> "Does this mean 'Attestation of Personhood' is broken? ... In my opinion, no. Starting with the obvious, Cloudflare has clearly considered this attack vector as they mentioned it in the post and decided it still raises the cost of an attack over the current CAPTCHA model...
Attackers are already willing to purchase a bunch of cell phones to emulate human behavior. 'Attestation of Personhood' with the use of a hardware key is completely broken.
It doesn't have to be 100% impenetrable to do its job most of the time and make it economically unviable at scale. The biggest issue is expecting a big chunk of users to actually have a FIDO2 token. They would have to be as ubiquitous as thumb drives or be built into phones and notebooks.
They are cheap enough to be ubiquitous (cheap ones can be had for $5 or so) and are already built into most phones, usually behind biometric verification (face or fingerprint recognition). Note the biometric only unlocks the FIDO2 private key in the phone’s TPM so biometric data never leaves the device.
Edit: just checked, a hyperfido mini sells for $9.99 CAD, so not quite five bucks but still pretty affordable.
I don't know about most unless you mean that most iPhones have it, but I wasn't aware it was built into mine, using Android 10. Just didn't put two and two together. My old smartphone on Android 9 didn't have it, I'm pretty sure.
The author points out that you can detect this by finding keys that have an unusually high signature counter. It becomes one signal amongst many, including IP addresses, user agents, etc. that are correlated with bot-like activity. You still also get to track other things such as whether the user is moving their mouse and how realistic that looks, as well as past behaviour from that user.
I guess in the edge case where you are a legitimate but very heavy user of U2F keys and you happen to share one with a batch that is being abused for bad activity... you just get shown a regular captcha and continue with your day I guess.
The design of the system will surely reduce the percentage of people that get that experience however.
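As an added illustration of the signature-counter signal discussed above (not code from the thread or from Cloudflare), here is a toy relying-party monitor that pulls the counter out of WebAuthn authenticator data and flags two things: a counter that fails to advance (the spec's clone check) and a key that is being driven far faster than a human would. The hourly threshold and the credential IDs are assumptions.

```python
import struct
from collections import defaultdict

# First 37 bytes of WebAuthn authenticator data:
# rpIdHash (32) | flags (1) | signCount (4, big-endian)
AUTH_DATA_HEADER = struct.Struct(">32sBI")


def parse_sign_count(auth_data: bytes) -> int:
    """Extract the authenticator's signature counter from authenticator data."""
    if len(auth_data) < AUTH_DATA_HEADER.size:
        raise ValueError("authenticator data too short")
    _rp_id_hash, _flags, sign_count = AUTH_DATA_HEADER.unpack_from(auth_data)
    return sign_count


def make_auth_data(sign_count: int) -> bytes:
    """Constructed sample: zero rpIdHash, flags UP|UV, no attested credential data."""
    return AUTH_DATA_HEADER.pack(b"\x00" * 32, 0x05, sign_count)


class CounterMonitor:
    """Per-credential counter history used to spot clones and shared, farmed keys.
    The max_per_hour threshold is an assumed value, not one from the article."""

    def __init__(self, max_per_hour: int = 60):
        self.max_per_hour = max_per_hour
        self.history = defaultdict(list)  # credential_id -> [(timestamp, count)]

    def observe(self, credential_id: bytes, auth_data: bytes, ts: float) -> str:
        count = parse_sign_count(auth_data)
        hist = self.history[credential_id]
        verdict = "ok"
        if hist:
            _last_ts, last_count = hist[-1]
            if count != 0 and count <= last_count:
                # The counter must strictly increase; a rollback or stall means
                # the same private key is signing from more than one place.
                verdict = "clone_suspected"
            else:
                # Compare against the oldest observation in the last hour: a
                # human rarely taps a token more than a few dozen times an hour,
                # while a key shared by a bot farm advances constantly.
                window = [(t, c) for t, c in hist if ts - t <= 3600.0]
                if window and count - window[0][1] > self.max_per_hour:
                    verdict = "rate_anomaly"
        hist.append((ts, count))
        return verdict
```

A real deployment would treat these verdicts as one input to the broader bot score rather than a hard block.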
> Any opinions stated here are my own, not necessarily those of any past, present, or future employer.
Is it common to get in trouble with employers if this is not stated? I don't understand how a clearly non-work-related blog post like this could land someone in hot water with their employer. And even if it were, I still don't understand how this statement alone can help.
The cost of including it is nothing, so on the chance it works, there’s only upside. If it doesn’t work, it’s the same as not having it but the cost to include it was nothing, so what reason is there to not include it?
I’ve seen it a fair amount in cyber security, especially if you are attacking or leveraging things that the company sells or promotes. Does it work? Anecdotally yes, but that’s not something I would bank on when releasing content that I feel needs a disclaimer.
Realistically, if someone wants to release something questionable, it's preferable to work with the company prior to releasing it to find the verbiage they want used (similar to how many Google GitHub repositories state they aren't official Google products) and to understand if you will end up in hot water.
They remind me of the safety labels on everyday items containing often apparently ridiculously obvious warnings. Like electrical shock warnings on extension cords, or warnings to not put a ladder on a slippery surface.
For non US based individuals encountering these for the first time, they often were their first encounter with how different the US legal system really was/is from the rest of the world.
------------------------------------------------------------
WARNING: This product contains a chemical known to the State of California to cause cancer.
A simple mechanical touch device, with some kind of electromagnetic actuator.
I read about people who put a mobile phone in a fixed cradle, so that when the phone receives a call and vibrates, a band of steel attached to the cradle and with a bulb of conductive rubber on the other end locks into resonance and eventually hits a USB security token.
For anti-bot / reputation systems, I think there's some value in the type of proof of space and time (PoST) algorithm used by the Chia blockchain.
Algorithms that do proof of idle resources switch the economies of scale so it's cheaper for the average user to participate in a system than it is for an industrial-scale botnet or bad actor. I.e.: scaling up costs real money, while I have a ton of idle capacity sitting in front of me right now that I could use for proofs with an incremental cost of $0 to me.
Reputation and identity are ripe for disruption IMO and systems that prove idle capacity for a period of time are pretty interesting and in their infancy right now.
"we would be able to quickly deauthorize manufacturers’ public keys at various levels of granularity."
The wording suggests they can't deauthorize an individual device's key, perhaps because they're not unique. So would they have to brick innocent devices that happen to be from the same batch as the attackers'?
They don't need to brick anything, they can just throttle those that match for a bit. Cloudflare are not in the business of blocking people, they just need to protect sites from being overwhelmed by bots.
I'm holding off buying WebAuthn stuff until the fabled YubiKey Bio comes out, since WebAuthn support is still so insignificant even compared to TOTP. But big players like Cloudflare supporting it might change the picture.
It's already in there and ready to be used. I wrote a small IDP/authenticating proxy that uses it, and I can now log in to my stuff with FaceID. Or you can hold your old-school Yubikey up to the phone (that you enrolled on your workstation!) and use that instead. It is all very seamless.
There is absolutely no reason to have passwords anymore. You can't phish WebAuthn. It's built into every modern phone and PC. (There is some concern about it being easier to lose access to your account, but account recovery already exists for the three remaining people that don't use a password manager, and forget their passwords. If you're implementing it, do let users add multiple tokens, though. That way they can have a backup and easily enroll new devices.)
> You sure can replace toString (which can be detected as-well)
Are you sure? You can make “native code” functions with .bind(null)
// An object whose toString is the real native toString, bound to the real navigator.credentials.create
(function(){ var a=function(){};a.prototype.toString=navigator.credentials.create.toString.bind(navigator.credentials.create); return new a();})().toString()
// The identity check from the parent comment still tells the bound copy apart from Function.prototype.toString
(function(){ var a=function(){};a.prototype.toString=navigator.credentials.create.toString.bind(navigator.credentials.create); return new a();})().toString == Function.prototype.toString