Everyone has wanted to kill it for years, but no one has managed to. For as long as computers have existed, the password has poisoned our daily lives. You have to make it more complex without forgetting it, manage it in dedicated software, change it periodically, be careful not to pass it on to anyone, and so on.
In 2018, the FIDO Alliance consortium thought it had found the answer by proposing the FIDO2 standard. It relies on a rather clever asymmetric cryptography mechanism to get rid of these cumbersome secret codes. But it never caught on, and the password is still very much alive. The alliance now offers a new standard, “Multi-device FIDO”, which has received the backing of the main technology giants (Google, Apple, Microsoft). Here are five questions to fully understand what it is all about.
Why was FIDO2 a flop?
On paper, FIDO2 is a great password alternative. The user who wants to connect to an online service must first go through a registration that consists of generating, in his “authenticator” (a browser, a smartphone, a connected watch, etc.), a private key and a public key. The public key is transmitted to the service provider and the private key remains stored in the terminal. When the user wants to connect, he sends an authentication message signed with the private key to the service provider, who can verify the signature with the public key. That’s it. The great advantage is that you do not have to type a password, and the risk of phishing is eliminated.
The problem is that very few online services have implemented the FIDO2 standard. And this is logical, because the registration procedure is too tedious. As the generated private key is unique to each authenticator, it has to be registered for each terminal and each service. However, individuals operate many different terminals and replace them frequently. With three terminals and twenty services, that theoretically makes… 60 registration procedures! And for each new terminal purchased, you have to go through twenty new registrations. People quickly preferred a centralized password manager in the cloud: fill it in once and you are done.
What answer does the FIDO Multi-Device provide?
Two improvements should simplify the use of FIDO technologies for the general public. The first is a “roaming” feature, which will allow FIDO authentication to be used on a system that is not enrolled. The authentication request is handed over, via Bluetooth, to a nearby authenticator, usually a smartphone, where the user validates the connection. The advantage is that the individual will no longer need to enroll each terminal. Ultimately, you could even make do with just one, provided of course that the systems are interoperable with each other.
The second novelty is the possibility of saving the private keys centrally with the provider of the authenticator (i.e. of the smartphone). If the smartphone is lost, the user can therefore easily restore his access without going through new registration procedures.
The goal, in the end, is to have a system that is easy to manage. “From a user experience perspective, this will be very similar to how one interacts with a password manager today when it comes to securely registering and logging into websites. However, it will be much more secure, because the server of the service does not receive a password, but a public key,” explains a spokesman for the FIDO Alliance.
How can you be sure that the terminals will be interoperable?
Authentication roaming over Bluetooth will be an integral part of the FIDO standard. All systems implementing “Multi-Device FIDO” will automatically be interoperable. The good news, moreover, is that the three giants Google, Apple, and Microsoft have announced that they will integrate this new authentication technology into their platforms. Therefore, we can expect Android, Windows, iOS, and macOS systems to be interoperable at the roaming level. This would cover almost the entire consumer computing market.
To date, however, no timeline has been given. Nor do we know whether service providers will finally take the plunge and adopt FIDO on their side. This is not a given, because their platforms have to be adapted, and inertia is likely to be strong since it is a significant investment.
Is multi-device FIDO as secure as FIDO2?
No. What we gain in ease of use, we lose somewhat in security, because the two new features also introduce two new risks. From now on, it will be necessary to trust the computer giants to protect the private keys. The fact that they are stored centrally also risks whetting the appetite of hackers… or intelligence agencies. And how will these private keys be stored at Google, Apple, and Microsoft? Will they implement end-to-end encryption, as most cloud password managers do? For now, we don’t know.
The second new risk is the transmission of the authentication procedure via Bluetooth, as it creates a new attack surface. The alliance, however, plays down this risk. On the one hand, the exchange takes place in a context of physical proximity. On the other hand, the underlying FIDO protocol “does not depend on the security properties of Bluetooth for the security of the authentication procedure. Rather, it uses standard cryptographic functions at the application layer to protect data,” explains the consortium.
What happens if I change the ecosystem?
This will probably be the big downside of the whole scheme, because private key backups will a priori not be interoperable from one ecosystem to another. With FIDO Multi-Device, the idea is to use your smartphone as the means of access to all services. The private keys will be stored with Google or Apple. But nothing says there will be a bridge from one ecosystem to the other, and the FIDO Alliance site suggests otherwise. Therefore, the day the user replaces his Android smartphone with an iPhone, he will likely have to redo all the registrations, whereas with a password manager this problem does not exist.