Fido (Fast IDentity Online): The Dream Of A Passwordless Life

There are alternatives to passwords, but they are not widespread. In order for that to change, companies like Apple and Google should play an important role. Can that work?

Passwords have a bad reputation. They are often either too short and therefore uncertain, or too long and therefore difficult to remember. They are guessed, stolen, forgotten, reused. And even those who, as is recommended, use a password manager to keep track of things, will sooner or later ask themselves: Isn't there a simpler, safer, better way to do this - without passwords at all?

Yes, that's possible, say those responsible for the industry consortium Fido (Fast IDentity Online). Since it was founded in 2013, Fido members, which include large tech companies such as Apple, Amazon, Samsung, Google, Meta, Microsoft and Intel, as well as financial service providers such as Visa, Mastercard and ING, have been working on industry-wide authentication methods that are meant to replace the password. A new whitepaper that Fido published last week boasts: "For the first time, secure Fido technology will be able to replace passwords as the predominant form of authentication on the Internet."

In fact, the Fido method has been around for a number of years and is supported by the World Wide Web Consortium (W3C), which sets Internet standards. Website operators could therefore already use it widely. So far, however, the technology has not achieved a breakthrough. For that to change, Fido wants to give hardware manufacturers and operating system developers more responsibility in the future.

Password, USB key or biometrics?

In order to explain what Fido is now specifically proposing as an extension of its procedure, it is advisable to first take a general look at the common authentication procedures, in other words the ways in which you prove to a website or an app that you are a legitimate user. A distinction is made between three factors:

"What you know": This includes passwords and PINs, but also birthdays or other security questions, the answer to which, in the best case, only the user who created the account knows. This factor is the most common, but also the least secure: passwords can be stolen or cracked, and the answers to security questions are often quite easy to guess.

"What you have": This includes physical objects that only the legitimate user possesses and can present to gain access. In the offline world, these can be key cards that companies issue to their employees. In the digital world, one often speaks of tokens, which can be dedicated cryptographic USB keys such as the YubiKey. But smartphones can also take on the role of a token.

"What you are": This includes biometric data such as fingerprints, face or iris scans. Thanks to its integration into many new smartphones, this type of authentication is now quite widespread, especially for unlocking devices. However, fingerprints can be copied and facial recognition can be tricked.

If more than one of the three factors is used for login, this is called multi-factor authentication. This includes two-factor authentication (2FA), which is now offered and sometimes required by many online services and banks. Here users must identify themselves in addition to their password, for example by entering a randomly generated code shown on their smartphone, or by confirming a login or a transfer with a fingerprint or face scan. An authenticator app can also be used for this. 2FA is recommended by bodies such as the Federal Office for Information Security (BSI) for as many online services as possible because it protects against cyber attacks: to gain access to an online account, attackers no longer only need to know the password, but also need access to the smartphone, fingerprint or USB key at the same time.

Nevertheless, from the point of view of the Fido industry consortium, two-factor authentication has two disadvantages. First, the security codes generated on the smartphone do not protect users who have become the target of a phishing attack: using sophisticated fake websites, computer-generated calls from bogus customer service agents and fake emails, attackers have been able to intercept two-factor authentication codes even within the short window of time in which they are valid. Second, two-factor authentication doesn't do away with the password. What's more, it is recommended above all because many people use insecure and often identical passwords. It's like a band-aid that you put on the wound called the password. Wouldn't it be better if the wound didn't exist in the first place? The current method developed by Fido is called Fido2 and comprises an authentication protocol called CTAP and a web standard called WebAuthn, which allows you to log into your account on a website or app without entering a password.

It works like this: if you want to register or log in to a website that supports WebAuthn in your browser, you type in your username. Instead of then entering a personal password, authentication takes place using what Fido calls an authenticator. But that (confusion alert!) does not mean an authenticator app of the kind often used with two-factor authentication, because from the Alliance's point of view that is not considered phishing-proof. The authenticator can be the previously mentioned security key, which is connected via USB or Bluetooth to the device you want to log in from. Or you can use a device that already has a separate crypto chip installed and can speak the Fido2 protocol: many smartphones and laptops now have this type of technology, in which particularly sensitive data is processed in a protected area separated from the public part of the system.

Now, when the website connects to the authenticator via the browser, a cryptographic key pair is created: the public key is stored by the website, the private key stays on the authenticator. This key pair replaces the password. In addition, the user must confirm the process with a fingerprint or by entering a PIN on the authenticator. At least if you choose the latter option, you still need a password of sorts. But you don't have to remember a separate password for every website and every service. The authentication runs solely via the cryptographic key, which is different for each service. If hackers attack the website and steal user data, they only obtain the public part of the key pair, which they can do little with. If attackers get their hands on the authenticator, they have the private key, but they still don't have the fingerprint or the PIN with which the login must also be confirmed. Incidentally, this cryptographic key procedure is not an invention of Fido; it is used in numerous applications, such as end-to-end encryption for messengers. Rather, Fido2 is an attempt to provide website operators with a standard that they can use to create an alternative to the password. That's the theory.

Safer, but not necessarily more comfortable

In practice, however, only a few websites offer the password-free method; the best-known services include Twitter and GitHub. There are various reasons for the low spread: the developers of websites and web apps have to integrate WebAuthn into their product, and the entire login chain must also support the standard, from the browser to the operating system to a suitable authenticator, which has to be specially certified by the Fido Alliance. Windows Hello, which enables biometric sign-in on Windows 10, is one of them. So is the YubiKey. New Android and iOS versions support Fido2, as do all major browsers, but as field reports show, not all systems cooperate equally well with each other. And users also have to decide whether they want to use a USB key or whether their mobile device can take on the role of the authenticator.

In short: a number of requirements must currently be met in order to live the dream of a password-free login. And although passwords have earned their bad reputation in many cases, the alternatives are not necessarily better in all respects.

Physical security keys such as USB keys are close to the optimum in terms of security, but they have some disadvantages, the greatest being user-friendliness: using an additional device for authentication is often cumbersome in everyday life. It must also be ensured that the USB key works with all services. Once you have to carry a handful of USB keys on your keychain because certain services only support certain keys, consumers won't play along. The solution of using the smartphone and its crypto chip instead of a USB key seems much more attractive; after all, most people always have their cell phones to hand. But here, as with the USB solution, there is another problem: what happens if the device is lost or broken? Since half of the login key is stored on it, a login would no longer be possible, and that would be catastrophic from the users' point of view.

The Fido Alliance therefore recommends always registering a backup authenticator: for example, in addition to the smartphone, a USB key that would also work without a password in an emergency. Users must ensure that the backup is always up to date and constantly consider when and where to take it with them. Because this is cumbersome, consumers could instead resort to other available backup options, for example the emergency passwords that some websites offer for account recovery. The plan to get rid of passwords would then have failed.

Fido wants the next step

The Fido Alliance knows the problems. According to the latest white paper, most consumers do not want to lug around additional hardware. And the risk of loss or defects also prevents the process from spreading. To change that, Fido has an idea: if the common operating systems such as Android, iOS or Windows reliably support the Fido2 standard, why not hand over to them not only the authentication of individual logins, but also the administration of all the login data?

This idea is the innovation explained in the white paper that has now been published: as users move from device to device, their Fido credentials are already there and ready to be used. To put it simply, Fido recommends that the manufacturers of devices or operating systems take on a function similar to that of a password manager, except that no traditional passwords are stored, but rather cryptographic keys. The user registers with a website as described above, uses their laptop or smartphone as the authenticator, and confirms the process with a PIN or biometrics.

The operating system (Fido speaks somewhat vaguely of the "platform") then stores the data (more precisely: both the public and the secret key) not only locally on the device, as is currently the case, but also encrypted in the cloud: on PCs, so to speak, on a Microsoft server; on Android either with Google or with the manufacturer of the device, such as Samsung. If you then log on to a second or new device with the same fingerprint or account, the provider can assign the saved logins to the user and make them available immediately. A device loss would not be so bad. Still, the proposal seems counterproductive; after all, it is a security feature that the secret key is stored only on a device and not in the cloud.

In fact, since last year this procedure has been offered by a major operator: Apple. Passkeys in iCloud Keychain is the name of the feature, available in iOS 15 for developers and experienced users, that essentially enables exactly what Fido describes: login to websites and apps without a password and across multiple Apple devices.

The question of trust

Storing authentication data in the clouds of large IT platforms naturally requires a high degree of trust. That is not easy to establish, because there is already an acceptance problem among consumers, evident in their reluctance to use biometric data such as fingerprints or single sign-on solutions that let you log into other services with your Facebook or Google account. That may sound a little conservative, but it's understandable: for a long time, users have been taught to be particularly careful when managing their login data. A passwordless process that is not yet fully understood and in which the entire administration is placed in the hands of large platforms can be unsettling.

On the other hand, argues the Fido Alliance, large companies such as Apple and Google generally have a higher level of security than, for example, the provider of a normal online shop, where customer passwords may be poorly secured on a server. Even if the concerns are justified, the construction of a secure authentication structure that also works across platforms and the development of industry standards, as Fido is trying to do, is generally welcome.

Cross-platform is an important keyword. If you live completely in the Apple universe, you might be able to get by with passkeys in iCloud Keychain. But what if you have an iPhone but use a Windows PC? Or switch from iPhone to Android? It is unlikely that Apple will exchange login data with Microsoft in the background. The Fido Alliance has no answer to such questions; it makes the platforms responsible for finding a solution.

Couldn't the way to the passwordless world be accelerated if a large service like Facebook started to use Fido2 methods as standard instead of passwords? If users were introduced to passwordless procedures when registering a new Facebook or Instagram account, to get a taste for it? Facebook could probably introduce that easily. However, a significant proportion of users would probably drop out at this point because it is too complicated for them. And then we are faced with an economic decision: does big Facebook, or the small online grill shop, want to risk scaring away new, profitable users just so that passwords can be replaced by a secure procedure?

In order for the dream of a world without passwords to come true, a lot still has to happen. New, universally applicable standards are needed for a process that is as quick as it is convenient, along with economic incentives and a gentle introduction of people to the new technology. "Passwords are annoying, but they're comparatively convenient."
