New cross-platform password-less authentication system in the works

Thread starter: jtbell

Discussion Overview

The discussion centers around a new cross-platform password-less authentication system being developed by major tech companies, including Apple, Google, and Microsoft. Participants explore the implications of this system, which utilizes biometric authentication and public-private key pairs, while raising concerns about accessibility, security, and potential drawbacks.

Discussion Character

  • Exploratory
  • Debate/contested
  • Technical explanation

Main Points Raised

  • Some participants describe the FIDO (Fast IDentity Online) system as using biometric data from smartphones to authenticate users on other devices, such as desktops.
  • Others express skepticism about the reliance on smartphones, questioning what happens if a phone is lost or broken, and whether this could lock users out of their accounts.
  • There are concerns that the system may disadvantage users without biometric capabilities on their devices, as well as those who prefer traditional methods.
  • Some participants highlight the use of public-private key pairs for authentication, suggesting that this method enhances security by making intercepted keys useless without the private key.
  • Participants discuss the possibility of using alternative devices for authentication, such as laptops or Yubikeys, and whether the phone is strictly necessary for the process.
  • There are mixed feelings about the simplification of authentication processes potentially compromising security, with some expressing a desire to maintain traditional methods.
  • Several participants note that the system may require an opt-in approach and that the details of implementation could vary by service provider.

Areas of Agreement / Disagreement

Participants do not reach a consensus, as multiple competing views remain regarding the necessity of smartphones in the authentication process, the implications of the new system on security, and the overall effectiveness of the proposed changes.

Contextual Notes

Some participants mention the potential for technical limitations, such as the requirement for biometric features on devices and the implications of losing access to a registered device. There are also concerns about the clarity of the FIDO Alliance's documentation regarding device registration and authentication requirements.

Who May Find This Useful

This discussion may be of interest to individuals involved in cybersecurity, software development, or those who are keen on understanding emerging authentication technologies and their implications for user security and accessibility.

jtbell
How Apple, Google, and Microsoft will kill passwords and phishing in one stroke (Ars Technica)

The key acronym is FIDO (Fast IDentity Online).

As I understand it, basically, you authenticate yourself to a website or service on your phone using a fingerprint or facial recognition as can already be done. To authenticate yourself on e.g. your desktop computer, it communicates with your nearby phone via Bluetooth, and the phone does the fingerprint or facial recognition thing.

Lots of layers and details here. I'm not sure I really understand it yet. There are some helpful "promoted comments" at the end.
 
Doesn't appeal to me. I'm fine with how things run at the moment.
 
I'm not. Passwords are hell.
 
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.

I also hope that Microsoft doesn't require an online connection or a smart phone to unlock your laptop.

Sometimes, technical advances improve things for 95% of the people and make it worse for the tiny minorities.
 
One big change underlying the system is that it uses a public-private key pair for authentication instead of a password. The other party only gets your public key, and it doesn't matter if it's intercepted or stolen by a hacker as it's useless without the private key.

Your phone is the second factor needed for authentication. When you want to log into a website or service from your computer, your phone has to be nearby to unlock the private key. This makes it impossible for a hacker to break into your account from a remote location.

I've heard numerous complaints about how TouchID doesn't work reliably for some people on their iPhones. With my mom, for instance, it's pretty hit and miss whether the phone recognizes her fingerprint. I'm guessing that you should also be able to authenticate using the phone's passcode, just like you can with ApplePay when TouchID fails.

The system is based on the assumption that most people have smartphones these days, but I wonder what happens if your phone is lost, stolen, or broken. Does that mean you'd be locked out of your accounts until you can get it fixed or replaced?
 
anorlunda said:
The devil is in the details. That article makes it sound as if you'll be locked out of your accounts if your phone doesn't have a fingerprint scanner or face recognition.
I'd expect this authentication method would have to be opt-in.

IIRC, Microsoft's announcement explicitly stated you could use your phone's PIN.
 
Whoever invented case-sensitive passwords needs to be kicked in the head.
vela said:
but I wonder what happens if your phone is lost, stolen, or broken.
You can log in with one of your other devices (home pc, watch, car maybe) and then deactivate your phone. The person stealing one of these things will not be able to do anything without your fingerprint or pin. A phone could also detect things like a grab-and-run via its motion sensor, and thus dial up security or take a picture of the person holding the phone and trying to change settings.
 
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
 
vela said:
I wasn't really asking about erasing or deactivating the phone. I'm wondering if a phone will be absolutely necessary for authenticating on another device.
The author of the article said this in response to that question.
Storing the passkey on a phone is an option, not a requirement. You're free to store it elsewhere (e.g. on your laptop, a Yubikey, etc.) if you want.
 
  • #10
From what I understand, the idea is to store the private key in the cloud, encrypted of course, so losing or replacing a device doesn't get you locked out of your accounts.

My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored. The document from the FIDO Alliance seems to suggest this.
 
  • #11
vela said:
My question, though, was if the use of the phone as a second factor is required, regardless of where the key is actually stored.
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO Alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.

For further information see this PDF white paper.
 
  • #12
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
 
  • #13
sandy stone said:
I have a dumb question. It's fairly common for us to stay at a motel, B&B, whatever, where the wifi is so bad that we use a cell phone as a hotspot instead. Can a smartphone authenticate under this system while simultaneously being used as a hotspot?
Yes, in the same way as you can use any other app whilst acting as a hotspot. The only thing you can't normally do while acting as a hotspot (i.e. a WiFi connection provider) is connect to a WiFi connection.
 
  • #14
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
 
  • #15
pbuk said:
Yes, in order to authenticate through FIDO it is necessary to use a device that is registered with FIDO; the idea is that you can have more than one device registered to the same account so you can authenticate (to services that permit multi-device credentials) using the other device: this is the alternative recommended by the FIDO Alliance.

What happens if you do not have access to another device already registered (or for registering a new device to a service that does not permit multi-device credentials) is up to the provider of the service you are trying to log in to.
So you're saying it's recommended but not required? It didn't seem clear to me when I scanned the white paper a few days ago.

Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor. It's biometric and local therefore non-phishable. It seems to address the same issues. (And it's how I can currently log into Apple's websites.) Or say I have a Yubikey to use as a second factor. It seems requiring the use of the phone is unnecessarily restrictive though it'll be the method the majority of people would likely use.
 
  • #16
MikeeMiracle said:
So...just need to compromise 1 device, steal the private key, BANG access to all your other devices and online accounts. The security services will be rubbing their hands at this one, they probably had a hand in designing it.

Simplification usually comes at the expense of security, not seeing how this is any different.

Think I will be giving this a miss :)
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.
 
  • #17
vela said:
Your reaction seems fairly common among curmudgeons who fear any sort of change. You might want to learn the actual details of the method before dismissing it.

From the linked white paper...

"Just like password managers do with passwords, the underlying OS platform will “sync”
the cryptographic keys that belong to a FIDO credential from device to device. This means that the security
and availability of a user’s synced credential depends on the security of the underlying OS platform’s"

And here lies the problem. You're creating a single point of authentication, so any compromise has a much bigger effect as it's used in more places.

Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
 
  • #18
vela said:
So you're saying it's recommended but not required?
Correct. Multi-device is recommended and is what public services will use. For some implementations single device credentials are required (e.g. logging on to a company network with a company-issued smart ID tag).

vela said:
Say I don't have my phone at the moment, but I'm logging into a site from my MacBook Pro, which has TouchID. I'm wondering if TouchID would be usable as the second factor.
Yes, that is the idea (although FIDO authentication is designed to be passwordless).

vela said:
Or say I have a Yubikey to use as a second factor.
Yes, Yubikeys support FIDO2.
 
  • #19
MikeeMiracle said:
Don't get me wrong, it seems like a great solution "for the masses" but for those of us more security focused it's simply not needed.
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

Your objection does remind me about how "experts" warned against using password managers because if a hacker got your database, they would gain access to everything. They're a single point of failure! It turned out to be a fear that in real life was largely unfounded, and the use of password managers greatly increased the security and convenience for the vast majority of users.
 
  • #20
pbuk said:
Yes, that is the idea (although FIDO authentication is designed to be passwordless).
Just wanted to mention TouchID is passwordless. It's just a question of whether I biometrically authenticate on my computer or on, say, my phone. It wasn't clear to me if FIDO required the use of a separate second device in proximity to my computer.
 
  • #21
vela said:
I'll just repeat I think you need to learn more about the method before dismissing it so lightly.

I will do, need more lower level info about how it works :)
 