For more than a decade we’ve been promised that a world without passwords is upon us, yet year after year that security nirvana proves unattainable. Now, for the first time, a viable form of passwordless authentication is available to the masses in a standard adopted by Apple, Google, and Microsoft that enables cross-platform, cross-service passkeys.
Password-killing schemes promoted in the past suffered from a variety of problems. A major shortcoming was the lack of a viable recovery mechanism if someone lost control of the phone numbers, physical tokens, or phones associated with an account. Another caveat was that most of the solutions ended up not being truly passwordless. Instead, they gave users the option to log in with a face scan or fingerprint, but these systems ultimately fell back on a password. That meant phishing, password reuse, and forgotten passwords (all the reasons we hated passwords in the first place) didn’t go away.
A new approach
What’s different this time around is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. In addition, the solution is easier than ever for users, and it is more cost-effective for large services like GitHub and Facebook to adopt. It’s also carefully developed and peer-reviewed by authentication and security experts.
Current multi-factor authentication (MFA) methods have made important advances over the past five years. For example, Google allows me to download an iOS or Android app that I use as a second factor when logging into my Google account from a new device. Based on CTAP, short for Client to Authenticator Protocol, this system uses Bluetooth to ensure that the phone is close to the new device and that the new device is actually connected to Google and not to a website impersonating Google. That means it’s unphishable. The standard ensures that the cryptographic secret stored on the phone cannot be extracted.
Google also offers an advanced protection program that requires physical keys in the form of standalone dongles or end-user phones to authenticate logins from new devices.
The big limitation right now is that MFA and passwordless authentication will be implemented differently by each service provider, if at all. Some providers, like most banks and financial services providers, still send one-time passwords via SMS or email. Recognizing that these are not secure means of transporting security-related secrets, many services have moved to a method known as TOTP, short for time-based one-time password, to allow the addition of a second factor, effectively adding the “something I have” factor to the password.
Physical security keys, TOTPs and, to a lesser extent, two-factor authentication via SMS and email represent an important step forward, but three key limitations remain. First, TOTPs generated by authenticator apps and sent via SMS or email are just as phishable as regular passwords. Second, each service has its own closed MFA platform. This means that even when using non-phishable forms of MFA – like standalone physical keys or phone-based keys – a user still needs a separate key for Google, Microsoft, or any other internet property. To make matters worse, each operating system platform has different mechanisms for implementing MFA.
These problems give rise to a third: sheer unusability for most end users, as well as the not inconsiderable cost and complexity each service faces when attempting to offer MFA.
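To make the phishability gap concrete, here is an added example (not from the original article) that implements RFC 6238 TOTP with the standard library and contrasts it with a simplified origin-bound challenge-response in the spirit of a passkey assertion. The relying-party IDs, keys, and challenge are constructed values; the HMAC stands in for the asymmetric signature a real authenticator would produce.

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238, HMAC-SHA1, 30-second step) -----------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time counter floor(t / step), truncated per RFC 4226."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_verify(secret: bytes, code: str, t: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps."""
    return any(hmac.compare_digest(totp(secret, t + k * 30), code)
               for k in range(-window, window + 1))

# --- Origin-bound assertion (simplified stand-in for a passkey signature) ---
# The signed message includes a hash of the relying-party ID the client
# actually talked to, which is what makes a relayed assertion fail.
def sign_assertion(key: bytes, rp_id: str, challenge: bytes) -> bytes:
    msg = hashlib.sha256(rp_id.encode()).digest() + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_assertion(key: bytes, rp_id: str, challenge: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_assertion(key, rp_id, challenge), sig)

def phishing_relay_demo(now: int) -> tuple:
    """Returns (totp_relay_succeeds, passkey_relay_succeeds) for a relay attack."""
    shared_secret = b"12345678901234567890"  # constructed (RFC 6238 test secret)
    # Victim types a valid TOTP into a look-alike site; the attacker forwards it
    # to the real site inside the validity window. Nothing ties it to an origin.
    relayed_code = totp(shared_secret, now)
    totp_relay_succeeds = totp_verify(shared_secret, relayed_code, now)

    # With a passkey, the look-alike site forwards the real site's challenge,
    # but the authenticator binds its response to the origin the user visited.
    cred_key = b"constructed-credential-key"
    challenge = b"\x01" * 32  # constructed server challenge
    sig = sign_assertion(cred_key, "lookalike.test", challenge)
    passkey_relay_succeeds = verify_assertion(cred_key, "example.com", challenge, sig)
    return totp_relay_succeeds, passkey_relay_succeeds
```

Run `phishing_relay_demo(59)` to see the TOTP relay accepted and the origin-bound assertion rejected.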