In a joint effort, tech giants Apple, Google, and Microsoft announced Thursday morning that they have committed to building support for passwordless sign-in across all of the mobile, desktop, and browser platforms that they control in the coming year. Effectively, this means that passwordless authentication will come to all major device platforms in the not too distant future: Android and iOS mobile operating systems; Chrome, Edge, and Safari browsers; and the Windows and macOS desktop environments.
[…]A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services, as Google detailed in a blog post published Thursday. Unlocking the phone with whatever is set as the default action — entering a PIN, drawing a pattern, or using fingerprint unlock — will then be enough to sign in to web services without the need to ever enter a password, made possible through the use of a unique cryptographic token called a passkey that is shared between the phone and the website.
Passwords are a terrible security practice, and while password managers make the whole ordeal slightly less frustrating, using my phone’s fingerprint reader to log into stuff seems like a very welcome improvement.
Thom Holwerda,
There are well-known problems with biometrics though, in particular that biometrics are permanent: they can't be changed once compromised. Some methods are safer than others, but I don't know that any will be safe in the long term.
Whether it’s good enough will probably depend on the application. Social media and email? It’s probably enough for the general public who aren’t VIPs with targets on their backs. But for banking, medical records or the like where both the incentives and harms are greater I don’t think so. The need for secret keys will never go away entirely as the security mantra says “something you have plus something you know”.
The fact that companies like Google will have the hashes technically increases the risk. Hashes, especially fuzzy ones, can be brute-forced.
Granted users would assume that google would keep them safe, but considering the permanent nature of biometrics it is a risk.
Yeah, and he will never ever lose his phone.
Yeah, and his phone will never suddenly run out of charge without a possibility of charging it.
Yeah, and his phone will always work.
Not to mention that:
Many users don’t have a smartphone.
Many refuse to use a smartphone.
Many cannot use a smartphone.
If this thing will be the only method of authorization, it's gonna be a disaster for millions of people. We already have MFA and e.g. Google Authenticator. Don't understand what the whole thing is about.
Time and again Thom proves the whole world is centered around well-off, smart, educated, sane, young 1st world country citizens. Others simply don't exist.
I’m a 1st world educated citizen but I simply hate phones, especially smartphones. They have their use (sometimes), but most of the time their best use is “none”.
Being dependent on a “smart”phone is risky, as you already pointed out.
For a moment, I hoped to have ssh-like public/private-key auth., but no… Humanity must be controlled using smartphones…
They will try to do it, because most people have phones with them all the time, so it's practical. I guess that when you don't have your phone you can still use a password.
Marshal Jim Raynor,
During a transition period, of course passwords have to be supported in parallel to FIDO, but hypothetically after a transition period employers/schools/banks/government services/etc. could start to require it unconditionally. There's no guarantee they'll keep password authentication around as a supported login method after most users have switched.
What I’m reading seems to suggest that the service provider and not the user is going to be in control of FIDO authentication methods.
https://www.pingidentity.com/en/resources/blog/posts/2021/fast-identity-online-fido.html
This makes me very worried because it is very likely that only the dominant providers (like MS/google/apple) will be accepted by services in practice. Alternative implementations (whether browsers or operating systems) are likely to be left out in the cold.
Without some explicit assurances that the owner has an explicit say over the authentication methods that suit us and NOT give that power over to the service provider, then I have to strongly protest FIDO on the basis that it will effectively consolidate authentication power to a few dominant providers while making alternatives non-viable.
FIDO sounds like something the oligopolies will love.
@Alfman We’ll see. FIDO’s protocols are also what are used by these things that I use and, given that Yubico is the big name in hardware crypto tokens and was part of the group of companies that designed FIDO, I doubt they’ll allow their products to be left out in the cold without a fight.
Hell, if it’s just an agreement to ensure client-side FIDO devices are ubiquitous enough that sites can stop requiring you enable a TOTP authenticator option as a backup before allowing you to enable U2F/WebAuthn “in case your client doesn’t support U2F/WebAuthn”, then it’ll be a good thing, since the full-blown YubiKey only has storage for about 30 (32?) TOTP secrets and I don’t want to use a phone app as a TOTP authenticator.
(U2F and WebAuthn are designed so the authenticator doesn’t have to store any per-site data… and so that, if a site doesn’t ask for extended verification of the device or if you check the “anonymize me anyway” checkbox in Firefox when registering a new site, it can’t become a cross-site identifier.)
ssokolow,
Just to be clear, I’m not against ubiquitous authentication standards that can be implemented by clients to replace passwords. It can be both secure and convenient. However I think it would be a huge mistake if the standards that we adopt allow services to dictate the hardware and software we’re allowed to use. It would be a disaster for alternative platforms that don’t realistically have the weight to convince or coerce services to support their platforms. The byproduct being consumers will no longer have a practical way to choose alternatives.
While I don’t know enough about FIDO to say which way it is, the wording that I’m reading about services having control over authentication methods concerns me greatly.
Perhaps it's stupid but I personally find it scary, like in those movies where the criminal or the protagonist cuts off someone's finger or pulls out his eye to use as a biometric key.
jgfenix
Speaking of body mutilation and movies, Face Off 2 is coming out and apparently they’ll be taking the whole body this time. Biometrics will probably come up.
https://screenrant.com/faceoff-2-sequel-mistake-fix-body-swap-details/
Hollywood can be stupid but I’d also be wary of biometric technology that provides those incentives.
As long as they don’t use this as another excuse to try to boil the frog toward making a phone with a valid, ad-targeting-trackable mobile plan mandatory for every user, I’m fine with this.
Password manager plus hardware U2F/WebAuthn token is good enough for me.
Not sure why passwords are a security issue; however, they definitely are the most basic, widely compatible and interoperable way of identification.
Google, Microsoft, Apple initiative means:
* More concentration: these will be gatekeeper for -so far- independent website or service
* More complexity: my account will be tied to my phone number: more lock-in,
* Anyway there will be a backup… password which I’ll have to input, once every few months (just the time needed to forget it)
* No more shared account (or at least not simple) with shared passwords with friends, family
bipbip,
I think (or at least strongly hope) the implementations of this will be running locally and not dependent on remote services.
A few years ago one of my clients outsourced their security to WatchGuard to log into their network. Unfortunately they won't support anything outside of iOS and Android for authentication (not Linux and not even Windows). My personal phone runs LineageOS, and so they forced me to buy & carry another just to log in to my network account.
I would agree that centralized authentication as a service is a huge problem not only for choice and flexibility but also reliability.
Not necessarily “phone number”, just “phone”. Anyways having experienced it first hand, it was so damn frustrating! And for all that hassle it wasn’t more secure, it was just more complicated. I haven’t studied FIDO enough to know whether it lets the user have a greater say in security or if it gives that control to the services. It would be extremely disappointing if websites start to mandate FIDO authentication and mandating the devices you can use for authentication. I’ll have to research it more.
https://developers.google.com/identity/fido
Alfman,
Thanks for the insight
Still don’t like it though
Here’s hoping. Currently, if a site demands an SMS number for 2FA, I just don’t enable 2FA.
If this effort turns out to mean “push all sites to accept WebAuthn as a sufficient alternative to an SMS number” without also meaning “turn around and shut out Yubikey’s products, despite them being one of the companies that designed WebAuthn”, then it could be an improvement for privacy, since WebAuthn is explicitly designed so that the authenticator doesn’t have to become a cross-site-trackable identifier to do its job.
No mention of Linux plus Firefox.
Or Android with Firefox.
And does it work with other password managers?
And what if I die and my partner needs to login somewhere?
Honestly, the main thrust of the article seems to be “Microsoft, Apple, et al. have committed to supporting cloud sync of FIDO credentials stored in their browsers to reassure websites that they can trust that you won’t lose them”
Linux doesn’t currently offer a “platform authenticator” (i.e. you need an external USB fob to use U2F or WebAuthn) and Android does… but only through Chrome.
See this pair of compatibility matrices.
That said, while it’s not recommended, Firefox has an about:config key which will turn on a software authenticator built into it. (
security.webauth.webauthn_enable_softtoken
)If you want to play around with the process without enabling OSAlert’s support for it, Yubico has a demo site that I’ve tested as working with my hand-me-down mobile Safari test device’s support for bridging WebAuthn to TouchID.
This could actually be really bad and dangerous. Especially if there’s no option of a password fallback, but also just in general.
I can’t speak for folks elsewhere in the world, but here in the US, law enforcement cannot coerce a password from you legally… But they can coerce a biometric login.
Especially in view of the possible Supreme Court decision to overturn Roe v Wade, that’s very bad. Huge numbers of people could be effectively forced to incriminate themselves, just for seeking medical help (or helping someone else do so). Thus leading to further and more effective enforcement of anti-abortion laws, thus leading to more poverty, and more deaths from botched DIY abortions and pregnancy complications. And that’s just one case – there will also be repercussions on climate activism, whistleblowers, people suffering from drug addictions…
This is why we say all technology is political. Tech companies’ products and decisions can have a major (sometimes fatal) impact on people’s lives, they need to actually give a damn.
rainbowsocks,
I agree with you in principle; if the 4th and 5th amendment protections mean anything then not sharing passwords seems to be fundamentally protected. However the courts and law enforcement don't always follow those rights in practice. Some people can and do get into legal trouble for not disclosing their keys. Also, some law enforcement officials consider not providing logins in and of itself grounds to take further action against you with no suspicion or probable cause in so-called "constitution-free zones".
en.wikipedia.org/wiki/Key_disclosure_law#United_States
http://www.uscitizenship.info/blog/social-media-checks-for-us-visa-applicants/
http://www.theatlantic.com/technology/archive/2017/02/give-us-your-passwords/516315/
nakedsecurity.sophos.com/2012/01/09/us-customs-can-and-will-seize-laptops-and-cellphones-demand-passwords/
Oh, thanks for the information, and yes that’s a very good point.
If you replace passwords with a single master key that unlocks everything, isn’t keeping passwords as a fallback defeating the purpose? This isn’t about protecting people, it’s about companies and governments making it easier to abuse you by consolidating access and trusting them with the master key.
Both surveillance capitalism and the surveillance state need users on the internet to be authenticated and their identity known to them. And to lock everybody else out by "privacy sandbox". As if you want such data you need to pay for it. If you are prepared to pay for it then no problem whatsoever in getting it. No surprise such companies will do whatever is in their power to implement such mechanisms. Total lack of any criticism and total rejection of privacy from the general public enables them to do that effortlessly. It's not even worth complaining about it. I just had some spare time and wasted it on it. Main reason being how this news implies this for sure is the best thing since sliced bread. There is, I guess, just no substance anymore in today's people. Perfect drones.
Without these three companies, in the future people won't even be able to sign in on the internet. And the people will applaud them for it. What happened to you people? Where did we go wrong? Why are you so stupid in times when education is as freely available as it ever was? I guess we have reached some sort of paradox.
agree. It narrows choice in a very bad way.
It’s not “people are stupid” IMO, it’s concentration of wealth/power and regulatory capture, plus mass media downplaying issues that actually affect the public (which it is allowed to do because see again concentration of power and regulatory capture). Give us “drones” the information and the tools, and many of us will fight – as you’re seeing with the current nationwide protests.
TBH, “most people (aside from me and my friends) are stupid” is one of the worst fallacies of geek culture, and part of how we got here. If we think most people are stupid, it’s a few short steps to oligarchy, and from there to kleptocracy, and from there to getting violently oppressed by the same people our elitism helped empower.
If you don’t think “people are stupid” is a thing, how do you explain how we got exactly where we’re at right now? Yes, we are a few short steps away from being oppressively governed and yes, it’s the people who have done and are doing it to themselves. Stupidity in the population is so rampant and blatant I don’t see how any sane person could possibly not acknowledge it.
friedchicken,
Some of the people are stupid but others are just playing stupid to advance political & ideological agendas. Consider that they understand that their odds drop in fair and intelligent debates. Making the stage stupid with stupid attacks, stupid logic, and bad faith arguments gives them an edge. It’s with this in mind that we’re seeing the rise of a new breed of stupid trumpian politicians filling the ranks, deliberately trampling on intelligent and educated discourse.
What is eye opening is that voters have been so willing to accept this from their representatives.
I agree, democracy is in grave danger and it’s because people are giving authoritarians power.
I think there are many conservatives (the John McCain types) who detest the growing stupidity in their own party, but they are looking the other way because the allegiance to their party and hatred of the other party is more fundamental.
@Alfman
I feel the self-inflicted damage done to this country in recent times is the type you can’t undo. I believe we’ve entered new territory and I don’t feel particularly optimistic about the foreseeable future for us as a country. I don’t claim to have a crystal ball but radical tribalism never ends well.
@friedchicken …and I’m guessing that opinion is without this:
https://www.economist.com/briefing/2022/05/07/americas-supreme-court-faces-a-crisis-of-legitimacy
@ssokolow
Our Supreme Court has the credibility of a $3 bill at this point. They're grossly out of sync and deeply unpopular with the people. The majority justices seemingly take every chance to contradict themselves and are clearly pursuing a far-right agenda. It's not even surprising since the far-right have openly said what their intentions are: to replace every judge in every court they can from the bottom to the top. They don't have the support of the people so the only way to set the country back 100 years is through the courts and judges.
The majority doesn’t approve of what the Supreme Court is doing. The politicization of SCOTUS has destroyed their credibility and the people’s trust in them. The worst part is it’s near-impossible to remove a SCOTUS justice. Thanks to the leaked Roe v. Wade draft, the call for justice term limits is louder than ever though I wouldn’t hold my breath waiting for it to happen. Additionally, the justices have all been assigned increased security due to threats of violence against them.
You notice how there’s zero republicans cheerleading the fact SCOTUS has granted their wish to ban abortion and instead are acting like the draft leak revealing it, which isn’t a crime, is one of the worst betrayals in American history. I wonder why that is…..
I agree it goes beyond stupid. As there is more to it. As for better qualifier. Perfect slaves.
Let me get this straight.. You want me to replace my ability to segregate access to things and control over the keys to each of those doors, with a single master key that will unlock everything… And I give you the master key, because you know, for my own safety.
Passwords are not terrible security practice by default, but bad habits and weak/outdated methods. Is it convenient to have a single point-of-entry to all aspects of your life? Absolutely. Is it wise to hand that control over to parties proven gazillions times over they have no problem abusing power, and you, to further their own agendas? ……….. No, and laws aren’t going to protect you because it’s only the people who ever seem to be punished for breaking them.
Is wordpress inherently broken or just the comments section here on OSAlert.com?
You cannot reply to the 5th level comments – the reply button is missing, e.g. the comment here from 2022-05-06 12:35 pm
Artem S. Tashkinov,
It’s wordpress. I think it’s fair to say most of us found it worse for commenting than the custom site we had before, but it is the dominant blogging platform and I think that’s the reason they went with it. There’s a lot that could be improved and some of us offered to help do it, but after the old site they had no interest in maintaining custom site code. Just a theme and that’s it.
Passwords are the basic security for any website or app. Although Google offers saved passwords across websites and apps, the concept of passwordless login is good. There are already applications using this technology; most are bank applications. Instead of entering the password, you can log in using your mobile password or a fingerprint.
Can we at least get an edit to remove the spam link from this post?
MFA causes death when a critical action cannot be performed because of failing MFA.
(in response to the ludicrous statement, “Passwords are a terrible security practice”)
Or failing “hello” or biometrics or whatever. My point is that stupidity reigns. Passwords are good things. And passwordless can be “ok” in some cases (but isn’t in the majority, so be warned) and MFA can also be useful in most cases.
I don’t think it’s a good idea.. Idk
Security is a very big issue. Keeping safe browsing in mind, the software companies have come out with this password method so that we are safe on online platforms; this is a very good update.