get one for no other reason than that it has a cool name.

It depends a bit on which type you buy. If you get one that only requires a button-press, you’ve wasted your money – and your identity.  99.999999999% of the world’s population can press a button,  And that’s only counting the people.   If you get one that requires a PIN or a fingerprint, you’re better off if (when) you lose the thing,   If you get assaulted, you’re already in deep trouble, regardless of what kind you have.

As for international travel, researching entry requirements for where you’re thinking of going would definitely be in order, not to mention getting back into your home country.

Reply | Quote

Bakershack wrote:

The Founding Fathers originally only allowed land-owning citizens to vote.

And what does that say to you?

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

There are passports and then there is the Internet passport.

Traveling abroad, one can keep one’s international passport, money and other valuables and certain documents needed during the trip in a zippered bag that fits in one’s jacket’s inner pocket, or some other convenient pocket, or a belly bag. Keeping jacket or belly bag close to one’s own body all the way. On arrival, once the passport has been examined by the country’s passport control, back it goes into the pocket or belly bag during the travel by taxi or shuttle to a hotel. Once there, after showing it to the clerk when registering, it is placed in a security deposit box. Once it is time to come back, in the return trip the same precautions are taken in reverse order. (I do this.)

One could take some of these precautions, in principle, with a little gadget that is one’s “Internet Passport.” But things can be more complicated, as this little gadget will have to be produced and used not just three times, as one would a regular passport during a round-trip without intermediate scales, but every time when one is not at home and has to use the Internet to access an account online. That, plus it being little, looks like a recipe to loose it or have it stolen. One can loose many important things this way: car keys, for example. But couldn’t the loosing of this little gadget have much more serious consequences?

I can see something like this passport used in two-factor authentication along with the use of a user id and an encrypted password. So not used instead of a password, but as well as one. If it one lost or had it the passport stolen? When needing to do so, one could simply try to login to one’s online account, where there will be a “lost your passport?” button. Clicking on it after entering the password would result in an authentication single-use code being sent to your device to be used to complete the login.

Using the passport gizmo this way might no be super convenient, but it might spare one endless captcha sessions before being allowed to access a site.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

wavy wrote:

and lets hope they stay secure,

They will.  The interesting bet is whether they are cracked/hacked before quantum computers become available widely enough that the black hat community can get some time on them.

Reply | Quote

OscarCP wrote:

I can see something like this passport used in two-factor authentication along with the use of a user id and an encrypted password.

You’d think so, wouldn’t you, but only one of the devices described really meet that standard.  One requires, wait for it, “pushing a button” to authenticate oneself.  The second type requires a PIN, better than pushing a button, but not great for anyone who has to write down a PIN.  Only the type that requires a finger swip is really reliable if lost or stolen.

Of course, if your finger, or worst, you get stolen, authentication becomes a very secondary problem…

Reply | Quote

MHCLV941: I did not mean a particular design of the passport gizmo. I was commenting on this issue in general terms.

Moreover, assuming the passport is a good idea, something that remains to be seen, its use is not going to make everyone absolutely safe once and for all, because nothing can (*), merely to make it very difficult to use a false flag to break into one’s accounts, particularly the accounts of someone as much a member of the small fry as myself. As to the big fish: governments, international agencies and big corporations, they should take additional self-protecting measures, as they are going to be the targets of choice of such elaborate schemes as may be needed to defeat the use of passports, for example.

(*) No need to wait for quantum computers for defeating such protections as the use of passports: other already available and even low-tech means, such as social engineering, might suffice. Because no chain is stronger than it’s weakest link, as the saying goes.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

(*) No need to wait for quantum computers for defeating such protections as the use of passports: other already available and even low-tech means, such as social engineering, might suffice. Because no chain is stronger than it’s weakest link, as the saying goes.

Agreed, but the discussion seems to be focused on the devices, not their owners.   While the technology in them should be as good as the state of the art allows – thus the reference to quantum computers to break – there is no fix for human beings and their foibles and outright stupidity.

To quote Robert Heinlein, “you live and learn, or you don’t live long”.   To the detriment of the gene pool and security, this is no longer true.

Reply | Quote

MHCLV941: Agreed. That is why the comment you refer to is in a footnote.

And I also completely agree with your last sentence.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote