Goodbye mental strain and hello security, promise Apple, Google and Microsoft

For years, the scourge of Internet users was spam, tsunamis of it converging from all sides to flood our mailboxes. But while spam is on the verge of disappearing, another plague has taken over: passwords, whose number keeps rising with the galloping dematerialization of our society. We are asked for these passwords at every step on the Internet, whether to connect to basic online services (security, banking, insurance, telecommunications, doctor, transportation, travel, etc.), to a social network, to various e-mail accounts, or to online apps for the office as well as for leisure. They abound, and everyone has to devise their own little makeshift solution (a mnemonic system of the type AujourdhuiA-N@ntes-ilfaitB3au! and/or a paper or digital list) so that not a single one gets lost.

And that is exactly what Grahame Williams, director of Identity and Access Management at Thales, pointed out yesterday, on World Password Day, when he said that passwords “became more and more dangerous” because they were “easily hacked”:

“Recent research shows that many CEOs still use ‘12356’ as their password.”

In fact, the second major problem is security: the danger of having your account hacked, or even all of your accounts, and of no longer being able to access your data, or only in exchange for a ransom. When it is not outright identity theft that lies in wait … In short, a heavy daily mental strain to cope with, and a security demand that goes beyond human understanding. Because, pushed well past their cognitive capacity, Internet users end up choosing passwords that are too easy to guess, or even always the same one. That simplifies life for them … but also for the villains of all stripes lying in ambush.

According to an older study (2016) by Skyhigh Networks, which analyzed the 11 million passwords offered for sale on the darknet, 10.3% of Internet users use one of the 20 most popular passwords on the Internet. This means that in fewer than 20 attempts, anyone can hack almost one account in ten.

Shock alliance to facilitate and secure the use of the Internet

But there is good news, at least on paper: the Internet giants Google, Apple and Microsoft took advantage of World Password Day, Thursday, May 5, to announce that they were teaming up to put an end to this ordeal. The press release issued from Mountain View, Google’s stronghold, announces that the three giants will join forces to build a system that allows authentication without having to remember a string of cabalistic characters.

The new feature will enable websites and apps to offer consumers consistent, secure and easy password-free logins across all devices and platforms.

“With the new feature, consumers will be able to easily authenticate to websites and mobile applications, without passwords and securely, regardless of device or operating system,” sums up the FIDO Alliance (Fast Identity Online Alliance) in a press release.

FIDO, an alliance of manufacturers working to improve, simplify and secure digital authentication, is the focal point of this technological revolution. FIDO was officially launched in February 2013, but it was founded a year earlier, in 2012, by an alliance of major players such as PayPal, Validity Sensors (these two formed the original core, created in 2009 around public-key cryptography), Lenovo, Nok Nok Labs, Infineon and Agnitio. It was in 2012 that work began on a password-free authentication protocol.

Since then, hundreds of technology companies and service providers around the world have worked through the FIDO Alliance and the W3C to create the password-free login standards that are already supported by billions of devices and by all modern operating systems and web browsers (iOS, macOS, Safari, Chrome, Android, Edge, Windows, etc.), according to FIDO’s press release.

Billions of devices … for billions of users: according to the Live Stats website, Internet users today number 5.3 billion worldwide. The number of Internet users multiplied tenfold between 1999 and 2013, and growth is constantly accelerating (1 billion Internet users in 2005, 2 billion in 2010, 3 billion in 2014).

“Fido IDs” for authentication on all platforms

In yesterday’s press release, Google explains that the goal is for users to be able to connect to an online service simply by unlocking their smartphone (via their usual method: fingerprint, face recognition, multi-digit code, etc.).

Specifically, a website can ask Internet users whether they want to “authenticate with their FIDO identifiers”. The same message is displayed simultaneously on the user’s phone, where the user simply has to accept, by unlocking the screen, in order to be signed in to the page. Smartphones will store these encrypted identifiers, called “access keys” (passkeys). Once you are registered with FIDO, you will no longer need to create or enter a password.

The promise is that FIDO authentication will be available regardless of operating system or browser, and regardless of device, since it will be possible to set up a new device via Bluetooth using a first device that already holds the credentials. It will also no longer be necessary to use two-factor authentication via SMS, designated as obsolete since … 2016.

A solution by leaps and bounds within twelve months

The three technology giants have committed to implement this new system within twelve months, on Android and iOS (the mobile operating systems from Google and Apple), on Chrome, Edge and Safari (browsers from Google, Microsoft and Apple) and on Windows and macOS (Microsoft and Apple operating systems for computers).

“Password-only authentication is one of the biggest security issues on the web,” Apple notes in its statement, which adds:

“The new approach will protect against phishing, and logging in to a service will be radically more secure than passwords and other technologies such as unique codes sent via SMS.”

For Andrew Shikiar, CEO and CMO of the FIDO Alliance, “This new capability should usher in a new wave of low-friction FIDO implementations alongside the continued and growing use of security keys, giving service providers a wide range of options for implementing modern, phishing-resistant authentication.”

(with AFP and Reuters)