Your phone could soon replace many of your passwords – Krebs on Security

Apple, Google and Microsoft announced this week that they will soon support an authentication approach that avoids passwords altogether and instead requires users to simply unlock their smartphones to log in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden for internet users, but warn that a true password-free future may still take years to complete.

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing programs, or leaked and sold online following security breaches.

Apple, Google and Microsoft are among the most active contributors to a passwordless login standard developed by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of technology companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to log in to websites with the same action they take multiple times a day to unlock their devices, such as entering a device PIN or using biometrics like a fingerprint or face scan.

“This new approach protects against phishing, and login will be radically more secure compared to passwords and legacy multi-factor technologies such as one-time passcodes sent via text message,” the alliance wrote on May 5.

Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey”, which is used to unlock your online account.

“The passkey makes logging in much more secure, as it is based on public key cryptography and is only displayed to your online account when you unlock your phone,” Srinivas wrote. “To log into a website on your computer, you’ll just need your phone nearby and you’ll just be prompted to unlock it to access it. Once you’ve done that, you won’t need your phone anymore, and you can log in by simply unlocking your computer.”

As ZDNet notes, Apple, Google, and Microsoft already support these passwordless standards (e.g., “Sign in with Google”), but users currently must enroll with each website separately to use the passwordless feature. Under this new system, users will be able to access their passkeys automatically across many of their devices, without having to re-enroll each account, and use their mobile device to log into an app or website on a nearby device.
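As an added illustration of why a public-key passkey resists phishing (this is not code from the article, the FIDO Alliance or any of the vendors named): a simplified model of the WebAuthn assertion flow in which the phone only signs after an unlock and binds every signature to the site identifier it was invoked for, so a lookalike site that relays a real challenge cannot produce a signature the real site accepts. A stdlib Lamport one-time signature stands in for the ECDSA/RSA keys real authenticators use; the site names, user name and the `webauthn.get|` framing are constructed for the demo.

```python
import hashlib, secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
# Lamport one-time signatures: a stdlib-only stand-in for the ECDSA/RSA keys real
# FIDO authenticators use; each key signs once, which is enough for this demo.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]
def sign(sk, msg: bytes):
    m = int.from_bytes(h(msg), "big")
    return [sk[i][(m >> i) & 1] for i in range(256)]
def verify(pk, msg: bytes, sig) -> bool:
    m = int.from_bytes(h(msg), "big")
    return all(h(sig[i]) == pk[i][(m >> i) & 1] for i in range(256))
def signed_data(rp_id: str, challenge: bytes) -> bytes:
    # rpIdHash + flags (UP|UV) + clientDataHash: the fields a WebAuthn assertion signs over
    return h(rp_id.encode()) + b"\x05" + h(b"webauthn.get|" + challenge)

class Phone:  # authenticator: one private key per site, used only after unlock
    def __init__(self):
        self.creds = {}
    def register(self, rp_id: str):
        self.creds[rp_id], pk = keygen()
        return pk                                    # only the public key leaves the phone
    def assert_login(self, rp_id: str, challenge: bytes, unlocked: bool):
        if not unlocked or rp_id not in self.creds:  # no PIN/biometric, or unknown site
            return None
        return sign(self.creds[rp_id], signed_data(rp_id, challenge))

class Website:  # relying party: keeps public keys, issues fresh challenges, checks assertions
    def __init__(self, rp_id: str):
        self.rp_id, self.users, self.pending = rp_id, {}, {}
    def enroll(self, user: str, phone: Phone):
        self.users[user] = phone.register(self.rp_id)
    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def verify_login(self, user: str, sig) -> bool:
        chal = self.pending.pop(user, None)          # single use, so no replay
        if sig is None or chal is None:
            return False
        return verify(self.users[user], signed_data(self.rp_id, chal), sig)  # rebuilt under OUR rp_id

def demo() -> dict:
    phone, bank, evil = Phone(), Website("bank.example"), Website("bank-example.evil")
    bank.enroll("alice", phone)
    evil.enroll("alice", phone)                      # worst case: user was also enrolled on the lookalike
    legit = bank.verify_login("alice", phone.assert_login(bank.rp_id, bank.challenge("alice"), True))
    phished = bank.verify_login("alice", phone.assert_login(evil.rp_id, bank.challenge("alice"), True))  # relayed challenge, signed under evil.rp_id
    return {"legit": legit, "phished": phished}
```

A locked phone returns no assertion at all, which is the “unlock your phone” step the article describes; the relayed-challenge case fails because the signed data is rebuilt by the bank under its own identifier.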

Johannes Ullrich, dean of research at the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it won’t require users to purchase a new device, but instead they will be able to use devices they already own and know how to use as authenticators,” Ullrich said.

Steve Bellovin, a Columbia University computer science professor and one of the earliest internet researchers and pioneers, called the passwordless effort a “huge advance” in authentication, but said it will take a long time for many websites to catch up.

Bellovin and others say a potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks down, and they can’t remember their iCloud password.

“I worry about people who can’t afford an extra device or can’t easily replace a broken or stolen device,” Bellovin said. “I’m worried about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will be securely synced to your new phone from cloud backup, allowing you to pick up where your old device left off.”

Apple and Microsoft also have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said a lot depends on the security of administering these cloud systems.

“Is it easy to add another device’s public key to an account, without permission?” Bellovin wondered. “I think their protocols make that impossible, but others disagree.”

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said websites still need to have a recovery mechanism for the “you’ve lost your phone and password” scenario, which he described as “a really difficult problem to fix securely and already one of the greatest weaknesses of our current system.”

“If you forget the passcode and lose your phone and can get it back, that’s now a huge target for attackers,” Weaver said in an email. “If you forget the password and you lose your phone and you CANNOT, well, you have now lost your authorization token used to log in. It will have to be the latter. Apple has the infrastructure in place to support it (iCloud Keychain), but it’s unclear if Google does.”

Even so, he said, FIDO’s holistic approach has been a great tool for improving both security and usability.

“It’s a very, very good step forward, and I’m excited to see that,” Weaver said. “Taking advantage of strong phone owner authentication (if you have a decent password) is pretty nice. And at least for the iPhone, you can make this robust even to a compromise of the phone, because it’s the secure enclave that would handle that, and the secure enclave doesn’t trust the host OS.”

The tech giants said the new passwordless features will be enabled across Apple, Google and Microsoft platforms “over the coming year”. But experts said it will likely take several more years for smaller web destinations to embrace the technology and ditch passwords altogether.

Recent research shows that far too many people are still reusing or recycling passwords (modifying the same password slightly), posing a risk of account takeover when those credentials are ultimately exposed in a data breach. A report in March from cybersecurity firm SpyCloud found that 64% of users reuse passwords across multiple accounts and that 70% of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ about it is here.