FIDO Alliance and W3C have a plan to kill the password | TechCrunch

https://techcrunch.com/2018/04/10/fido-alliance-and-w3c-have-a-plan-to-kill-the-password/

This looks interesting. By now it's crystal clear to just about everyone that the password is a weak form of authentication, yet it is still used everywhere. Today, two standards bodies, FIDO and W3C, announced something that looks better: a new password-free protocol for the web called WebAuthn. The major browser makers, including Google, Mozilla and Microsoft, have all agreed to support it. The system uses an external authenticator such as a security key or your mobile phone. Unfortunately, WebAuthn is not quite ready for final release just yet.

17 Comments

  1. Tomi Engdahl says:

    Russell Brandom / The Verge:
    FIDO Alliance and W3C announce WebAuthn, a new open standard for password-free logins, currently supported in Firefox, and to be supported in Chrome and Edge

    Chrome and Firefox will support a new standard for password-free logins
    One small step towards a world without phishing
    https://www.theverge.com/2018/4/10/17215406/webauthn-support-chrome-firefox-edge-fido-password-free

    Web browsers are building a new way for you to log in, announced today by the W3C and FIDO Alliance standards bodies. Called WebAuthn, the new open standard is currently supported in the latest version of Firefox, and will be supported in upcoming versions of Chrome and Edge slated for release in the next few months.

    Today’s announcement is the latest step in a years-long effort to move users away from passwords and toward more secure login methods like biometrics and USB tokens. The system is already in place on major services like Google and Facebook, where you can log in using a Yubikey token built to the FIDO standard.

    https://www.yubico.com/

    Reply
  2. Tomi Engdahl says:

    Support for FIDO2 Passwordless Authentication Added to Android
    https://www.securityweek.com/support-fido2-passwordless-authentication-added-android

    Google and FIDO Alliance on Monday announced that it is now easier for developers to provide passwordless authentication features for their Android websites and apps as a result of Android becoming FIDO2 Certified.

    The FIDO2 Project comprises the W3C’s Web Authentication (WebAuthn) specification, which provides a standard web API that enables online services to use FIDO authentication, and the Client-to-Authenticator Protocol (CTAP), which enables devices such as FIDO security keys and smartphones to serve as authenticators via WebAuthn.

    Now that Android has become FIDO2 Certified, it will be easier for developers to enable users to log into apps and websites using their Android device’s built-in fingerprint sensor and/or FIDO security keys.

    The FIDO2 certification has been granted to devices running Android 7 and later. New devices will be certified out of the box, while existing devices will include FIDO2 support after an automated Google Play Services update. Since a Google Play Services update is used to roll out FIDO2 support, users will not have to wait on their device’s manufacturer to benefit from passwordless authentication capabilities.

    The use of FIDO authentication, which can be implemented by developers via a simple API call, increases protection against phishing, man-in-the-middle (MitM) and other types of attacks.

    Reply
  3. Tomi Engdahl says:

    MWC 2019: Your future Android phone, apps will need no password
    https://www.zdnet.com/article/your-future-android-phone-apps-will-need-no-password/

    FIDO2 certification is paving the way for passwordless mobile security.

    Reply
  4. Tomi Engdahl says:

    W3C finalizes Web Authentication (WebAuthn) standard
    https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/

    WebAuthn is already supported on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.

    Today, the World Wide Web Consortium (W3C), the organization behind all web standards, has formally promoted the Web Authentication API to the title of official web standard.

    WebAuthn is what security experts are calling a passwordless authentication system and what they see as the future of user account security.

    WebAuthn allows users to register and authenticate on websites or mobile apps using an “authenticator” instead of a password.

    Development on the WebAuthn standard started back in November 2015, after the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 Web API to the W3C.

    The original FIDO 2.0 Web API is already supported by browsers and online services. It’s what currently allows users to use secret tokens stored on YubiKey USB thumb drives (aka hardware security keys) to log into websites such as Google, Facebook, Dropbox, AWS, GitHub, YouTube, and others.

    The WebAuthn API is an upgrade of the old FIDO 2.0 Web API and will support a multitude of other authentication systems besides USB-stored security keys, including biometrics.

    Reply
  5. Tomi Engdahl says:

    W3C finalizes Web Authentication (WebAuthn) standard
    https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/

    WebAuthn is already supported on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.

    Reply
  6. Tomi Engdahl says:

    You. Shall. Not. Pass… word: Soon, you may be logging into websites using just your phone, face, fingerprint or token
    Just don’t lose your hardware keys
    https://www.theregister.co.uk/2019/03/05/web_authentication/

    At 2004’s RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.

    But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.

    Reply
  7. Tomi Engdahl says:

    Windows Hello Support Added to Firefox 66
    https://www.securityweek.com/windows-hello-support-added-firefox-66

    Mozilla this week released Firefox 66 with support for Windows Hello for Web Authentication on Windows 10, as well as with patches for 21 vulnerabilities.

    The newly added support for Windows Hello should provide users with a passwordless experience on the web, but also with increased security, Mozilla says.

    “Firefox users on the Windows Insider Program’s fast ring can use any authentication mechanism supported by Windows for websites via Firefox. That includes face or fingerprint biometrics, and a wide range of external security keys via the CTAP2 protocol from FIDO2, as well as existing deployed CTAP1 FIDO U2F-style security keys,” Mozilla says.

    Passwordless Web Authentication Support via Windows Hello
    https://blog.mozilla.org/security/2019/03/19/passwordless-web-authentication-support-via-windows-hello/

    Reply
  8. Tomi Engdahl says:

    Stephen Shankland / CNET:
    Google updates its login system with support for FIDO2, allowing users to log into its services with hardware security keys on Firefox and Edge

    Google’s most secure login system now works on Firefox and Edge, too
    https://www.cnet.com/news/google-login-hardware-security-keys-now-work-on-firefox-and-edge-too/

    Better hardware security key support means our post-password future is one step closer to reality.

    Yubico’s hardware security keys let you log on without a password on sites, apps and devices that support the FIDO2 authentication technology.

    But now Google updated its login with the newer, broader standard of FIDO2 and its incarnation for websites, WebAuthn.

    Reply
  9. Tomi Engdahl says:

    Your Android phone can now double as a security key
    An extra layer of security never hurt anybody, and now you can turn your phone into a physical security key
    https://www.welivesecurity.com/2019/04/16/android-phone-security-key/

    Google has announced that any smartphone running Android 7.0 (Nougat) or later can now be used as a hardware security key for two-factor authentication (2FA).

    Available in beta at the moment, the new feature is intended to provide an additional authentication factor and keep Google account users safe from phishing scams and other attacks that attempt to steal people’s login credentials. It can be used to protect your personal Google accounts, as well as Google Cloud Accounts at work.

    The ultimate account security is now in your pocket
    https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/

    Reply
  10. Tomi Engdahl says:

    Google Cloud Blog:
    Android’s “security key” feature, allowing Android 7.0+ devices to be used for 2FA to login to Google accounts, is now generally available

    Now generally available: Android phone’s built-in security key
    https://cloud.google.com/blog/products/identity-security/now-generally-available-android-phones-built-in-security-key

    Phishing—when an attacker tries to trick you into turning over your online credentials—is one of the most common causes of security breaches. At Google Cloud Next ‘19, we enabled you to help your users defend against phishing with a security key built into their Android phone, bringing the benefits of a phishing-resistant two-factor authentication (2FA) to more than a billion users worldwide. This capability is now generally available.

    While Google automatically blocks the overwhelming majority of malicious sign-in attempts (even if an attacker has a username or password), 2FA, also known as 2-Step Verification (2SV), considerably improves user security. At the same time, sophisticated attacks can skirt around some 2FA methods to compromise user accounts. We consider security keys based on FIDO standards, including Titan Security Key and Android phone’s built-in security key, to be the strongest, most phishing-resistant methods of 2FA. FIDO leverages public key cryptography to verify a user’s identity and URL of the login page, so that an attacker can’t access users’ accounts even if users are tricked into providing their username and password.

    Reply
  11. Tomi Engdahl says:

    Liam Tung / ZDNet:
    Microsoft says it has gained FIDO2 certification for Windows Hello, Windows 10’s biometric authentication system, for the Windows 10 May 2019 update — Microsoft moves 800 million people closer to a no-password world. — Microsoft has passed another milestone on its quest to kill off passwords.

    Windows 10 says Hello to no passwords with FIDO2 certification
    https://www.zdnet.com/article/windows-10-says-hello-to-no-passwords-with-fido2-certification/

    Microsoft moves 800 million people closer to a no-password world.

    Microsoft has passed another milestone on its quest to kill off passwords. The company has now gained official FIDO2 certification for Windows Hello, the Windows 10 biometric authentication system.

    The certification applies to Windows 10 version 1903, aka the May 2019 Update, which is scheduled to be released to the public in late May and means Windows Hello has been approved as a FIDO2 ‘authenticator’.

    Windows Hello offers Windows 10 users access to their devices by using a fingerprint or facial-recognition sensors on the PC as well as PINs.

    “No one likes passwords (except hackers),” says Yogesh Mehta, group manager for Microsoft’s crypto, identity and authentication team in Azure Core OS.

    Reply
  12. Tomi Engdahl says:

    Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
    https://security.googleblog.com/2019/05/titan-keys-update.html

    We’ve become aware of an issue that affects the Bluetooth Low Energy (BLE) version of the Titan Security Key available in the U.S. and are providing users with the immediate steps they need to take to protect themselves and to receive a free replacement key. This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.

    Reply
  13. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Yubico says it will replace some security keys used by US government and others due to a bug that reduces the randomness of cryptographic keys generated

    Yubico to replace vulnerable YubiKey FIPS security keys
    https://www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/

    Yubico staff discovers bug in YubiKey FIPS Series keys; offers replacements for affected customers.

    Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government’s Federal Information Processing Standards (FIPS).

    Boot-up bug temporarily reduces crypto key randomness

    Not a big deal, but not something to ignore either

    For example:

    - an RSA key may be impacted by up to 80 predictable bits out of a minimum of 2048 bits
    - for ECDSA signatures, the nonce K becomes significantly biased with up to 80 of the 256 bits being static, resulting in weakened signatures
    - for ECC key generation, the key may be impacted by up to 80 predictable bits out of the minimum 256-bit key length
    - for ECC encryption, 16 bits of the private key become known

    All in all, the danger of an attacker exploiting this vulnerability is low, because of the complex requirements for intercepting the authentication operations and then breaking the rest of the cryptographic key.

    Reply
  14. Tomi Engdahl says:

    Somu is a tiny FIDO2 security key for two-factor authentication.

    Finally, an Open Source Nano Security Key
    https://blog.hackster.io/finally-an-open-source-nano-security-key-a8acb44ceca0

    Hardware security keys have been around for a while now. These devices work in conjunction with a password to enable two-factor authentication on websites like Google, Twitter, and GitHub — allowing for a more secure login process. But most popular security keys, like the Yubikey, are closed source.

    Now, with the introduction of Somu, an open source alternative, tinkerers are free to run wild.

    The secret behind the Somu security key is — there are no secrets. SoloKeys, the company behind Somu, has released all of their software and hardware files for their devices to the open source community on GitHub.

    The Somu has a completely reprogrammable STM32L4 on it, as well as an RGB LED and two buttons.

    https://github.com/solokeys/solo

    Reply
  15. Tomi Engdahl says:

    Does anyone trust Google on the security of this completely sealed USB-C security device? It seems to me that this would be a great way to pass a backdoor to… parties… that would like backdoor access to your security. Thoughts?

    Google launches USB-C Titan security key
    https://www.techradar.com/uk/news/google-launches-usb-c-titan-security-key

    New USB-C security key will be available on Google’s store for $40

    Reply
