appleAnd The Google And Microsoft They announced this week that they will soon support an authentication approach that avoids passwords entirely, and instead requires users to simply unlock their smartphones to sign into websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but they caution that the true future without a password may still be far from most websites.
The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.
Apple, Google, and Microsoft are some of the most active contributors to the passwordless login standard developed by the FIDO (“Fast Identity Online”) alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of technology over the past decade to develop the standard. A new login works the same across many browsers and operating systems.
According to the FIDO Alliance, users will be able to log into websites through the same procedure they do multiple times each day to unlock their device – including a device PIN, or biometrics like a fingerprint or face scan.
“This new approach protects against phishing and will make login radically more secure compared to legacy multifactor passwords and technologies such as one-time passcodes sent via SMS,” the coalition wrote on May 5.
Sampath SrinivasUnder the new system, your phone will store a FIDO credential called a “passkey” which is used to open your account online, Google’s director of security authentication and president of the FIDO Alliance said.
“The passkey makes logging in more secure, because it is based on public-key cryptography and is only visible to your online account when you unlock your phone,” Srinivas wrote. “To log into a website on your PC, you will only need your phone near you and you will simply be required to unlock it to access it. Once you do, you will not need your phone again and you can log in once you unlock your PC.”
we ZDNet Notes, Apple, Google and Microsoft already support these passwordless standards (eg “Sign in with Google”), but users need to sign in at each website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkeys on many of their devices – without having to re-register each account – and use their mobile device to log into an app or website on a nearby device.
Johannes UlrichD., dean of research at the SANS Institute of Technology, called the announcement “by far the most promising effort to solve the authentication challenge.”
“The most important part of this standard is that it won’t require users to purchase a new device, but instead may use devices they already own and know how to use as authenticators,” Ulrich said.
Steve BellovinA Columbia University computer science professor and early Internet researcher and pioneer described the passwordless effort as a “tremendous advance” in authentication, but said it would take a very long time for many websites to catch up.
One potentially tricky scenario in the new passwordless authentication system is what happens when someone loses their mobile device, or their phone breaks and can’t remember their iCloud password, Belovin and others say.
“I worry about people who can’t buy an extra device, or can’t easily replace a broken or stolen device,” Belovin said. “I am concerned about recovering forgotten password for cloud accounts.”
Google says that even if you lose your phone, “your passkeys will be securely synced to your new phone from your cloud backup, allowing you to pick up where your old device left off.”
Apple and Microsoft also have cloud backup solutions that customers using these platforms can use to recover from a lost mobile device. But Belovin said a lot depends on how securely these cloud systems are managed.
“How easy is it to add another device’s public key to an account without permission?” Belofen wondered. “I think their protocols make that impossible, but others disagree with it.”
Nicholas WeaverLecturer in the Department of Computer Science at University of California, BerkeleyHe said websites should still have some recovery mechanisms for the “You lost your phone and your password” scenario, which he described as “a really tough issue to do safely and it’s really one of the biggest weaknesses in our current system.”
“If you forget your password and lose your phone and manage to get it back, that is a big target for attackers,” Weaver said in an email. “If you forget your password and lose your phone and you can’t, well now you have lost the authorization code used to log in. It should be the latter. Apple has the infrastructure to support it (iCloud keychain), but it is not clear if Google does.”
However, he said, FIDO’s general approach was a great tool for improving both security and usability.
“It’s really a good step forward, and I’m glad to see that,” Weaver said. “Leveraging the phone owner’s strong phone authentication (if you have a decent passcode) is pretty cool. And at least for the iPhone, you can make this robust even for a phone compromise, as it’s the pocket safe that will handle this and the secure pocket doesn’t trust the OS the host. “
The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the next year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and give up passwords entirely.
Recent research shows that far too many people are still reusing or reusing passwords (modifying the same password slightly), presenting a risk of account takeover when those credentials are eventually exposed in a data breach. A March report from a cybersecurity company SpyCloud It found 64 percent of users reuse passwords for multiple accounts, and 70 percent of credentials that were compromised in previous breaches are still in use.
The March 2022 white paper on the FIDO Approach is available here (PDF). Frequently asked questions about it here.