Your phone could soon replace many of your passwords – Krebs on Security

Apple, Google and Microsoft announced this week that they will soon support an authentication approach that avoids passwords altogether and instead requires users only to unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but warn that a truly passwordless future may still be a long way off for most websites.


The technology giants are part of an industry-led effort to replace passwords, which are easy to forget, frequently stolen by malware and phishing, or leaked and sold online as a result of corporate data breaches.

Apple, Google and Microsoft are among the more active contributors to the passwordless login standard developed by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of companies over the past decade to develop a new login standard that works the same way across many browsers and operating systems.

According to the FIDO Alliance, users will be able to log into websites with the same steps they do multiple times a day to unlock their devices – including a device PIN or biometrics such as a fingerprint or a face scan.

“This new approach protects against phishing, and logging in will be radically more secure compared to passwords and older multi-factor technologies such as one-time passcodes sent via SMS,” the alliance wrote on May 5.

Sampath Srinivas, Google’s director of security authentication and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” that is used to unlock your online account.

“The passkey makes logging in much more secure, as it is based on public key cryptography and is only shown to your online account after you unlock your phone,” wrote Srinivas. “To sign in to a website on your computer, all you need is your phone nearby, and you’ll simply be asked to unlock it to gain access. Once you have done this, you no longer need your phone and can sign in just by unlocking your computer.”

As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users must sign in at every website to use the passwordless functionality. Under the new system, users will be able to access their passkeys automatically on multiple devices – without having to re-register each account – and use their mobile device to sign in to an app or website on a nearby device.

Johannes Ullrich, dean of research at the SANS Technology Institute, called the announcement “by far the most promising effort to tackle the authentication problem.”

“The most important part of this standard is that it will not require users to buy a new device, but instead can use devices they already own and know how to use as authenticators,” said Ullrich.

Steve Bellovin, a professor of computer science at Columbia University and an early Internet researcher and pioneer, called the passwordless effort “a huge advance” in authentication, but said it would take many websites a long time to get there.

Bellovin and others argue that a potentially difficult scenario in this new passwordless authentication scheme is someone losing their mobile device, or their phone breaking, while also being unable to remember their iCloud password.

“I’m worried about people who can’t afford an extra device or can’t easily replace a broken or stolen device,” said Bellovin. “I’m worried about recovering a forgotten password for my cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft also have cloud backup solutions that customers on those platforms can use to recover from a lost mobile device. But Bellovin said a lot depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account without authorization?” Bellovin wondered. “I think their protocols prevent it, but others disagree.”

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said websites will still need some sort of recovery mechanism for the “lost phone and password” scenario, which he described as “a really hard problem to execute safely, and already one of the biggest weaknesses of our current system.”

“If you forget your password and lose your phone and you can recover it, this is now a huge target for attackers,” Weaver said in an email. “If you forget your password and lose your phone and you CANNOT, well, now you have lost the authorization token that is used to log in. It will have to be the latter. Apple has the right infrastructure (iCloud Keychain), but it’s unclear whether Google does.”

Even so, he said, FIDO’s overall approach is an excellent tool for improving both security and usability.

“This is a really good step forward and I’m glad to see it,” said Weaver. “Using strong phone-owner authentication (if you have a decent passcode) is pretty nice. And at least in the case of the iPhone, it can be made immune even to compromises of the phone, because it is the secure enclave that handles it, and the secure enclave doesn’t trust the host operating system.”

Tech giants said new passwordless features will be rolled out on Apple, Google and Microsoft platforms “over the coming year.” But experts say it will likely take a few more years for smaller websites to adopt the technology and ditch passwords altogether.

Recent research shows that too many people are still reusing or recycling passwords (modifying the same password slightly), which poses a risk of account takeover when those credentials are eventually exposed in a data breach. A March report from cybersecurity firm SpyCloud found that 64 percent of users reuse passwords across multiple accounts, and that 70 percent of the credentials compromised in previous breaches are still in use.

The March 2022 white paper on the FIDO approach is available here (PDF). An FAQ on the subject is available here.
