For years, Big Tech has insisted that the death of the password is imminent. For years, these assurances were empty promises. Password alternatives such as push notifications, OAuth single sign-on, and trusted platform modules have introduced as many usability and security issues as they have solved. But now we are finally on the verge of a password alternative that will actually work.
The new alternative is known as passkeys. Generically, passkeys refer to various schemes for storing authentication information in hardware, a concept that has been around for over a decade. What’s different now is that Microsoft, Apple, Google and a consortium of other companies have unified around a single passkey standard led by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.
On Monday, PayPal said US-based users will soon be able to log in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress.com as online services that offer the alternative to the password. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Support for passkeys is still patchy. Passkeys stored on iOS or macOS will work on Windows, for example, but the reverse is not yet available. In the coming months, however, all this should be ironed out.
What exactly are passkeys?
Passkeys work almost the same way as the FIDO authenticators that let us use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Much like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device manufacturers. There is no way to recover the cryptographic secrets stored in authenticators unless you physically disassemble the device or subject it to a jailbreak or rooting attack.
Even if an adversary were able to extract the cryptographic secret, they would still have to provide the fingerprint, face scan, or, in the absence of biometric capabilities, the PIN associated with the token. Additionally, hardware tokens use FIDO’s Cross-Device Authentication Flow, or CTAP, which relies on Bluetooth Low Energy to verify that the authenticating device is in physical proximity to the device attempting to log in.
Until now, FIDO-based security keys have primarily been used to provide MFA, short for multi-factor authentication, which requires someone to present a separate authentication factor in addition to the correct password. The additional factors offered by FIDO usually come in the form of something the user has – a smartphone or computer containing the hardware token – and something the user is – a fingerprint, facial scan or other biometric that never leaves the device.
So far, attacks against FIDO-compliant MFA have been rare. An advanced credential phishing campaign that recently broke through Twilio and other leading security companies, for example, failed against Cloudflare for one reason: unlike the other targets, Cloudflare used FIDO-compliant hardware tokens that were immune to the phishing technique the attackers used. The victims that were breached all relied on weaker forms of MFA.
But whereas hardware tokens can provide one or more authentication factors in addition to a password, passkeys don’t rely on any password. Instead, passkeys combine multiple authentication factors, typically the phone or laptop and the user’s face scan or fingerprint, into a single package. Passkeys are managed by the device operating system. At the user’s option, they may also be synchronized via end-to-end encryption with the user’s other devices using a cloud service provided by Apple, Microsoft, Google or another provider.
Passkeys are “discoverable”, which means that an enrolled device can automatically send one through an encrypted tunnel to another enrolled device that is attempting to log into one of the user’s accounts on a site or app. When logging in, the user authenticates using the same biometric or on-device password or PIN that unlocks their device. This mechanism completely replaces the traditional username and password and provides a much simpler user experience.
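To make the phishing resistance described above concrete, here is an added example (not code from the article, FIDO or any passkey vendor) of the checks a relying party performs on a WebAuthn login assertion: the origin and the relying-party ID hash are supplied by the browser and the authenticator rather than by the web page, so an assertion produced while the user is on a lookalike domain fails verification. The example.com relying party, the challenge value and all function names are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// clientData mirrors WebAuthn's collected client data; the browser, not the web page, sets
// origin, and encoding/json matches the real lowercase keys case-insensitively.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage is what a passkey signs: authenticatorData || sha256(clientDataJSON).
func signedMessage(ad, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	h := sha256.New()
	h.Write(ad); h.Write(cdh[:])
	return h.Sum(nil)
}
// verify is the relying-party side; each check ties the assertion to this site, this login and this key.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, ad, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data or not an authentication assertion")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin { // a lookalike site cannot claim our origin here
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if rp := sha256.Sum256([]byte(rpID)); len(ad) < 37 || string(ad[:32]) != string(rp[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to another site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(ad, cdj), sig) {
		return errors.New("bad signature")
	}
	return nil
}
// Login plays both sides with constructed values: a passkey scoped to example.com signs an
// assertion whose client data records pageOrigin, and the relying party checks it.
func Login(pageOrigin string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := sha256.Sum256([]byte("example.com"))
	ad := append(rp[:], 0x05, 0, 0, 0, 1) // rpIdHash || flags (UP|UV) || signCount
	cdj, _ := json.Marshal(clientData{"webauthn.get", "constructed-nonce-123", pageOrigin})
	sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(ad, cdj))
	return verify(&key.PublicKey, "example.com", "https://example.com", "constructed-nonce-123", ad, cdj, sig)
}
```

Login("https://example.com") returns nil, while Login("https://example-login.com") is rejected at the origin check even though the signature itself is valid.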
“Users no longer need to register every device for every service, which has long been the case for FIDO (and all public-key cryptography),” said Andrew Shikiar, FIDO’s Executive Director and Chief Marketing Officer. “By allowing the private key to be securely synced across an operating system cloud, the user only needs to register once for a service and then is essentially pre-registered for that service on all of its other devices. This improves usability for the end user and, very significantly, allows the service provider to begin removing passwords as a means of account recovery and re-enrollment.”
Ars Reviews Editor Ron Amadeo summed it up nicely last week when he wrote, “Passkeys exchange WebAuthn cryptographic keys directly with the website. A human tells a password manager to generate, store, and recall a secret. It all happens automatically, with far better secrets than the old textbox supported, and with enhanced uniqueness.”