Three Of The Largest Browser Developers Have Teamed Up In An Unprecedented Alliance To Quickly Turn The World Into A Hell Of A User Of Information Thieves With The Help Of FIDO And Passkey.
Passwords for more than a decade, we have been hearing the promise of living in a password-free world around Silicon Valley and Seattle; But year after year, there is no news of this promise being fulfilled.
Last year, we wrote that although the end of the mystery age, despite promises such as flying cars or life on Mars, is reasonably achievable, it faces significant problems that make it almost impossible to fulfill it soon.
Now, on World Password Day (the first Thursday in May, chosen by Intel), the three tech giants, Google, Apple, and Microsoft, in an unprecedented move, put aside rivalries and disputes and announced their full support for a new mechanism to be implemented.
For the first time, make password-free authentication possible for the general public across operating systems and services.
This collaboration is particularly unprecedented and surprising in that Apple has not developed a strict policy in support of its technologies. End Of Phishing Nightmare; How Do Google, Apple, And Microsoft Want To End The Age Of Passwords?
Why is this news so exciting to us?
If you are one of those lucky or very regular people who have never had your user information stolen and have not had personal experience of the significant hassle of choosing or changing your password, take a look at these shocking numbers :
- 2020: The year in which the most stolen information in the world was a password
- 82%: 2% of employees admitted using the same password for multiple accounts.
- 60%: Percentage of the same passwords used numerous times in various data leak attacks in 2020.
- Three-fourths: The number of employees who use the same password for work and personal accounts.
- 40%: Percentage of organizations that write down passwords on paper.
Password is one of the most vulnerable data of any person, and in many cases, the method of stealing it is the simplest type of hack, namely brute force, which can be done even by a complete beginner.
Users often prefer to choose phrases for the password that are easy to remember; For this reason, technology companies and infrastructure companies often have the responsibility to increase the security of Internet users.
There are several ways to protect your password, including multi-factor authentication or password management applications. However, as long as the password is available, hackers will find new ways to steal it. It can say that a strong password is a password that does not exist at all, and it is not unreasonable that this troublesome authentication method has no place in the future of our digital life.
Projects that have been proposed in the past to remove the password have had numerous problems.
The most critical weakness of all of them was the lack of a recovery mechanism for the time when the person lost access to the phone number or physical or mobile tokens connected to the account.
Another problem was that most solutions eventually could not altogether remove the password, and even the option of the face and fingerprint recognition still relied on the password, which means all the reasons for our hatred of the password, including the risk of phishing and theft of user information, repeated use of a password and Forgetting passwords persisted. In addition, none of these methods provided a solution for using the security token in all the different operating systems and services.
Why is the story different this time around?
Because Apple, Google, and Microsoft, which have developed the most popular browsers and the most popular smartphone brand in their hands, have finally agreed on a definite solution. This solution is called “multi-device authentication” or, in colloquial language, “Passkey” and was developed by the FIDO Alliance Industrial Group, A company whose mission is to develop authentication mechanisms without a password.
As the term “multi-device” implies, this mechanism works on all iOS or Android, or Windows-based devices and, in the first instance, on all Apple, Google, and Microsoft services.
A strong password does not exist at all.
The Passkey mechanism, in an article published by Fido Alliance in March this year, is, in fact, an upgrade to current authentication protocols, and not only is it straightforward for users to use; Rather, implementing it for extensive services such as GitHub and Facebook is much less expensive than the previously proposed methods; Because its infrastructure exists in the browsers and handsets, we are currently using.
Microsoft describes Passkey as a safer, faster, and more accessible alternative to completely secure passwords against phishing attacks. Google also mentions this mechanism as a historic and massive step towards a passwordless world. Fido Alliance itself says that this technology could replace passwords as the dominant authentication method on the Internet for the first time.
Current multi-factor authentication methods known as MFAs, such as time-consuming one-time passwords, have advanced dramatically over the past five years. Still, since these methods are different for each platform and each service has its separate authentication mechanism, they have not yet found a comprehensive solution to remove the password altogether.
Therefore, the Passkey mechanism is the best option to realize the dream of living in a password-free world, with the ability to implement it in all operating systems and services in an easy and low-cost way.
What exactly is the Passkey mechanism?
Before explaining the Passkey mechanism, let’s talk a little about current authentication methods; Because this mechanism is essentially an improved version of these methods. Cybersecurity experts divide authentication agents into three groups: What you know (for example, password). What you have (for example, a mobile phone); 3. What you are (for example, a fingerprint or any other biometric method).
On social networks such as Instagram, you may have encountered the option of two-factor authentication. The method you use for authentication involves two factors of high classification: what you know (password) + what you have (mobile phone). Even if a hacker accesses your password, they will need your phone to log in to your Instagram account, which is fortunately at your disposal.
The Passkey mechanism replaces the “what you know” factor with “what you are,”; While the “what you have” aspect is still valid. Instead of entering a password, the user uses biometric methods such as fingerprints or face scans. This method uses this method to unlock their phone, which is the second factor of this mechanism.
The secret to Passkey’s anti-phishing mechanism is the use of Bluetooth.
The secret to this anti-phishing mechanism is the use of Bluetooth. The Passkey system sends authentication requests via Bluetooth instead of the Internet to prevent hackers from accessing users’ accounts. In a password-free world, it is assumed that all Internet users own at least two devices (for example, a phone and a computer); Because their phone is supposed to be used as their authentication key.
When you record your fingerprint or face to unlock your phone, you also save this biometric factor as a security token to log in to your account. Now, whenever you want to log in to your Instagram account, whether from a PC, iPhone, or Android phone, without having to enter a password or even a username, click on the login button with Passkey to send a notification to your phone via Bluetooth. All you have to do is unlock your phone with a fingerprint or face scan to log in to your account right away.
There are two advantages to using Bluetooth in this method: It enables Passkey synchronization across multiple operating systems; ۲. Reduces the risk of hackers logging into user accounts; Because authentication is done locally. Also, since these tokens are also stored in the cloud, you do not have to worry about losing or replacing your phone and authenticate all your devices. According to Microsoft, the user’s biometric information is also never removed from the device; As a result, there is no need to worry about this.
A passwordless world within a few steps of us
Big technology companies have been talking about the end of cryptography for ten years, and it makes sense to continue to look at it with skepticism. We can not speak about a password-free world until all the pieces are in place and Passkey support is not widespread on most platforms and services. Google itself states that making this technology available to all devices and supporting all websites and applications will be time-consuming.
Passkey implementation will begin in late 2022 or early 2023
However, with the support of Google, Microsoft, and Apple for this project, it is the first time that we are very close to realizing this dream. According to Andrew Shikiar, CEO of FIDO Alliance, implementation of the system will begin in late 2022 or early 2023, and each of the three companies has its timeline to support Passkey next year.
Complete password removal is a complicated process; Because, for decades, it has been the only way to authenticate Internet users, and many people are reluctant to give it up. However, the support of tech giants for this approach is a huge step. We hope that we will never again have to type meaningless letters and numbers mCdC4css0! Zd570 to log in to any of our accounts!