New cross-platform password-less authentication system in the works

In summary, Apple, Google, and Microsoft will kill passwords and phishing in one stroke by using fingerprint and facial recognition technology, and storing the private key in the cloud.
  • #1
jtbell
How Apple, Google, and Microsoft will kill passwords and phishing in one stroke (Ars Technica)

The key acronym is FIDO (Fast IDentity Online).

As I understand it, basically, you authenticate yourself to a website or service on your phone using a fingerprint or facial recognition as can already be done. To authenticate yourself on e.g. your desktop computer, it communicates with your nearby phone via Bluetooth, and the phone does the fingerprint or facial recognition thing.

Lots of layers and details here. I'm not sure I really understand it yet. There are some helpful "promoted comments" at the end.
 
  • #2
Doesn't appeal to me. I'm fine with how things run at the moment.
 
  • Like
Likes MikeeMiracle
  • #3
I'm not. Passwords are hell.
 
  • Like
Likes phinds and vela
  • #4
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.

I also hope that Microsoft doesn't require an online connection or a smart phone to unlock your laptop.

Sometimes, technical advances improve things for 95% of the people and make it worse for the tiny minorities.
 
  • Like
Likes Wrichik Basu and StevieTNZ
  • #5
One big change underlying the system is that it uses a public-private key pair for authentication instead of a password. The other party only gets your public key, and it doesn't matter if it's intercepted or stolen by a hacker as it's useless without the private key.

Your phone is the second factor needed for authentication. When you want to log into a website or service from your computer, your phone has to be nearby to unlock the private key. This makes it impossible for a hacker to break into your account from a remote location.

I've heard numerous complaints about how TouchID doesn't work reliably for some people on their iPhones. With my mom, for instance, it's pretty hit and miss whether the phone recognizes her fingerprint. I'm guessing that you should also be able to authenticate using the phone's passcode, just like you can with ApplePay when TouchID fails.

The system is based on the assumption that most people have smartphones these days, but I wonder what happens if your phone is lost, stolen, or broken. Does that mean you'd be locked out of your accounts until you can get it fixed or replaced?
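
Added example, not part of any post in this thread: a simplified sketch of the public-key challenge-response login described in post #5, using Node's built-in `crypto` module. The function names, the `.example` origins and the JSON client-data layout are assumptions for illustration; real WebAuthn also signs authenticator data that is left out here.

```javascript
// Added illustration: simplified FIDO-style login. Real WebAuthn also signs
// authenticator data (RP ID hash, flags, counter), which is omitted here.
const crypto = require("crypto");

// Registration: the device creates a key pair; only the public key is sent.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge per login attempt.
const newChallenge = () => crypto.randomBytes(32).toString("hex");

// Device: sign the challenge together with the origin the browser reports.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: check the signature, then the challenge and origin it covers.
function verifyAssertion(serverRecord, assertion, expectedChallenge, expectedOrigin) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify("sha256", data, serverRecord.publicKey, assertion.signature)) return "bad-signature";
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return "stale-challenge";
  if (origin !== expectedOrigin) return "wrong-origin";
  return "ok";
}

function demo() {
  const origin = "https://bank.example"; // constructed relying-party origin
  const { authenticator, serverRecord } = register();
  const c1 = newChallenge();
  const good = signAssertion(authenticator, c1, origin);
  const c2 = newChallenge();
  // A look-alike page relays the real challenge, but the browser reports its own origin.
  const phished = signAssertion(authenticator, c2, "https://bank-login.example");
  // Holding only the public key, a third party has to sign with some other private key.
  const forged = signAssertion(register().authenticator, c2, origin);
  return {
    legitimate: verifyAssertion(serverRecord, good, c1, origin),
    replayed: verifyAssertion(serverRecord, good, c2, origin),
    phished: verifyAssertion(serverRecord, phished, c2, origin),
    forged: verifyAssertion(serverRecord, forged, c2, origin),
  };
}

console.log(demo());
```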
 
  • #6
anorlunda said:
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.
I'd expect this authentication method would have to be opt-in.

IIRC, Microsoft's announcement explicitly stated you could use your phone's PIN.
 
  • #7
Whoever invented case-sensitive passwords needs to be kicked in the head.
vela said:
but I wonder what happens if your phone is lost, stolen, or broken.
You can log in with one of your other devices (home pc, watch, car maybe) and then deactivate your phone. The person stealing one of these things will not be able to do anything without your fingerprint or pin. A phone could also detect things like a grab-and-run via its motion sensor, and thus dial up security or take a picture of the person holding the phone and trying to change settings.
 
  • #8
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
 
  • #9
vela said:
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
The author of the article said this in response to that question.
Storing the passkey on a phone is an option, not a requirement. You're free to store it elsewhere (e.g. on your laptop, a Yubikey, etc.) if you want.
 
  • #10
From what I understand, the idea is to store the private key in the cloud, encrypted of course, so losing or replacing a device doesn't get you locked out of your accounts.

My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored. The document from the FIDO Alliance seems to suggest this.
 
  • #11
vela said:
My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored.
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.

For further information see this PDF white paper.
 
  • #12
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
 
  • #13
sandy stone said:
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
Yes, in the same way as you can use any other app whilst acting as a hotspot. The only thing you can't normally do while acting as a hotspot (i.e. a WiFi connection provider) is connect to a WiFi connection.
 
  • #14
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
 
  • #15
pbuk said:
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.
So you're saying it's recommended but not required? It didn't seem clear to me when I scanned the white paper a few days ago.

Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor. It's biometric and local therefore non-phishable. It seems to address the same issues. (And it's how I can currently log into Apple's websites.) Or say I have a Yubikey to use as a second factor. It seems requiring the use of the phone is unnecessarily restrictive though it'll be the method the majority of people would likely use.
 
  • #16
MikeeMiracle said:
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.
 
  • Like
Likes pbuk
  • #17
vela said:
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.

From the linked white paper...

"Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s"

And here lies the problem. You're creating a single point of authentication so any compromise has a much bigger effect as it's used in more places.

Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
 
  • #18
vela said:
So you're saying it's recommended but not required?
Correct. Multi-device is recommended and is what public services will use. For some implementations single device credentials are required (e.g. logging on to a company network with a company-issued smart ID tag).

vela said:
Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor.
Yes, that is the idea (although FIDO authentication is designed to be passwordless).

vela said:
Or say I have a Yubikey to use as a second factor.
Yes, Yubikeys support FIDO2.
 
  • Like
Likes vela
  • #19
MikeeMiracle said:
Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

Your objection does remind me about how "experts" warned against using password managers because if a hacker got your database, they would gain access to everything. They're a single point of failure! It turned out to be a fear that in real life was largely unfounded, and the use of password managers greatly increased the security and convenience for the vast majority of users.
 
  • Like
Likes pbuk
  • #20
pbuk said:
Yes, that is the idea (although FIDO authentication is designed to be passwordless).
Just wanted to mention TouchID is passwordless. It's just a question of whether I biometrically authenticate on my computer or on, say, my phone. It wasn't clear to me if FIDO required the use of a separate second device in proximity to my computer.
 
  • #21
vela said:
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

I will do, need more lower level info about how it works :)
 

FAQ: New cross-platform password-less authentication system in the works

What is a cross-platform password-less authentication system?

A cross-platform password-less authentication system is a method of verifying a user's identity without the use of traditional passwords. This system allows users to log in to multiple platforms or devices using a single form of authentication, such as biometrics or a security key.

How does a password-less authentication system work?

A password-less authentication system relies on alternative forms of identification, such as biometric data or security keys, to verify a user's identity. This information is unique to the user and cannot be easily replicated, providing a higher level of security than traditional passwords.

What are the benefits of using a password-less authentication system?

Password-less authentication systems offer several benefits, including increased security, convenience, and user experience. Without the need for passwords, users no longer have to worry about remembering and managing multiple login credentials, and the use of biometric data or security keys can provide a more secure form of identification.

Is a password-less authentication system compatible with all devices and platforms?

While many cross-platform password-less authentication systems are designed to work across a wide range of devices and platforms, compatibility may vary. It is important to check the system's specifications and requirements to ensure compatibility with the desired devices and platforms.

How can a company implement a password-less authentication system?

Companies can implement a password-less authentication system by choosing an appropriate system and integrating it with their existing login processes. This may involve working with a third-party provider or developing a custom solution in-house. Proper training and communication with users is also important to ensure a smooth transition to the new system.
