
Your phone may soon replace many of your passwords (Krebs on Security)

Apple, Google and Microsoft announced this week that they will soon support an authentication approach that avoids passwords entirely and instead requires users simply to unlock their smartphones to sign in to websites or online services. Experts say the change should help defeat many types of phishing attacks and ease the burden of passwords for Internet users, but warn that a truly password-free future could still be years away for most websites.

Image: Blog.google

The technology giants are part of an industry-led effort to replace passwords, which are easily forgotten, routinely stolen by malware and phishing schemes, or leaked and sold online after corporate data breaches.

Apple, Google and Microsoft are among the most active participants in the password-free login standard created by the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of technology companies over the last decade to develop a login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites with the same action they already take several times a day to unlock their devices, such as entering a device PIN or using biometrics like a fingerprint or face scan.

“This new approach protects against phishing, and sign-in will be radically more secure than passwords and legacy multi-factor technologies such as one-time passwords sent via SMS,” the alliance wrote on May 5th.

Sampath Srinivas, Google’s director of security authentication and president of the FIDO Alliance, said that under the new system, your phone will store a FIDO credential called a “passkey” that is used to unlock your online account.

“The passkey makes signing in far more secure, as it is based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign in to a website on your computer, you just need your phone nearby and you will simply be prompted to unlock it for access. Once you do that, you won’t need your phone again, and you can sign in by simply unlocking your computer.”

As noted by ZDNet, Apple, Google and Microsoft already support these password-free standards (e.g. “Sign in with Google”), but users must currently sign in at each website to use the password-free functionality. Under the new system, users’ passkeys will automatically be available on many of their devices, without having to re-register each account, and they can use their mobile device to sign in to an app or website on a nearby device.
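The mechanism described above is a challenge-response over public key cryptography: the phone holds a per-site private key, the site keeps only the public key, and the browser only offers a site the credentials registered for its own origin. The following Go sketch is an added illustration, not code from the article, FIDO or any vendor; the Phone type, the single-hash layout of the signed data and the hostnames are all constructed simplifications of the real WebAuthn format.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Phone models the user's device (hypothetical): one private key per site, never exported.
type Phone struct{ keys map[string]*ecdsa.PrivateKey }
func NewPhone() *Phone { return &Phone{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a passkey for rpID behind the device unlock; only the public key goes to the site.
func (ph *Phone) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ph.keys[rpID] = priv
	return &priv.PublicKey
}

// NewChallenge is the site's fresh random nonce for one login attempt.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// signedHash binds the signature to the site identity and the challenge (simplified WebAuthn layout).
func signedHash(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rp[:], challenge...))
	return sum[:]
}

// Assert runs after the user unlocks the phone; keys are looked up by the real origin, so a lookalike finds none.
func (ph *Phone) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := ph.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedHash(origin, challenge))
}

// Verify is the site's check against the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedHash(rpID, challenge), sig)
}
```

A phishing page on a lookalike domain gets no signature to relay, and a captured signature is useless against a fresh challenge or a different site identity, which is the phishing resistance the article attributes to the scheme.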

Johannes Ullrich, dean of research at the SANS Technology Institute, called the announcement “by far the most promising effort to address the authentication challenge.”

“The most important part of this standard is that it will not require consumers to buy a new device, but instead they can use devices they already own and know how to use as authenticators,” Ullrich said.

Steve Bellovin, a professor of computer science at Columbia University and an early Internet researcher and pioneer, called the password-free effort a “huge step forward in authentication,” but said it would take a long time for many websites to catch up.

Bellovin and others say a potentially difficult scenario in this new password-free authentication scheme is what happens when someone loses their mobile device, or their phone breaks, and they can’t remember their iCloud password.

“I’m worried about people who can’t afford an extra device or can’t easily replace a broken or stolen device,” Bellovin said. “I’m worried about recovering a forgotten cloud account password.”

Google says that even if you lose your phone, your passkeys will be securely synchronized to your new phone from cloud backup, allowing you to pick up right where your old device left off.

Apple and Microsoft also have cloud backup solutions that customers on those platforms can use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add a public key for another device to an account without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

Nicholas Weaver, a professor of computer science at the University of California, Berkeley, said websites still need some sort of recovery mechanism for the “you lost your phone and password” scenario, which he described as “a very difficult problem to implement, and it is already one of the biggest weaknesses in our current system.”

“If you forget your password and lose your phone and you can recover it, that’s a huge target for attackers now,” Weaver said in an email. “If you forget your password and lose your phone and CANNOT, well, now you’ve lost your authentication token, which is used to log in. It will have to be the latter. Apple has a built-in infrastructure to support it (iCloud keychain), but it’s not clear if Google does.”

However, he said, FIDO’s overall approach is a great tool for improving both security and usability.

“It’s a really, really good step forward and I’m glad to see that,” Weaver said. “It’s very nice to leverage the phone’s strong authentication of its owner (if you have a decent passcode). And at least for the iPhone, you can do this robustly even against a phone compromise, because the secure enclave will handle it, and the secure enclave does not trust the host operating system.”

The technology giants have said that the new password-free capabilities will be enabled on Apple, Google and Microsoft platforms “over the course of the coming year”. But experts said it would probably take several more years for smaller websites to embrace the technology and do away with passwords altogether.

Recent research shows that too many people still reuse or recycle passwords (making small changes to the same password), which creates a risk of account takeover when that credential is eventually exposed in a data breach. A March report by cybersecurity firm SpyCloud found that 64% of users reused passwords across multiple accounts and that 70% of credentials compromised in previous breaches were still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.