How Apple, Google and Microsoft Plan to Kill Passwords and Phishing in One Stroke


For more than a decade we have been promised that a password-free world is just around the corner, and yet year after year that ideal has failed to materialize. Now, for the first time, a working form of password-free authentication is being made available to the public in a standard backed by Apple, Google and Microsoft, allowing password-free logins that work across sites and services.

Past plans to kill passwords have run into many problems. A major drawback has been the lack of a viable recovery mechanism when someone loses control of the phone numbers, physical tokens or phones connected to the account. Another limitation is that most solutions ultimately failed to be truly password-free. Instead, they gave users the option of signing in with a face scan or fingerprint, but because a password was still there behind them, they remained exposed to the phishing, password reuse and forgotten passcodes that made us hate passwords in the first place.

A new approach

What is different this time is that Apple, Google and Microsoft have all settled on the same well-defined solution. Not only is that solution easier for users than anything before it, it is also cheaper for large services such as GitHub and Facebook to roll out. It was carefully designed and peer reviewed by experts in authentication and security.

A mock-up of what password-free authentication looks like. (FIDO Alliance)

Current multifactor authentication (MFA) systems have improved significantly over the past five years. For example, Google lets me use an iOS or Android app on my phone as a second factor when logging into my Google account from a new device. Based on CTAP, the Client to Authenticator Protocol, the system uses Bluetooth to confirm that the phone is physically close to the new device and that the new device is actually connecting to Google rather than to a look-alike site impersonating Google. That makes it impossible to phish. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.


Google also offers its Advanced Protection Program, which requires a physical key, in the form of a dedicated dongle or the end user's own phone, to authenticate logins from new devices.

The big limitation now is that MFA and password-free authentication are rolled out differently by each service provider. Some providers, including most banks and financial services, still deliver one-time passcodes by SMS or email. Recognizing that those are not secure channels for carrying secrets, many services have switched to TOTP (time-based one-time passwords), which adds a second, "something I have" factor on top of the password.
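To make the "something I have" factor concrete, here is an added example, not code from the article or from any of the vendors it names, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with only Python's standard library, together with the server-side check a service performs: a small clock-skew window and a replay guard. The secret, timestamps and expected codes are the RFCs' published test vectors. The verification step also makes the article's later point visible: nothing in a TOTP ties it to the site where it was typed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app shows."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, step=30, digits=6, window=1, used=None):
    """Server side: accept the code for the current step or +/- `window` steps
    to allow clock drift, and never accept the same step twice (replay guard).
    Note what is not checked: on which site the code was typed. The code is the
    same digits wherever it is entered, which is why it is phishable."""
    if used is None:
        used = set()
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c in used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            used.add(c)
            return True
    return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII digits)
RFC_SECRET = b"12345678901234567890"
```

The `used` set stands in for whatever per-user store a real service keeps; without it a stolen code stays valid for the whole window, so the guard is part of the check, not an optimization.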

Physical security keys, TOTPs and, to a lesser extent, two-factor authentication over SMS and email are an important step forward, but they have three key limitations. First, TOTPs, whether generated by an authenticator app or sent by text or email, are phishable in the same way regular passwords are. Second, each service has its own closed MFA system. That means that even when using non-phishable forms of MFA, dedicated physical keys or phone-based keys, a user needs a separate key for Google, Microsoft and every other Internet property. To make matters worse, each operating system has its own mechanisms for implementing MFA.
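To show why the CTAP/FIDO approach described earlier is not phishable where a TOTP is, here is an added example that models the three parties in a FIDO login (authenticator, browser and relying party) in Python. It is not code from the article, the FIDO Alliance or any vendor. Assumptions: the authenticator's per-site key and its "signature" are simulated with HMAC-SHA256 (a real authenticator uses a per-site public/private key pair and exports only the public key), the Bluetooth proximity check is left out, and the names (`ToyAuthenticator`, `RelyingParty`, `example.com`, `examp1e.com`) are invented. It demonstrates the two properties that matter: the browser, not the web page, writes the real origin into the signed client data, and the authenticator only holds a credential for the site that registered it.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


class ToyAuthenticator:
    """Stand-in for a FIDO authenticator (phone or hardware key).
    ASSUMPTION: per-site key and signature are HMAC-SHA256, so the key handed
    to the relying party at registration plays the role of the public key a
    real authenticator would export. The master secret never leaves the device."""

    def __init__(self):
        self._master = os.urandom(32)   # never exported
        self._registered = {}           # rp_id -> credential id
        self._counter = 0               # signature counter, detects cloned keys

    def _key(self, rp_id):
        # One key per relying party, derived from master secret and RP ID
        return hmac.new(self._master, b"rp:" + rp_id.encode(), hashlib.sha256).digest()

    def make_credential(self, rp_id):
        cred_id = os.urandom(16)
        self._registered[rp_id] = cred_id
        return cred_id, self._key(rp_id)   # toy "public key" for the RP to store

    def get_assertion(self, rp_id, client_data_hash):
        # No credential for a look-alike RP ID: a real authenticator refuses too
        if rp_id not in self._registered:
            raise LookupError("no credential registered for " + rp_id)
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01"                                   # flags: user present
                     + struct.pack(">I", self._counter))
        sig = hmac.new(self._key(rp_id), auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return self._registered[rp_id], auth_data, sig


def browser_get_assertion(authenticator, origin, challenge):
    """Browser role: it derives the RP ID from the origin it is really on and
    writes that origin into clientData; page script cannot change either."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return cred_id, client_data, auth_data, sig


class RelyingParty:
    """The service being logged into; stores one key per credential."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}        # cred_id -> [key, last signature counter]
        self.pending = None    # outstanding challenge

    def register(self, cred_id, key):
        self.creds[cred_id] = [key, 0]

    def challenge(self):
        self.pending = os.urandom(32)
        return self.pending

    def verify(self, cred_id, client_data, auth_data, sig):
        """Returns "ok" or the name of the first check that failed."""
        cd = json.loads(client_data)
        if (cd.get("type") != "webauthn.get" or self.pending is None
                or cd.get("challenge") != self.pending.hex()):
            return "bad challenge"                 # also blocks replay
        if cd.get("origin") != self.origin:
            return "origin mismatch"               # the anti-phishing check
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        if cred_id not in self.creds:
            return "unknown credential"
        key, last = self.creds[cred_id]
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= last:
            return "counter did not advance"
        self.creds[cred_id][1] = counter
        self.pending = None
        return "ok"


def demo():
    """Legitimate login succeeds; a look-alike origin relaying the real challenge
    cannot even obtain an assertion, because the browser asks for a credential
    under the look-alike's RP ID and the authenticator has none for it."""
    auth = ToyAuthenticator()
    rp = RelyingParty("example.com", "https://example.com")
    cred_id, key = auth.make_credential("example.com")
    rp.register(cred_id, key)
    legit = rp.verify(*browser_get_assertion(auth, "https://example.com", rp.challenge()))
    try:
        browser_get_assertion(auth, "https://examp1e.com", rp.challenge())
        phish = "assertion produced"
    except LookupError as exc:
        phish = "authenticator refused: " + str(exc)
    return legit, phish
```

Compare this with the TOTP check: the relying party here verifies the origin and the RP ID hash before it even looks at the signature, and the signature covers both, so an assertion obtained on one origin cannot be re-labelled for another. That is the property the article calls "impossible to phish".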

These issues lead to a third: a system that is unusable for most end users, plus the non-trivial cost and complexity every service faces when trying to roll out MFA.
