Apple, Google and Microsoft announced this week that they will soon support an authentication approach that does away with passwords altogether and instead requires users merely to unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden for Internet users, but they caution that a truly passwordless future may still be a long way off for most websites.
The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, often stolen by malware and scams, or leaked and sold online after company data is compromised.
Apple, Google and Microsoft are the most active contributors to a passwordless login standard set by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of technology companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.
According to the FIDO Alliance, users will be able to log into websites through the same procedure they already follow multiple times a day to unlock their device, such as entering a device PIN or using biometrics like a fingerprint or face scan.
“This new approach protects against phishing and will make login radically more secure compared to passwords and legacy multifactor technologies such as one-time passwords sent via SMS,” the coalition wrote on May 5.
Sampath Srinivas, Google’s director of security authentication and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey,” which is used to unlock your online account.
“The passkey makes logging in more secure because it is based on public key cryptography and is only presented to your online account when you unlock your phone,” Srinivas wrote. “To log into a website on your computer, you will only need to have your phone close to you, and you will simply have to unlock it to gain access. Once you do, you will not need your phone again, and you can sign in simply by unlocking your PC.”
As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in to each website to use the passwordless functionality. Under this new system, users will be able to access their passkeys automatically on many of their devices, without having to re-register each account, and use their mobile device to log into an app or website on a nearby device.
Johannes Ullrich, dean of research at the SANS Technology Institute, called the announcement “the most promising effort to solve the authentication challenge.”
“The most important part of this standard is that it won’t require users to buy a new device, but instead they can use devices they already have and know how to use as authenticators,” Ullrich said.
Steve Bellovin, a Columbia University computer science professor and early and pioneering Internet researcher, described the passwordless efforts as a “big step forward” in authentication, but said it would take a long time for many sites to update.
A potentially challenging scenario in the new passwordless authentication system is what happens when someone loses their mobile device, or their phone breaks and they cannot remember their iCloud password, Bellovin and others say.
“I worry about people who can’t buy an extra device or can’t easily replace a broken or stolen device,” Bellovin said. “I am concerned about recovering forgotten passwords for cloud accounts.”
Google says that even if you lose your phone, “your passkeys will be securely synced to your new phone from your cloud backup, allowing you to pick up where your old device left off.”
Apple and Microsoft also have cloud backup solutions that customers using these platforms can use to restore a lost mobile device. But Bellovin said a lot depends on how securely these cloud systems are managed.
“How easy is it to add another device’s public key to an account without permission?” asked Bellovin. “I think their protocols make that impossible, but others disagree with that.”
Nicholas Weaver, a professor in the Department of Computer Science at the University of California, Berkeley, said websites should still have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a very difficult issue to do securely and in fact one of the biggest weaknesses in our current system.”
“If you forget your password and lose your phone and are able to recover it, this is a big target for attackers,” Weaver said in an email. “If you forget your password and lose your phone and you can’t, well, now you have lost the authorization code you used to log in. It should be the latter. Apple has the infrastructure to support it (iCloud keychain), but it is unclear if Google supports it.”
Nevertheless, he said, FIDO’s comprehensive approach has been a great tool for improving security and usability.
“It’s really a good step forward, and I’m glad to see that,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a proper passcode) is great. And for an iPhone at least, you can make it robust even to compromise of the phone, because it is the secure enclave that handles this, and the secure enclave doesn’t trust the host OS.”
The tech giants said the new passwordless features will be enabled on Apple, Google and Microsoft platforms “over the next year”. But experts said it will likely take several years for smaller web destinations to embrace the technology and give up passwords entirely.
Recent research shows that many people still reuse or recycle passwords (with a simple modification of the password itself), which poses a risk of account takeover when those credentials are eventually exposed in a data breach. A March report from the cybersecurity company SpyCloud found that 64% of users reuse passwords across multiple accounts, and that 70% of the credentials compromised in previous breaches are still in use.
The March 2022 white paper on the FIDO approach is available here (PDF). A set of questions and answers about it is available here.