Passkeys - Microsoft, Apple and Google's password killer - are finally here


Big Tech has insisted for years that the death of the password is just around the corner. For years, those assurances were little more than empty promises. Password alternatives such as push notifications, OAuth single sign-on, and trusted platform modules have created as many usability and security problems as they have solved. But now we finally have a password alternative that will actually work.

The new alternative is known as passkeys. The term generally refers to various schemes for storing authentication credentials in hardware, a concept that has been around for more than a decade. What is different now is that Microsoft, Apple, Google and a consortium of other companies have rallied around a single passkey standard issued by the FIDO Alliance. Not only are passkeys easier to use than passwords for most people; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US users will soon be able to log in with FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress among the online services that offer the password alternative. In recent months, Microsoft, Apple, and Google have updated their operating systems and apps to support passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for example, but the reverse is not yet possible. That should be resolved in the coming months, however.

What exactly are passkeys?


Passkeys work almost identically to the FIDO authenticators that already let us use our phones, laptops, desktops, and Yubico or Feitian security keys for multi-factor authentication. Like the FIDO credentials stored on those MFA devices, passkeys are invisible to the user and integrate with Face ID, Windows Hello, or the other biometric readers that device manufacturers offer. There is no way to extract the cryptographic secrets stored in the authenticator short of physically disassembling the device or subjecting it to a jailbreak or root attack.

Even if an adversary managed to obtain the cryptographic secret, they would still have to supply a fingerprint, facial scan, or, absent biometric capabilities, the PIN associated with the token. What's more, when a phone is used to sign in on another device, FIDO's cross-device authentication flow, part of the Client to Authenticator Protocol (CTAP), relies on Bluetooth Low Energy to verify that the authenticating device is in close physical proximity to the device trying to log in.

Until now, FIDO-based security keys have mainly been used to provide multi-factor authentication (MFA), which requires someone to present a separate authentication factor in addition to the correct password. The additional factors FIDO provides usually take the form of something the user has (a smartphone or computer containing a hardware-backed credential) and something the user is (a fingerprint, face scan, or other biometric that never leaves the device).

Successful attacks against FIDO-compliant MFA have so far been lacking. An advanced phishing campaign that recently breached Twilio and other top security companies, for example, failed against Cloudflare for one reason: unlike the other targets, Cloudflare used FIDO-compliant hardware tokens that were immune to the phishing technique the attackers were using. Every victim that was breached relied on weaker forms of MFA.

But while hardware tokens may provide one or more authentication factors in addition to a password, passkeys do not rely on a password at all. Instead, passkeys bundle several authentication factors (typically a phone or laptop and the user's face scan or fingerprint) into a single package. Passkeys are managed by the device's operating system. At the user's option, they can also be synchronized, with end-to-end encryption, to the user's other devices through a cloud service provided by Apple, Microsoft, Google or another provider.

Passkeys are "discoverable", meaning the authenticator stores the credential itself and can look it up from the site's identity alone, so the user does not have to type a username before the browser can offer the matching passkey. A separate cross-device flow lets a phone that holds the passkey complete a sign-in on another device over an encrypted channel. When logging in, the user is authenticated with the same biometric, device password, or PIN they use to unlock their device. This mechanism completely replaces the traditional username and password and provides a much simpler user experience.

“Users no longer need to enroll every device for every service, which has long been the case with FIDO (and any public key cryptography),” said Andrew Shikiar, executive director and chief marketing officer of FIDO. “By enabling the private key for the service to be securely synced within the OS cloud, the user only needs to enroll with the service once, and then they’re essentially pre-registered for the service on all their other devices. This provides better usability for the end user and – very significantly – allows the service provider to start removing passwords as a means of account recovery and re-enrollment.”

Ars reviews editor Ron Amadeo summed things up well last week when he wrote: “Passkeys simply exchange WebAuthn cryptographic keys directly with a website. There’s no need for a person to tell the password manager to generate, store, and retrieve secrets—it’ll all happen automatically, with much better secrets than the old text field supported, and with enforced uniqueness.”
