Will a passwordless system give too much power to big tech companies? The FIDO Alliance is trying to make passwords obsolete


Password protection has been the backbone of online security for decades, but the rapid evolution of hacking techniques and malware has required a new way of doing things: multi-factor authentication. Many companies have moved to this mode of authentication because it can add an extra layer of defense, and the natural end result of this progression seems to be a completely passwordless world.

FIDO (for Fast IDentity Online), an alliance of several companies (including Google, Apple, Meta and Microsoft) that has existed since 2013, is trying to speed up the obsolescence of passwords. Together with the World Wide Web Consortium, FIDO is working to create and implement standards for a largely password-free Internet. According to the alliance's blog, these standards are already supported by billions of devices and by all modern web browsers.

Specifically, the plan is to implement support for password-free FIDO login standards across all platforms. Google mentions Chrome, ChromeOS, and Android. Implementation is expected to take place this year. Instead of a password, a FIDO credential, called a passkey, can be saved on the user's smartphone. This credential confirms the user's registration with an online service. This works similarly to credit card payment authorization with 3D-Secure 2.0.

In a joint effort to make the web more secure and usable, Apple, Google and Microsoft today announced plans to expand support for a common password-free login standard created by the FIDO Alliance and the World Wide Web Consortium. The new feature will allow websites and applications to provide consumers with consistent, secure, and simple password-free sign-in across all devices and platforms.

Password-only authentication is one of the most important security issues on the web, and managing so many passwords is cumbersome for consumers, who often end up reusing them across services. This practice can lead to costly account takeovers, data breaches, and even identity theft. While password managers and older forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create a more convenient and secure login technology.

These extended standards-based capabilities will give websites and applications the ability to offer an end-to-end password-free option. Users will sign in with the same action they perform many times a day to unlock their devices, such as a simple fingerprint or facial verification, or a device PIN. This new approach protects against phishing, and logging in will be radically more secure compared to legacy passwords and multi-factor technologies such as one-time passwords sent via SMS.

Hundreds of technology companies and service providers around the world have worked through the FIDO Alliance and W3C to create password-free login standards that are already supported by billions of devices and all modern web browsers. Apple, Google and Microsoft led the development of this extended feature set and are now incorporating support into their respective platforms.

These companies' platforms already support FIDO Alliance standards to allow password-free sign-in on billions of cutting-edge devices, but previous implementations required users to sign in to every website or application with each device before the password-free feature could be used. The FIDO announcement expands these platforms' deployments to provide users with two new, more transparent and secure password-free login features:

  • Allows users to automatically access their FIDO login credentials (some call them passkeys) on many of their devices, even new ones, without having to re-register each account.
  • Allows users to use FIDO authentication on their mobile device to sign in to an application or website on a nearby device, regardless of the operating system platform or browser the nearby device is running.
  • In addition to providing a better user experience, broad support for this standards-based approach will allow service providers to offer password-free FIDO credentials as an alternative method of login or account recovery.

These new features are expected to be available on Apple, Google and Microsoft next year.

Your phone may soon replace many of your passwords

Experts said the changes should help defeat many types of phishing attacks and ease the overall burden of passwords for Internet users, but warn that a truly passwordless future could still be years away for most websites.

However, some believe that this could lock users into a given ecosystem. Taking the case of Face ID authentication on the iPhone, one expert wonders: if everything from your bank account to your Twitter account is only accessible through facial recognition, your iPhone becomes even more important, and this could discourage you from moving away from that ecosystem. Google, Amazon, and most other major technology companies also support the initiative, but this possible unwanted side effect should still be considered. Users already struggle to switch from iOS to Android and vice versa, and this new initiative could make that even more pronounced.

Some suggest a blockchain-based solution where your facial identification is securely stored in the form of an NFT, as this would take control out of the hands of large technology companies. However, it remains to be seen whether any of these solutions are sustainable; otherwise we may continue to rely on passwords to lock our accounts.

Sampath Srinivas, Google's director of security authentication and president of the FIDO Alliance, said that with the new system, your phone will store a FIDO credential called a passkey that is used to unlock your online account.

“The passkey makes your login much more secure, as it is based on public key cryptography and is only presented to your online account when you unlock your phone,” wrote Srinivas. “To sign in to a website on your computer, all you need is your phone, and you'll only be asked to unlock it. Once you've done that, you'll no longer need your phone, and you'll be able to sign in simply by unlocking your computer.”

As noted by the FIDO Alliance, Apple, Google, and Microsoft already support these passwordless standards (e.g., “Sign in with Google”), but users must sign in to each website to use the password-free feature. With this new system, users will be able to automatically access their passkeys on multiple devices, without having to re-register each account, and use their mobile device to sign in to an app or website on a nearby device.

Johannes Ullrich, dean of research at the SANS Technology Institute, believes that this announcement is by far the most promising effort to meet the challenge of authentication: “The most important part of this standard is that it will not require users to buy a new device; instead, they will be able to use devices they already own and know how to use as authenticators,” said Ullrich.

Steve Bellovin, a computer science professor at Columbia University and an early Internet researcher and pioneer, believes that this password removal initiative is an advance in authentication standards, but said it will take a long time for many websites to be updated.

Bellovin and others say a potentially complicated scenario in this new password-free authentication scheme is what happens when someone loses their mobile device, or their phone breaks, and they can't remember their iCloud password.

“I'm concerned about people who can't afford an extra device or who can't easily replace a broken or stolen device,” Bellovin said. “I'm worried about recovering a forgotten password for cloud accounts.”

Google says that even if you lose your phone, your passwords will be securely synced to your new phone from the cloud backup, allowing you to pick up where your old device left off.

Apple and Microsoft also have cloud backup solutions that customers on these platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely these cloud systems are managed. “Is it easy to add another device's public key to an account without permission?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

Source: FIDO Alliance

And you?

Have you ever used an authentication tool other than your phone's password (for example, your fingerprint) when signing in to a supported application (WhatsApp, certain banking applications, and others)?
Have you ever had to use your phone to sign in to a service (for example, Google services when you want to use your YouTube account on your TV or your Gmail account on your computer)?
What do you think overall? Would you rather have another authentication tool used by default, or have it enabled only if the user chooses to?
Will a passwordless system give too much power to big tech companies?
