The first Thursday in May is apparently World Password Day, and to celebrate, Apple, Google and Microsoft are launching a “joint effort” to destroy the password. The major OS vendors want to “extend support for a common password-free login standard created by the FIDO Alliance and the World Wide Web Consortium.”
The standard is called either “FIDO for multiple devices” or simply “access key”. Instead of a long string of characters, this new scheme will have the app or website you log in to send a request to your phone for authentication. From there, you’ll need to unlock your phone, authenticate with a PIN or biometric, and then you’re on your way. This will sound familiar to anyone who uses phone-based two-factor authentication, but it’s a substitute for a password rather than an additional factor.
The schedule for the interaction with the user is provided:
[Image: FIDO Alliance]
Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As explained in the White Paper, “Bluetooth requires physical proximity, which means we now have a phishing-resistant way to use the user’s phone during authentication.” Bluetooth has a terrible reputation for compatibility, and I’m not sure that “security” was ever a real concern, but the FIDO Alliance notes that Bluetooth is just “for physical proximity checking” and that the actual login process does not depend on Bluetooth’s security features. Of course, this means that both devices will need Bluetooth on board, which is a given for most smartphones and laptops, but can be a difficult task for older desktops.
Just as a password manager can aggregate your login information under one password, your access keys can be archived by a major platform owner such as Apple or Google. This will allow you to easily transfer your credentials to a new device, protect you from losing them, and make it easier to sync access keys between devices. If you lose your device, you can still recover your accounts by logging in (uh, with a password?) to your large platform owner account. It may also be a good idea to have more than one device configured as an authenticator.
Companies have been trying to get by “without passwords” for years, but getting there is difficult. Google has a whole timeline in its 2008 blog post. Passwords work well if they are long, random, secret, and unique, but the human element of passwords is always an issue. We are not good at memorizing long, random strings of characters. It is tempting to write down passwords or reuse them, and phishing schemes try to trick you into giving your password to a third party. When a security breach occurs, the username and password pairs are easy to share, and there are huge databases of compromised credentials.
The FIDO blog post said: “These new features are expected to be available on Apple, Google and Microsoft platforms next year.” Apple, which seems to have started the whole “passkey” trend, already has a built-in system in iOS 15 and macOS Monterey, but it is not yet compatible with other platforms. Google’s support for passwords has already been noticed in Android’s Play Services, so it should be quickly supported by even older Android devices as soon as it’s ready.