
For more than a decade, we have been promised that a world without passwords is just around the corner, and yet year after year this security nirvana has remained out of reach. Now, for the first time, a working form of password-free authentication is about to become available to the masses, in the form of a standard adopted by Apple, Google and Microsoft that works across platforms and services.

Past attempts to kill the password have suffered from many problems. A major drawback was the lack of a viable recovery mechanism when someone lost control of a phone number, a physical token, or the phone associated with an account. Another limitation was that most solutions ultimately failed to be truly password-free. Instead, they gave users the option to log in with a face or fingerprint scan, but these systems eventually fell back to a password, and that meant the phishing, password reuse and forgotten passwords that made us hate passwords in the first place never went away.

A new approach

What’s different this time is that Apple, Google and Microsoft all appear to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for users and cheaper for large services like GitHub and Facebook to deploy. It has also been thoroughly developed and vetted by cryptography and security experts.

A layout of what password-free authentication will look like. (Image: FIDO Alliance)

Current multifactor authentication (MFA) methods have made important strides in the last five years. Google, for example, lets me download an iOS or Android app that I use as a second factor when I sign in to my Google Account from a new device. Based on CTAP, short for Client to Authenticator Protocol, this system uses Bluetooth to ensure that the phone is physically close to the new device and that the new device is actually connected to Google and not to a site masquerading as Google. That means it is not phishable. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.

Google also offers an Advanced Protection Program that requires physical keys, either standalone security keys or the end user’s phone, to authenticate sign-ins from new devices.

The big limitation right now is that MFA and password-free authentication are deployed differently, if at all, by each service provider. Some providers, such as most banks and financial services, still send one-time passwords via SMS or email. Recognizing that these are not secure channels for security-sensitive secrets, many services have switched to a method known as TOTP, short for time-based one-time password, which adds a second factor that augments the password with “something I have.”
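To make the TOTP mechanism concrete, here is an added example of RFC 4226/6238 one-time-password generation and server-side verification in plain Python. It is not code from the article or from the FIDO Alliance; it uses only the standard library and the RFC 6238 reference secret as a constructed demo value. The verify function also shows, by omission, why TOTP is phishable: nothing in the code it accepts identifies the site the user typed it into.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current interval and `skew`
    intervals either side (clock drift), comparing in constant time.
    Note what is absent: nothing ties the code to the origin it was entered
    on, so a code relayed through a lookalike site verifies just as well."""
    for k in range(-skew, skew + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demo value: the RFC 6238 reference secret. In a real deployment
# the shared secret is provisioned once (typically via a QR code) and stored
# by both the authenticator app and the service.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))   # 94287082, the RFC 6238 test vector
    print(totp(RFC_SECRET, time.time()))    # what an authenticator app shows now
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 1234567890), 1234567890))
```

A production verifier should additionally remember the last interval it accepted for each user and refuse a second use of the same code, otherwise a code captured once remains valid for the whole skew window.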

Physical security keys, TOTP, and to a lesser extent two-factor authentication via SMS and email are important steps forward, but three key limitations remain. First, TOTPs generated by authenticator apps or sent by text or email are phishable, just like regular passwords. Second, each service runs its own closed MFA platform. This means that even when using non-phishable forms of MFA, such as standalone physical keys or phone-based keys, the user needs a separate enrollment for Google, Microsoft and every other property on the Internet. To make matters worse, each OS platform has its own MFA deployment mechanisms.
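The phishing resistance claimed above for CTAP/FIDO-style login, as opposed to TOTP, comes from origin binding: the browser stamps the origin it actually loaded into the data the authenticator signs, and the relying party checks it. The following added example simulates that exchange in Python; it is not code from the article or from any FIDO implementation. It assumes constructed domain names (`accounts.example`, `accounts-example.test`), and it substitutes an HMAC over a shared key for the per-site public-key signature a real authenticator would produce, so that it runs with the standard library alone. The structure of what is signed and what is checked is the WebAuthn one.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the credential's private key. In FIDO this is an asymmetric key
# pair whose private half never leaves the authenticator; HMAC with a shared
# key is used here only so the block needs no third-party library.
DEVICE_KEY = secrets.token_bytes(32)   # constructed for this demo


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side WebAuthn rule: the requested RP ID must equal the origin's
    host or be a parent domain of it (the public-suffix check is omitted)."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin: str, rp_id: str, challenge: str):
    """The browser builds clientData from the origin it really loaded, never
    from anything the page claims, then has the authenticator sign it."""
    if not rp_id_allowed(origin, rp_id):
        raise PermissionError(f"origin {origin} may not use RP ID {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash, flags
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(expected_origin: str, rp_id: str, issued_challenge: str,
              client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: type, origin and challenge inside clientData, the
    RP ID hash in the authenticator data, and the signature over both."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != issued_challenge:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def legitimate_login() -> bool:
    """User on the real site: everything lines up."""
    challenge = secrets.token_urlsafe(32)
    cd, ad, sig = browser_get_assertion(
        "https://accounts.example", "accounts.example", challenge)
    return rp_verify("https://accounts.example", "accounts.example",
                     challenge, cd, ad, sig)


def relayed_from_lookalike() -> bool:
    """A lookalike site forwards the real site's challenge to the user and
    relays the resulting assertion. The browser stamped the lookalike's origin
    into clientData, so the real relying party rejects it; a relayed TOTP code
    would have been accepted."""
    challenge = secrets.token_urlsafe(32)
    cd, ad, sig = browser_get_assertion(
        "https://accounts-example.test", "accounts-example.test", challenge)
    return rp_verify("https://accounts.example", "accounts.example",
                     challenge, cd, ad, sig)


def lookalike_requests_real_rp_id() -> bool:
    """The lookalike asks for the real site's RP ID instead; the browser refuses
    before the authenticator is ever involved."""
    try:
        browser_get_assertion("https://accounts-example.test",
                              "accounts.example", "irrelevant")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(legitimate_login(), relayed_from_lookalike(), lookalike_requests_real_rp_id())
```

Two layers do the work: the browser will not hand a site another domain's credential at all, and even an assertion the lookalike legitimately obtains for its own domain carries that domain in the signed client data, so it cannot be replayed against the real service.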

These problems lead to the third: near-total unusability for most end users, and the non-trivial cost and complexity that every service faces when trying to offer MFA.

https://arstechnica.com/?p=1852766
