For years everyone has been trying to kill it, but nobody has succeeded. Ever since computers have existed, passwords have poisoned our daily lives: you have to make them complex without forgetting them, manage them in dedicated software, change them regularly, take care never to hand them to anyone, and so on.
In 2018, the FIDO Alliance consortium thought it had put the password in its coffin by proposing the FIDO2 standard. It relies on a rather ingenious asymmetric-cryptography mechanism to get rid of these cumbersome secret codes. But it never caught on, and the password is still very much alive. The alliance now proposes a new standard, "Multi-device FIDO", which has the backing of the major technology giants (Google, Apple, Microsoft). Here are five questions to understand what it is all about.
Why was FIDO2 a failure?
On paper, FIDO2 is a good alternative to the password. A user who wants to sign in to an online service must first register, which consists of generating in their "authenticator" (a browser, a smartphone, a smartwatch, etc.) a key pair: a private key and a public key. The public key is sent to the service provider and the private key stays on the device. When the user wants to sign in, the device sends the service provider an authentication message, signed with the private key, which the provider verifies with the public key. That's all. The big advantage is that there is no password to type and the risk of phishing is eliminated: the signed message is bound to the site's real origin, so a lookalike site cannot obtain a signature that the genuine service would accept.
The problem is that very few online services have implemented FIDO2. And that is logical, because the registration procedure is too tedious. Since each generated key pair is specific to one device and one service, you have to register every device with every service. But people use many different devices and replace them often. With three devices and twenty services, that theoretically makes... 60 registration procedures! And for every new device you buy, you have to go through twenty new registrations. People have quickly preferred a centralized password manager in the cloud: fill it in once and you're done.
What answer does Multi-device FIDO provide?
Two improvements are meant to simplify the use of FIDO technology for the general public. The first is a "roaming" feature, which lets you use FIDO authentication on a device where you have never registered. The procedure can be forwarded over Bluetooth to a nearby authenticator, typically a smartphone, where the user validates the login. The advantage is that the individual no longer has to register on every device. In the end, they can even make do with a single one, provided of course that the systems interoperate with each other.
The other new feature is the ability to store the private keys centrally with the vendor behind the authenticator (i.e. the platform vendor of the smartphone). If the phone is lost, the user can then easily restore access without going through new registration procedures.
The goal is ultimately to have a system that is easy to manage. "From a user experience perspective, this would be very similar to how one interacts with a password manager today when it comes to registering and logging in securely to websites. However, it will be much more secure because the service server does not receive a password but a public key," explains a spokesman for the FIDO Alliance.
How can you be sure the devices will be interoperable?
Authentication roaming via Bluetooth will be an integral part of the FIDO standard. All systems that implement "Multi-device FIDO" will therefore be interoperable automatically. The good news, moreover, is that the three giants Google, Apple and Microsoft have announced that they will integrate this new authentication technology into their platforms. We can therefore hope that Android, Windows, iOS and macOS will all interoperate at the roaming level. That would cover almost the entire consumer computing market.
No timeline has been set yet, however. Nor do we know whether service providers will finally take the plunge and adopt FIDO on their side. That is not a foregone conclusion, because their platforms need to be adapted, and the inertia is likely to be strong since this is a significant investment.
Is Multi-device FIDO as secure as FIDO2?
No. What we gain in usability, we lose a little in security, because the two new features also introduce two new risks. From now on, users will have to rely on the computer giants to protect their private keys. The fact that these keys are stored centrally also risks whetting the appetite of hackers... or intelligence services. How will these private keys be stored at Google, Apple and Microsoft? Will they implement end-to-end encryption, as most cloud password managers do? For now we do not know.
The other new risk is the hand-off of the authentication procedure over Bluetooth, which creates a new attack surface. The Alliance, however, plays down this risk. On the one hand, the exchange takes place between devices in close proximity. On the other hand, the underlying FIDO protocol "does not depend on Bluetooth security features for the security of the authentication procedure. Instead, it uses standard cryptographic features on the application layer to protect the data," explains the consortium.
What happens if I change ecosystem?
This is likely to be the major drawback of the whole construction, because the backup of private keys will not be interoperable from one ecosystem to another. With Multi-device FIDO, the idea is to use your smartphone as the means of access to all services, which means the private keys end up stored either with Google or with Apple. Nothing says there will be a bridge from one ecosystem to the other, and the FIDO Alliance website suggests the opposite. So the day a user replaces their Android smartphone with an iPhone, they will most likely have to redo all their registrations. With a password manager, this problem does not exist.