How Apple, Google and Microsoft will kill passwords and phishing in one fell swoop
For more than a decade we have been promised that a world without passwords is just around the corner, and yet year after year this security nirvana has proved unattainable. Now, for the first time, a workable form of passwordless authentication is about to become available to the masses, in the form of a standard adopted by Apple, Google and Microsoft that allows passkeys to work across platforms and across services.
Password-killing schemes proposed in the past have suffered from a number of problems. The main drawback was the lack of a viable recovery mechanism when someone lost control of a phone number, a physical token, or the account linked to a phone. Another limitation was that most of the schemes ultimately were not truly password-free. Instead, they gave users the option to log in with a face scan or fingerprint, but those systems still fell back to a password, and that meant phishing, password reuse and forgotten passwords, all the reasons we hate passwords, did not go away.
A new approach
What’s different this time is that Apple, Google and Microsoft appear to be backing the exact same solution. Not only that, but the solution is easier than ever for everyday end users, and it is less costly for major services like GitHub and Facebook to deploy. It has also been carefully designed and tested by authentication and security experts.
Modern multifactor authentication (MFA) techniques have made significant strides over the past five years. Google, for example, lets me download an iOS or Android app that I use as a second factor when signing in to my Google account from a new device. Based on CTAP, short for Client to Authenticator Protocol, the system uses Bluetooth to ensure that the phone is physically close to the new device, and that the new device is actually connected to Google and not to a site masquerading as Google. That makes it phishing-resistant. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.
Google also offers its Advanced Protection Program, which requires physical keys, either standalone security keys or the end user’s phone, to authenticate logins from new devices.
The big limitation today is that MFA and passwordless authentication are deployed differently, if at all, by each service provider. Some providers, including most banking and financial services, still send one-time passwords via SMS or email. Recognizing that these channels are not secure means of transmitting secrets, many services have switched to a method known as TOTP, short for Time-based One-Time Password, which lets users add a second factor that effectively supplements the password with the “something I have” factor.
Physical security keys, TOTP and, to a lesser extent, two-factor authentication via SMS and email are important steps forward, but three key limitations remain. First, TOTPs, whether generated by an authenticator app or sent by text or email, are just as phishable as regular passwords: a relay phishing site can simply forward the code the victim types to the real service within the validity window. Second, each service has its own closed MFA platform. That means that even when using phishing-resistant forms of MFA, such as standalone physical keys or phone-based keys, the user needs a separate key registration for Google, Microsoft and every other Internet property. Worse, each OS platform has a different mechanism for implementing MFA.
Those problems give rise to a third: poor usability for most end users, and the non-trivial cost and complexity each service faces when trying to offer MFA.
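The two mechanisms contrasted above, a TOTP code that is phishable and a CTAP/FIDO-style authenticator whose signature is bound to the origin the browser is really talking to, can be shown side by side. The following is an added example, not code from the article or from any of the vendors it names. The TOTP part follows RFC 6238 exactly (HMAC-SHA1, 30-second step, 6 digits) and uses that RFC's published test secret. The authenticator part is a simplified model, not a real CTAP implementation: a keyed HMAC stands in for the asymmetric signature so the script needs only the standard library, and the relying party therefore holds a copy of the key rather than a public key. The rpId "google.com", the look-alike domain "accounts-google.example" and the user name "alice" are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


# ---------- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check; tolerates `skew` steps of clock drift either way."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))


def totp_relay_phish(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """A relay-phishing page forwards whatever the victim types. The code says
    nothing about which site it was typed into, so the real service accepts
    it as long as it is still inside the time window."""
    code_typed_into_fake_site = totp(secret, now)
    return verify_totp(secret, code_typed_into_fake_site, now + relay_delay)


# ---------- Origin-bound authenticator (simplified CTAP/FIDO model) ----------

def signed_data(rp_id: str, challenge: bytes) -> bytes:
    """What gets signed: the hash of the rpId the browser saw plus the server's
    challenge. This binding is what defeats relay phishing."""
    return hashlib.sha256(rp_id.encode()).digest() + challenge


class Authenticator:
    """One non-extractable key per relying-party ID. The browser, not the web
    page, tells the authenticator which rpId it is actually connected to."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        # A real authenticator returns a public key; with the HMAC stand-in
        # (a simplification for this example) the relying party gets a copy.
        return key

    def get_assertion(self, rp_id: str, challenge: bytes) -> Optional[bytes]:
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential for this origin: nothing to sign
        return hmac.new(key, signed_data(rp_id, challenge), hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._user_keys: Dict[str, bytes] = {}

    def register(self, user: str, key: bytes) -> None:
        self._user_keys[user] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, assertion: Optional[bytes]) -> bool:
        if assertion is None:
            return False
        expected = hmac.new(self._user_keys[user],
                            signed_data(self.rp_id, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def fido_scenarios() -> Dict[str, bool]:
    """A legitimate login and two relay-phishing attempts (constructed names)."""
    auth = Authenticator()
    google = RelyingParty("google.com")
    google.register("alice", auth.register("google.com"))

    # 1. Legitimate login: the browser is on google.com and passes that rpId.
    ch = google.new_challenge()
    legit = google.verify("alice", ch, auth.get_assertion("google.com", ch))

    # 2. Relay phishing: a look-alike site fetches a real challenge from
    #    google.com and asks the victim's authenticator to sign it. The browser
    #    reports the origin it is really connected to, which has no credential.
    fake = "accounts-google.example"
    ch = google.new_challenge()
    phished_no_cred = google.verify("alice", ch, auth.get_assertion(fake, ch))

    # 3. Even if the victim had once registered at the look-alike domain, the
    #    assertion uses a different key and covers sha256(fake), not
    #    sha256("google.com"), so google.com rejects it.
    auth.register(fake)
    ch = google.new_challenge()
    phished_with_cred = google.verify("alice", ch, auth.get_assertion(fake, ch))

    return {"legit": legit, "phished_no_cred": phished_no_cred,
            "phished_with_cred": phished_with_cred}


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 test vector secret
    print("TOTP at t=59:", totp(rfc_secret, 59))
    print("relayed TOTP accepted:", totp_relay_phish(rfc_secret, 59))
    print("FIDO-style outcomes:", fido_scenarios())
```

The TOTP relay succeeds because the code is a bearer token with no notion of where it was entered; the authenticator model refuses the phishing origin outright, and even a credential the attacker tricked the user into creating cannot be turned into a valid assertion for the real site, because the rpId is hashed into the signed data by the browser rather than chosen by the page.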