FIDO Alliance and W3C have a plan to kill the password | TechCrunch

https://techcrunch.com/2018/04/10/fido-alliance-and-w3c-have-a-plan-to-kill-the-password/

This looks interesting. By now it’s crystal clear to just about everyone that the password is a weak form of authentication but used a lot. Today, two standards bodies, FIDO and W3C announced a way that looks better, a new password free protocol for the web called WebAuthn. The major browser makers including Google, Mozilla and Microsoft have all agreed to support. The system uses an external authenticator such as a security key or you mobile phone. Unfortunately WebAuthn is not quite ready for final release just yet.

84 Comments

  1. Tomi Engdahl says:

    Yubico Enables Biometric Logins With New YubiKey Bio Series
    https://www.securityweek.com/yubico-enables-biometric-logins-new-yubikey-bio-series

    Yubico this week announced the general availability of YubiKey Bio Series, its first security key to support biometric authentication on desktop computers.

    Featuring support for the FIDO2/WebAuthn and U2F protocols, YubiKey Bio Series leverages fingerprint recognition to enable users to securely log in to their accounts using a second factor or without passwords at all.

    The new security keys support the biometric enrollment and management features that have been implemented in modern platforms and operating systems.

    According to Yubico, the devices have a three chip architecture and they store the biometric fingerprint material in a separate secure element, to ensure increased protection from physical attacks.

    With the new YubiKey Bio, users can log in to desktop applications and services that support FIDO protocols, the company says. Microsoft 365 and Azure Active Directory, Citrix Workspace, GitHub, Duo, IBM Security Verify, as well as Okta and Ping Identity are supported out-of-the-box.

    Reply
  2. Tomi Engdahl says:

    Yubico Launches New Security Key With USB-C and NFC
    https://www.securityweek.com/yubico-launches-new-security-key-usb-c-and-nfc

    Yubico on Tuesday announced the launch of Security Key C NFC, a new hardware security key that includes NFC capabilities in a USB-C form factor.

    Designed with FIDO-only support, the new authenticator can be used with both desktop and mobile applications, services, and user accounts. Courtesy of NFC support, the security key provides tap-and-go authentication.

    The Security Key C NFC is now available for purchase at $29 (€29). For those looking for a USB-A form factor, Yubico has the Security Key NFC available at $25 (€25).

    Reply
  3. Tomi Engdahl says:

    Linux fully supports OpenPGP, OTP-HOTP, OTP-TOTP, Yubico OTP, and FIDO U2F authentication protocols. The YubiKey Manager is available as both GUI and CLI mode. One can use GUI app for finding information about YubiKey & configure FIDO2 PIN, FIDO applications, the OTP application and more using GUI app. Let us see how to install YubiKey Manager on Linux
    https://www.cyberciti.biz/faq/how-to-install-yubikey-manager-gui-on-linux/

    Reply
  4. Tomi Engdahl says:

    A big bet to kill the password for good
    https://arstechnica.com/information-technology/2022/03/a-big-bet-to-kill-the-password-for-good/
    After years of tantalizing hints that a passwordless future is just around the corner, you’re probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle. On Thursday, the organization published a white paper that lays out FIDO’s vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step. See also:
    https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases.pdf

    Reply
  5. Tomi Engdahl says:

    IOCs vs. IOAs How to Effectively Leverage Indicators https://securityintelligence.com/posts/iocs-ioas-how-to-leverage-security-indicators/
    Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security teams and leaders tend to establish a catch-all approach, where quantity outweighs quality to stop the next perceived intrusion attempt. Unfortunately, this strategy rarely provides an operational edge and greatly hinders operational readiness. Obtaining a better understanding of indicators, their intent, and how to better leverage them within your environment is essential to driving good security practices and providing enablement, not hindrance, to your analysts.

    Reply
  6. Tomi Engdahl says:

    Microsoft, Apple, and Google to support FIDO passwordless logins https://www.bleepingcomputer.com/news/security/microsoft-apple-and-google-to-support-fido-passwordless-logins/
    Today, Microsoft, Apple, and Google announced plans to support a common passwordless sign-in standard (known as passkeys) developed by the World Wide Web Consortium (W3C) and the FIDO Alliance. Once implemented, these new Web Authentication (WebAuthn) credentials (aka FIDO credentials) will allow the three tech giants’ users to log in to their accounts without using a password.

    Reply
  7. Tomi Engdahl says:

    Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
    In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

    Reply
  8. Tomi Engdahl says:

    Tech Giants Unite in Effort to Scrap Passwords
    https://www.securityweek.com/tech-giants-unite-effort-scrap-passwords

    Tech Giants Unite in Effort to Scrap Passwords
    https://www.securityweek.com/tech-giants-unite-effort-scrap-passwords

    Apple, Google, and Microsoft announce support for passwordless sign-in via FIDO open authentication standard

    In celebration of 2022 Word Password Day, Apple, Google and Microsoft announced plans to expand support for a sign-in standard from the FIDO alliance and the World Wide Web Consortium (W3C) that aims to eliminate passwords altogether.

    The passwordless sign-in involves the use of a FIDO credential called passkey, which is stored on a phone. When signing into a website, users would need to have their phone nearby, as they will have to unlock it for access.

    “Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off,” Google explains.

    Reply
  9. Tomi Engdahl says:

    One step closer to a passwordless future
    https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/

    Today passwords are essential to online safety, but threats like phishing, scams, and poor password hygiene continue to pose a risk to users. Google has long recognized these issues, which is why we have created defenses like 2-Step Verification and Google Password Manager.

    However, to really address password problems, we need to move beyond passwords altogether, which is why we’ve been setting the stage for a passwordless future for over a decade.

    Today, in honor of World Password Day, we’re announcing a major milestone in this journey: We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms. This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year.

    How will a passwordless future work?

    When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.

    Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.

    To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.

    Reply
  10. Tomi Engdahl says:

    Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins
    https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

    Mountain View, California, MAY 5, 2022 – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

    Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.

    The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.

    Reply
  11. Tomi Engdahl says:

    Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms
    The tech giants want to roll out FIDO passkey technology in the coming year
    https://www.theverge.com/2022/5/5/23057646/apple-google-microsoft-passwordless-sign-in-fido

    Reply
  12. Tomi Engdahl says:

    IPhoneihin ja Maceihin iso muutos ei enää salasanoja https://www.is.fi/digitoday/tietoturva/art-2000008874787.html
    Verkkosivuille ja sovelluksiin kirjautumiselle tarjoutuu turvallisempi vaihtoehto iPhonejen ja Macien uusissa käyttöjärjestelmissä.

    About the security of passkeys
    https://support.apple.com/en-us/HT213305
    Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.
    Passkeys are built on the WebAuthentication (or “WebAuthn”) standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.
    One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.

    Reply
  13. Tomi Engdahl says:

    Build Your Own Two-Factor Authenticator With Good USB
    https://hackaday.com/2022/06/18/build-your-own-two-factor-authenticator-with-good-usb/

    Two-factor authentication is becoming the norm for many applications and services, and security concerns around phone porting hacks are leading to a phaseout of SMS-based systems. Amidst that backdrop, [Josh] developed his own authentication device by the name of Good USB.

    The device can be built using a Arduino Leonardo, SS Micro, or even a BadUSB device. It’s the latter which [Josh] most liked, and since the nefarious device is being repurposed for good, it led to the name Good USB. Basically any Atmega32U4-based device will work, as the key functionality is the ability to emulate a USB keyboard to a host PC.

    Good USB
    A DIY hardware two-factor authenticator.
    http://optimumunknown.com/goodusb.html

    Reply
  14. Tomi Engdahl says:

    GoodUSB aka DIY YubiKey
    http://optimumunknown.com/goodusb.html

    An Arduino based 2-factor-authentication key. This project consists of two parts. The Arduino which types in 2FA codes by emulating a keyboard and a companion computer app for instructing the Arduino on which service’s 2FA code you want to type. The secret codes for generating the 2FA codes only lives inside the Arduino instead of within an authenticator app on your computer like Authy. Using a GoodUSB saves time since it types the 2FA code for you, it is a lot cheaper than a YubiKey, and it could be more secure than using an authenticator app with secrets stored on your computer. This is a proof of concept project. Do not use for protecting any important account.

    Why is it called GoodUSB?

    There are a number of small micro controller for sale labeled as BadUSB. Basically they look like innocent USB sticks, but once plugged in they pretend to be a keyboard and start typing commands to take control of a computer. This project takes the same hardware used for BadUSBs and uses them to increase security. Therefore, by doing something good instead of bad it becomes a GoodUSB.

    http://optimumunknown.com/goodusb.html

    Reply
  15. Tomi Engdahl says:

    The Good USB Turns a Bad USB Into an Arduino-Based Two-Factor Authentication Dongle
    Using the same hardware as a payload-injecting Bad USB, this Good USB serves as a physical dongle for TOTP-based two-factor authentication.
    https://www.hackster.io/news/the-good-usb-turns-a-bad-usb-into-an-arduino-based-two-factor-authentication-dongle-44579ab9ae5c

    Semi-pseudonymous maker Josh, of Optimum Unknown, has put together a homebrew two-factor authentication dongle powered by an Arduino or compatible — and, given its inspiration in the payload-injecting Bad USB project, he’s dubbed the device the Good USB.

    “Using two-factor authentication is a great way to add extra protection to your online accounts,” Josh writes of the problem his project seeks to solve. “Looking up [the] codes on your phone and typing them in every time you access an important online account is a pain. There is always some time pressure to locate the code and type it in before it expires. It is easy to mistype the code. When you mistype you need to start all over.”

    While there are commercial devices to take the pain away, Josh points out that they cost around $50 each — while software-based alternatives capable of automatically filling in the code required to authenticate are vulnerable to attack. The solution: a custom-built two-factor authentication dongle, created using common low-cost hardware and open-source code.

    “You will need an Arduino that can pretend to be a keyboard connected to your computer,” Josh writes. “I have had good luck with the Arduino Leonardo, SS Micro, and BadUSB. I like the BadUSB since it is a nice looking USB stick. These are frequently used for nefarious purposes, but instead, we are using them for good and that is why I call this project Good USB.”

    “The Arduino works with a companion app that runs on your computer. The companion app is what you use to tell the Arduino which of your accounts to type the code for. Optionally, you can add a button to your Arduino that will type the 2FA code when you press the button. Without the button, the Arduino will type the code 2 seconds after you select the account in the companion app.”

    The companion software is built in JavaScript and Electron, communicating with an Arduino firmware running on the physical device itself. The random-number seed is stored on the Arduino, as a hard-coded value in the sketch, rather than on the host computer

    http://optimumunknown.com/goodusb.html

    Reply
  16. Tomi Engdahl says:

    What is Apple Passkey, and how will it help you go passwordless? | TechCrunch
    https://techcrunch.com/2022/09/12/apple-passkey/
    As Apple is rolling out its iOS 16 update today, one of the key security-facing features that will be available to users is Passkey. This feature will allow users to use their Apple devices to log in to websites and services without any passwords.
    What is Passkey?
    Passkey is the company’s implementation of an industry standard designed to remove passwords for online authentication. Earlier this year, Apple, Google and Microsoft joined hands with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms.
    Apple announced its own version of this standard called Passkey at its Worldwide Developer Conference (WWDC) in June. Apple said Passkeys will be supported on macOS Ventura, iOS 16 and iPadOS 16.
    Passkey is based on WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or use a PIN to validate a login attempt. At a higher level, instead of relying on the username-password combination, passkeys use your device to prove that you are the legitimate owner of the account.

    Reply
  17. Tomi Engdahl says:

    https://hackaday.com/2022/10/07/this-week-in-security-php-attack-defused-scoreboard-manipulation-and-tillitis/

    Want a hardware security token, but really want it to be fully open? Tillitis might be for you. It’s a USB platform for experimenting with new security key ideas, and is fully open-source, including the hardware. There isn’t a place to go and order one yet, but you could have your favorite PCB manufacturer build one for you. The first revision also lacks some hardware hardening that really needs to be present for high-value use cases, but this project is one to watch.

    https://www.tillitis.se/

    Reply
  18. Tomi Engdahl says:

    Jared Newman / Fast Company:
    1Password unveils “passkey” support for secure user logins to apps, and says it will work across platforms, including iOS and Android, coming in early 2023
    1Password wants to ditch passwords without locking you in to one platform
    Here’s a passwordless system that won’t lock you into one company’s computing platform forever.
    https://www.fastcompany.com/90812818/1password-wants-to-ditch-passwords-without-locking-you-in-to-one-platform
    When Apple and Google announced their passwordless login systems earlier this year, they glossed over one major problem: By relying on either company to eliminate passwords, you’re effectively locking yourself into their respective platforms.
    Now 1Password is coming out with a different approach that lets you ditch passwords without pledging allegiance to any particular tech giant. The company’s passwordless system, which replaces traditional passwords with simpler and more secure “passkeys,” is launching early next year, and it’ll work across iOS, Android, Windows, Mac, Chrome OS, and Linux. 1Password users can check out a live demo.
    1Password is also announcing that its chief experience officer, Matt Davey, has joined the board of the FIDO (Fast Identity Online) Alliance, the industry standards group that’s pushing passwordless logins in tandem with the tech giants. With a seat at the table, 1Password wants to make sure that security doesn’t just become another form of lock-in.

    Reply
  19. Tomi Engdahl says:

    Passkeys are the new standard to authenticate on the web https://www.passkeys.com/ Passkeys are a new way to sign in without passwords. With Touch ID and Face ID, passkeys are more secure and easier to use than passwords and any current two-factor authentication methods. Passkeys provide users a passwordless sign-in experience that is both more convenient and more secure. In a sense, Passkeys are similar to MFA, it’s a combination of something you have and something you are (your Face ID or Fingerprint). Different from passwords, Passkeys are resistant to phishing, are always strong, and they are not shared or stored on different databases. When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key. Each time a passkey is being authenticated, a unique signature is generated, which expires within minutes

    Passkeys Support Added to Google Accounts for Passwordless Sign-Ins
    https://www.securityweek.com/passkeys-support-added-to-google-accounts-for-passwordless-sign-ins/

    Google has added passkeys support to Google accounts on all major platforms as part of the company’s passwordless sign-in efforts.
    Google announced on Wednesday that users can now sign into their Google account using passkeys. The move is part of the company’s efforts towards passwordless authentication.
    Unlike passwords, which can be compromised in phishing attacks, passkeys cannot be written down or stolen by threat actors. Passkeys are also more convenient because they make the login process easier, including by skipping the two-factor authentication (2FA) step.
    Passkeys are stored on the user’s device and presented to Google to verify the user’s identity when they log in. Instead of entering a password, users are required to simply unlock their phone or computer using an authentication method such as a local PIN, fingerprint, or face recognition.
    A passkey is a cryptographic private key whose corresponding public key is in Google’s possession. The passkey is unlocked locally and biometric data is not shared with Google or anyone else.

    Google provides a simple explanation for how passkeys work:
    https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html

    “When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.
    Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.
    This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site. The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”

    Reply
  20. Tomi Engdahl says:

    So long passwords, thanks for all the phish https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html
    Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in. Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN. Using passwords puts a lot of responsibility on users.
    Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesnt fully protect against phishing attacks and targeted attacks like “SIM swaps” for SMS verification. Passkeys help address all these issues

    Reply
  21. Tomi Engdahl says:

    Jess Weatherbed / The Verge:
    Google enables passkeys, FIDO Alliance-developed cryptographic keys that require a preauthenticated device, on all accounts, to eventually replace passwords — Google’s next step into a passwordless future is here with the announcement that passkeys — a new cryptographic keys solution …
    You no longer need a password to sign in to your Google account
    https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing
    Your Google account now supports passkeys to replace your password and 2FA.

    Reply
  22. Tomi Engdahl says:

    Bitwarden Moves into Passwordless Security https://thenewstack.io/bitwarden-moves-into-passwordless-security/
    Bitwarden, the curator of the prominent open source password management program of the. same name, has officially launched Bitwarden Passwordless.dev. This is a comprehensive. developer toolkit for integrating FIDO2 WebAuthn-based passkeys into consumer websites.
    and enterprise applications

    Reply
  23. Tomi Engdahl says:

    Google Introduces First Quantum Resilient FIDO2 Security Key Implementation

    https://thehackernews.com/2023/08/google-introduces-first-quantum.html

    Reply
  24. Tomi Engdahl says:

    Google announces new algorithm that makes FIDO encryption safe from quantum computers https://arstechnica.com/security/2023/08/passkeys-are-great-but-not-safe-from-quantum-computers-dilithium-could-change-that/

    New approach combines ECDSA with post-quantum algorithm called Dilithium.

    Bleeping Computer:
    https://www.bleepingcomputer.com/news/security/google-released-first-quantum-resilient-fido2-key-implementation/

    Reply
  25. Tomi Engdahl says:

    How Google Authenticator made one company’s network breach much, much worse https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/

    A security company is calling out a feature in Google’s authenticator app that it says made a recent internal network breach much worse.

    Retool, which helps customers secure their software development platforms, made the criticism on Wednesday in a post disclosing a compromise of its customer support system. The breach gave the attackers responsible access to the accounts of 27 customers, all in the cryptocurrency industry.
    [...]
    The most important moral of this story is that FIDO2-compliant forms of MFA are the gold standard for account security. For those sticking with TOTPs, Google Authenticator is intended to provide a happy medium between usability and security. This balance may make the app useful for individuals who want some form of MFA but also don’t want to run the risk of being locked out of accounts in the event they lose a device. For enterprises like Retool, where security is paramount and admins can manage accounts, it’s woefully inadequate.

    Reply
  26. Tomi Engdahl says:

    Google’s new Titan security keys are ready for a world without passwords / Hardware like Google’s Titan keys can provide more security with zero passwords for attackers to steal or guess.
    https://www.theverge.com/2023/11/15/23962443/google-titan-security-key-passwordless-login

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*