New cross-platform password-less authentication system in the works

  • #1

jtbell

How Apple, Google, and Microsoft will kill passwords and phishing in one stroke (Ars Technica)

The key acronym is FIDO (Fast IDentity Online).

As I understand it, basically, you authenticate yourself to a website or service on your phone using a fingerprint or facial recognition as can already be done. To authenticate yourself on e.g. your desktop computer, it communicates with your nearby phone via Bluetooth, and the phone does the fingerprint or facial recognition thing.

Lots of layers and details here. I'm not sure I really understand it yet. There are some helpful "promoted comments" at the end.
 

Answers and Replies

  • #2
Doesn't appeal to me. I'm fine with how things run at the moment.
 
  • #3
I'm not. Passwords are hell.
 
  • #4
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.

I also hope that Microsoft doesn't require an online connection or a smart phone to unlock your laptop.

Sometimes, technical advances improve things for 95% of the people and make it worse for the tiny minorities.
 
  • #5
One big change underlying the system is that it uses a public-private key pair for authentication instead of a password. The other party only gets your public key, and it doesn't matter if it's intercepted or stolen by a hacker as it's useless without the private key.

Your phone is the second factor needed for authentication. When you want to log into a website or service from your computer, your phone has to be nearby to unlock the private key. This makes it impossible for a hacker to break into your account from a remote location.

I've heard numerous complaints about how TouchID doesn't work reliably for some people on their iPhones. With my mom, for instance, it's pretty hit and miss whether the phone recognizes her fingerprint. I'm guessing that you should also be able to authenticate using the phone's passcode, just like you can with ApplePay when TouchID fails.

The system is based on the assumption that most people have smartphones these days, but I wonder what happens if your phone is lost, stolen, or broken. Does that mean you'd be locked out of your accounts until you can get it fixed or replaced?
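The key-pair point in post #5 is easier to see in working code. The following is an added example, not code from the thread, the Ars Technica article or the FIDO Alliance: a simplified relying party (the website) that stores only a public key and issues random challenges, and a device that signs each challenge with a private key that never leaves it. The origin-binding step is a stand-in for what WebAuthn does with client data and the RP ID; the origin strings and credential id are constructed sample values. It shows why the public key is harmless if leaked, why a relayed challenge signed on a look-alike site fails verification, and why an old signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator models the user's device (phone, laptop with TouchID, security key).
// The private key is generated here and never leaves this struct; the fingerprint
// or PIN check that gates Sign on a real device is not modelled.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// RelyingParty models the website. It holds only public keys plus the challenges
// it has issued and not yet consumed, so a captured signature cannot be replayed.
type RelyingParty struct {
	origin     string
	pubs       map[string]ed25519.PublicKey // credential id -> public key
	challenges map[string]bool              // hex(challenge) -> still outstanding
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubs: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Register creates a key pair on the device and gives the site only the public half.
func Register(rp *RelyingParty, credID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubs[credID] = pub
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues a fresh 32-byte random challenge and remembers it.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// signedMessage binds the challenge to the origin the browser actually connected to
// (simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the device does once the user has unlocked it. The origin comes from
// the browser, not from the user, so a look-alike site cannot obtain a signature for
// the real one.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// Verify checks the signature against the stored public key and the site's own origin,
// and consumes the challenge so the same signature is rejected a second time.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return false // unknown or already-used challenge
	}
	delete(rp.challenges, key)
	pub, ok := rp.pubs[credID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.origin, challenge), sig)
}

// Outcome records a normal login, a login relayed through a look-alike origin,
// and a replay of an earlier valid signature.
type Outcome struct{ Legit, Phished, Replayed bool }

func RunScenario() (Outcome, error) {
	rp := NewRelyingParty("https://bank.example") // constructed sample origin
	dev, err := Register(rp, "cred-1")
	if err != nil {
		return Outcome{}, err
	}
	c1, err := rp.NewChallenge()
	if err != nil {
		return Outcome{}, err
	}
	sig1 := dev.Sign("https://bank.example", c1) // browser reports the genuine origin
	legit := rp.Verify("cred-1", c1, sig1)

	c2, err := rp.NewChallenge()
	if err != nil {
		return Outcome{}, err
	}
	sig2 := dev.Sign("https://bank-example.test", c2) // relayed challenge, wrong origin
	phished := rp.Verify("cred-1", c2, sig2)

	replayed := rp.Verify("cred-1", c1, sig1) // challenge c1 was already consumed
	return Outcome{Legit: legit, Phished: phished, Replayed: replayed}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v phished=%v replayed=%v\n", o.Legit, o.Phished, o.Replayed)
}
```

Nothing in the relying party's storage can produce a signature, which is the property post #5 describes; the later "compromise one device" objection concerns the device or sync store where the private key lives, not the website's copy of the public key.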
 
  • #6
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.
I'd expect this authentication method would have to be opt-in.

IIRC, Microsoft's announcement explicitly stated you could use your phone's PIN.
 
  • #7
Whoever invented case-sensitive passwords needs to be kicked in the head.
but I wonder what happens if your phone is lost, stolen, or broken.
You can log in with one of your other devices (home PC, watch, car maybe) and then deactivate your phone. The person stealing one of these things will not be able to do anything without your fingerprint or PIN. A phone could also detect things like a grab-and-run via its motion sensor, and thus dial up security or take a picture of the person holding the phone and trying to change settings.
 
  • #8
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
 
  • #9
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
The author of the article said this in response to that question.
Storing the passkey on a phone is an option, not a requirement. You're free to store it elsewhere (e.g. on your laptop, a Yubikey, etc.) if you want.
 
  • #10
From what I understand, the idea is to store the private key in the cloud, encrypted of course, so losing or replacing a device doesn't get you locked out of your accounts.

My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored. The document from the FIDO Alliance seems to suggest this.
 
  • #11
My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored.
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO Alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.

For further information see this PDF white paper.
 
  • #12
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
 
  • #13
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
Yes, in the same way as you can use any other app whilst acting as a hotspot. The only thing you can't normally do while acting as a hotspot (i.e. a WiFi connection provider) is connect to a WiFi connection.
 
  • #14
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
 
  • #15
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO Alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.
So you're saying it's recommended but not required? It didn't seem clear to me when I scanned the white paper a few days ago.

Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor. It's biometric and local, therefore non-phishable. It seems to address the same issues. (And it's how I can currently log into Apple's websites.) Or say I have a Yubikey to use as a second factor. It seems requiring the use of the phone is unnecessarily restrictive, though it'll be the method the majority of people would likely use.
 
  • #16
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.
 
  • #17
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.

From the linked white paper...

"Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s"

And here lies the problem. You're creating a single point of authentication, so any compromise has a much bigger effect as it's used in more places.

Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
 
  • #18
So you're saying it's recommended but not required?
Correct. Multi-device is recommended and is what public services will use. For some implementations single device credentials are required (e.g. logging on to a company network with a company-issued smart ID tag).

Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor.
Yes, that is the idea (although FIDO authentication is designed to be passwordless).

Or say I have a Yubikey to use as a second factor.
Yes, Yubikeys support FIDO2.
 
  • #19
Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

Your objection does remind me about how "experts" warned against using password managers because if a hacker got your database, they would gain access to everything. They're a single point of failure! It turned out to be a fear that in real life was largely unfounded, and the use of password managers greatly increased the security and convenience for the vast majority of users.
 
  • #20
Yes, that is the idea (although FIDO authentication is designed to be passwordless).
Just wanted to mention TouchID is passwordless. It's just a question of whether I biometrically authenticate on my computer or on, say, my phone. It wasn't clear to me if FIDO required the use of a separate second device in proximity to my computer.
 
  • #21
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

I will do, need more lower-level info about how it works :)
 
