Tech

goodbye mental strain and hello security promise Apple, Google and Microsoft

For years, the scourge of Internet users was spam, tsunamis of spam that gathered from all sides to pour into our mailboxes. But as it’s on its way to disappearing, another scourge has taken over: that of passwords, the number of which continues to increase with the galloping dematerialization of our societies. These passwords that we are asked at every step on the Internet, whether to connect here to its basic online services (security, banking, insurance, telecom, doctor, transport, travel, etc.), there to its social networks, even to his various email accounts, to his online apps for the office or for leisure…they are plentiful and everyone has to make their own little stopgap (Type A mnemonic system[email protected]! and/or paper or digital list) so as not to forget one that does not end up in the water.

And that’s exactly what Grahame Williams, director of identity and access management at Thales, noted yesterday on World Password Day, when he said that passwords “became more and more dangerous” because they were “easy to hack”:

“Recent research shows that many CEOs still use ‘12356’ as their password. †

Indeed, the other big problem is that of security, the danger of your account being hacked – or even all of your accounts – and no longer being able to access your data or for ransom. If it’s not outright identity theft lurking… In short, a heavy daily mental burden to manage, and a security order beyond human comprehension. Because internet users, literally overwhelmed by their cognitive abilities, then use passwords that are too easy to guess, or even always the same ones to simplify their lives…

According to an old study (2016) by Skyhigh Networks When analyzing 11 million passwords for sale on the Darknet, 10.3% of Internet users use one of the 20 most popular passwords on the Internet. That means in less than 20 attempts, anyone can hack nearly one in ten accounts.

Shock Alliance to Ease and Secure Internet Use

But good news a priori, the internet giants Google, Apple and Microsoft took advantage of World Password Day, Thursday, May 5, to announce that they are joining forces to put an end to this ordeal. The press release published from Mountain View, the stronghold of Google, announces that the three giants will join forces to build a system that enables authentication without having to memorize a series of kabbalistic characters.

The new feature allows websites and apps to provide consumers with consistent, secure and convenient passwordless logins across all devices and platforms.

“With the new feature, consumers can easily authenticate without a password and securely on websites and mobile applications, regardless of device or operating system,” summarized the FIDO Association Alliance (Fast Identity Online Alliance) in a press release.

FIDO is at the heart of this technological revolution, an alliance of manufacturers working to improve, facilitate and secure digital authentication. FIDO was officially launched in February 2013, but was founded a year earlier, in 2012, by the alliance of major players such as PayPal, Validity Sensors (these two are the original core created in 2009 around cryptography issues public key), Lenovo, Nok Nok Labs, Infineon and Agnitio. In 2012, a passwordless authentication protocol was started.

Since then, hundreds of technology companies and service providers around the world have collaborated through the FIDO Alliance and W3C to create the passwordless login standards already supported by billions of devices running on all modern operating systems and web browsers (iOS, macOS, Safari, Chrome, Android, Edge , Windows, etc.), according to the FIDO press release.

Billions of devices… for billions of users: according to the site Live internet statistics, there are now 5.3 billion Internet users in the world. The number of internet users has multiplied by 10 between 1999 and 2013 and is constantly increasing (1 billion internet users in 2005, 2 billion in 2010, 3 billion in 2014).

“Fido IDs” for authentication on all platforms

In yesterday’s press release, Google explains that it aims to allow users to connect to an online service by simply unlocking their smartphone (using their usual method: fingerprint, facial recognition, multi-digit code, etc.).

In concrete terms, a website can ask the internet user if he wants to “authenticate himself with his FIDO identifiers”. This message appears simultaneously on his phone, where the user only has to accept, by unlocking his screen, to connect to the site. Smartphones store this coded identification data, the so-called “passkey”. Once registered with Fido, it is no longer necessary to create or enter a password.

The promise is that Fido authentication will be accessible regardless of operating system or browser and regardless of device, as it will be possible to convert a new device via Bluetooth with a first device that already has the credentials. Also, it will not be necessary to resort to two-factor authentication via SMS, also known as: outdated since… 2016.

A solution by leaps and bounds, within twelve months

The three tech giants have committed to deploying this new system within 12 months on Android and iOS (the Google and Apple mobile operating systems), Chrome, Edge and Safari (the Google, Microsoft and Apple browsers), as well as Windows and macOS. (Microsoft and Apple operating systems for computers).

“Password-only authentication is one of the biggest security vulnerabilities on the web,” Apple notes in its statement, adding:

“The new approach will protect against phishing and logging into a service will be radically more secure than passwords and other technologies such as unique codes sent by SMS. †

For Andrew Shikiar, Executive Director and CMO of the FIDO Alliance, “This new capability should usher in a new wave of FIDO deployments low friction in addition to the continued and growing use of security keys, giving service providers a full range of options to modern, phishing-resistant authentication.”

(with AFP and Reuters)