Your Phone May Soon Replace Many of Your Passwords – Krebs on Security

May 7, 2022

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.

Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
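
An added example, not part of the original article and not code from Google, Apple, Microsoft or the FIDO Alliance: a reduced sketch of the public-key sign-in described above, showing what a website checks and why a response produced on a look-alike site is rejected. The field layout follows WebAuthn in simplified form; the origins, function names and the `demo()` scenario are constructed for illustration.

```javascript
// Added illustration (not from the article): simplified WebAuthn-style passkey check.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();
const FLAG_UV = 0x04; // "user verified": the phone was unlocked with PIN or biometric

// Enrollment: the phone keeps the private key; the site stores only the public key.
const createPasskey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + phone: the browser, not the page, fills in the origin it is really on.
function signAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash (32 bytes) | flags (1 byte) | signature counter (4 bytes)
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x01 | FLAG_UV]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign(
    'sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Website: every check must pass before the signature is trusted.
function verifyAssertion(publicKey, expected, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((a.authenticatorData[32] & FLAG_UV) === 0) return 'user-not-verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: one enrolled passkey, four sign-in attempts.
function demo() {
  const site = { origin: 'https://login.example.com', rpId: 'example.com' };
  const phone = createPasskey();
  const otherPhone = createPasskey();
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { ...site, challenge };
  const attempt = (key, chal, origin) =>
    verifyAssertion(phone.publicKey, expected, signAssertion(key, chal, origin, site.rpId));
  return {
    legitimate: attempt(phone.privateKey, challenge, site.origin),
    lookalikeOrigin: attempt(phone.privateKey, challenge, 'https://login.example.com.invalid'),
    staleChallenge: attempt(phone.privateKey, nodeCrypto.randomBytes(32), site.origin),
    unenrolledKey: attempt(otherPhone.privateKey, challenge, site.origin),
  };
}
```

Unlike a password or an SMS code, nothing the user produces here can be reused elsewhere: the signature covers a one-time challenge and the origin recorded by the browser, and the site holds only a public key.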

As ZDNet notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.

Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.

Steve Bellovin, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”

“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.

Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm SpyCloud found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.
