Apple, Google and Microsoft announced this week that they will soon support an authentication approach that eliminates passwords altogether, instead requiring users to unlock their smartphones to log in to websites or online services. Experts say the change will defeat many types of phishing attacks and ease the overall password burden on Internet users, but warn that a truly passwordless future is still many years away for most websites.
The technology giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing scams, or leaked online in the wake of corporate data breaches.
Apple, Google and Microsoft have partnered with the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of technology companies over the past decade to develop a new login standard that works uniformly across multiple browsers and operating systems.
According to the FIDO Alliance, users will be able to log in to websites through the same action they already take several times a day to unlock their devices, including a device PIN or a biometric such as a fingerprint or face scan.
“This new approach protects against phishing and makes login more secure compared to traditional multi-factor technologies such as passwords and one-time passwords sent via SMS,” the alliance wrote on May 5.
Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey”, which is used to unlock your online account.
“Because it is based on public key cryptography, the passkey makes logging in far more secure, as it is only presented to your online account when you unlock your phone,” Srinivas wrote. “To log in to a website on your computer, you will need your phone nearby, and you will be asked to unlock it for access. Once you have done this you will no longer need your phone, and you can sign in just by unlocking your computer.”
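The origin-bound challenge-response that Srinivas describes, shown as an added illustration in Go (this is not code from the article or from the FIDO specifications; the relying-party IDs "example.com" and the look-alike "examp1e.com" are constructed, and the signed data is simplified to H(rpID) || H(challenge) rather than the full WebAuthn authenticator data). The point it demonstrates is why a phishing page cannot reuse the passkey: the browser derives the rpID from the page's real origin, the phone only holds a key for the genuine rpID, and the site verifies against its own rpID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the phone: one passkey (key pair) per relying-party ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register creates a passkey scoped to rpID and returns the public key the
// website stores. The private key never leaves the device.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}

// signedData binds every assertion to the rpID: H(rpID) || H(challenge).
// (Simplified stand-in for WebAuthn's authenticatorData || H(clientDataJSON).)
func signedData(rpID string, challenge []byte) []byte {
	h1, h2 := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	return append(h1[:], h2[:]...)
}

// Sign answers a challenge only if a passkey exists for the rpID that the
// browser derived from the page's real origin; a look-alike domain has none.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// Verify is the website side: it recomputes the data for its OWN rpID and the
// challenge it issued, so a signature made for another rpID cannot verify.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}

// Login runs one sign-in: siteRP is the site that issued the challenge,
// browserRP is the rpID of the page the browser is actually showing.
func Login(a *Authenticator, pub ed25519.PublicKey, siteRP, browserRP string) bool {
	challenge := make([]byte, 32) // fresh random challenge prevents replay
	_, _ = rand.Read(challenge)
	sig, err := a.Sign(browserRP, challenge)
	return err == nil && Verify(pub, siteRP, challenge, sig)
}
```

A relayed challenge from "examp1e.com" fails at the phone (no key for that rpID), and even a signature produced for some other rpID fails at the genuine site because the rpID hash is part of what is signed.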
As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users must sign in to each website separately to use the passwordless functionality. Under the new system, users’ passkeys will be available automatically across their devices, without having to re-register each account, and they will be able to use a mobile device to sign in to an application or website on a nearby device.
Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “the most promising attempt to resolve the authentication challenge”.
“The most important part of this standard is that users do not have to buy a new device, but instead can use the devices they already have and know how to use as authenticators,” Ullrich said.
Steve Bellovin, a professor of computer science at Columbia University and an early Internet researcher and pioneer, called the passwordless initiative “the biggest improvement” in authentication, but said many websites would take a long time to catch up.
Bellovin and others say the sticking point with the new passwordless scheme is what happens when someone loses their mobile device or their phone breaks: they will then have to recover access through their cloud account.
“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I’m worried about password recovery for cloud accounts.”
Google says that even if you lose your mobile phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up where your old device left off.”
Apple and Microsoft have similar cloud backup solutions that customers on their platforms can use to recover from a lost mobile device. But according to Bellovin, everything depends on how securely such cloud systems are managed.
“How easy is it to add a public key to another device without authentication?” Bellovin wondered. “I think their ethics make it impossible, but others do not agree.”
Nicholas Weaver, a lecturer in computer science at the University of California, Berkeley, said websites should still have some recovery mechanism for the case where “you lost your phone and your password”, which he described as “a very difficult problem to do securely and already one of the biggest weaknesses in our current system”.
“If you can forget your password, lose your phone, and still recover it, then this is now a big target for attackers,” Weaver said in an email. “If you forget your password and lose your mobile phone, you have now lost the authentication token you use to sign in. It has to be the latter. Apple has the infrastructure to support it (iCloud keychain), but it’s not clear whether Google does.”
Nonetheless, he said the overall FIDO approach is an excellent tool for improving both security and usability.
“It’s a good step and I’m glad to see this,” Weaver said. “It is fundamentally good to use the phone’s strong authentication of its owner (if you have a decent passcode). And at least for the iPhone, this can be made robust even against phone compromise, because it is the secure enclave that handles it, and the secure enclave does not trust the host operating system.”
The technology giants say the new passwordless capabilities will be rolled out “in the coming year” on Apple, Google and Microsoft operating systems. But experts say it will still take many years for smaller Internet sites to adopt the technology and get rid of passwords completely.
Recent research shows that a great many people reuse or recycle passwords (slightly modifying the same password), which creates a risk of account takeover when those credentials are exposed in a data breach. A March report from cybersecurity firm SpyCloud found that 64% of users reuse passwords across multiple accounts, and that 70% of credentials compromised in previous breaches are still in use.