Apple, Google, and Microsoft commit to support passwordless sign‑in


    • This topic has 16 replies, 7 voices, and was last updated 3 years ago.
    #2444416

    https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/

    Faster, easier, and more secure sign‑ins will be available to consumers across leading devices and platforms

    In a joint effort to make the web more secure and usable for all, Apple, Google, and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

    Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure…

    The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN…

    I have logged into my bank account with iPhone’s Face ID for a long time.
    Before Face ID I used Touch ID.

    • This topic was modified 3 years ago by Alex5723.
    2 users thanked author for this post.
    • #2444505

      So it shall be up to each website to offer this alternative to the common User ID and password login. At some government agencies, such as NASA, it was adopted last year, requiring only the user’s PIN.

      I do not use biometrics (such as a video cam picture of my face or thumbprints) to log in, even though I could, because biometrics sometimes change: serious accidents might disfigure faces or erase a part or the whole of a thumbprint used to log in, while less serious ones might result in bandages on face and fingers. Ways around this might or might not be available. Or, if available, then not properly, or even at all, set up by the user.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2444557

      At some government agencies, such as NASA, it was adopted last year, requiring only the user’s PIN.

      That is not what FIDO offers. The new passwordless sign-in will use the SAME PIN you use to unlock your Mac, smartphone, etc., and the log-in should be automatic. No keying needed.

      • #2444559

        I’ve always thought PINs were 4 or 6 digit numbers. That’s a lot less secure than the 24 character passwords I store in my password vault (lower, upper, special characters, numbers).

        • #2444561

          It would take up to 112 hours to brute force a 4 digit PIN, because each PIN entry takes 40 seconds.

      • #2444684

        Alex: “It would take up to 112 hours to brute force a 4 digit PIN, because each PIN entry takes 40 seconds.”

        A six-digit PIN takes me six to seven seconds to enter. So does it take ten times longer for a person with very poor coordination and eyesight? In such a case biometrics might be a solution.


    • #2444568

      Those new-fangled ‘biometric’ unlock features are all well and good, if they work. IF

      My ‘smart’ phone regularly tells me “Face not recognised” (MY face), and before that (before I got fed up with the stoopid feature and disabled it) “Fingerprint not recognised” (MY fingerprint).

      The only thing that consistently and reliably unlocks my phone (a newish Samsung Galaxy A32 5G) is the typed password.

      1 user thanked author for this post.
    • #2444571

      Microsoft: This World Password Day consider ditching passwords altogether

      ..But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months

      Free yourself with passwordless sign-in

      Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

      1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
      2. Sign in to your Microsoft account.
      3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
      4. Select Turn on.
      5. Approve the notification from Authenticator….

    • #2444572

      Those new-fangled ‘biometric’ unlock features are all well and good, if they work. IF

      They work every time if you use an Apple device.
      No Android device has secure Face-id.

      • #2444604

        Not necessarily so.
        I set up fingerprint login on my iPhone. It does not work.
        In my old age, the skin on my fingers gets dry, wrinkles, creases. The fingerprint I registered two logins ago no longer works. I login with a password/PIN and reregister my fingerprints. It MAY work for two or three logins.
        If that fingerprint is used to access online sites, then that also doesn’t work.
        The only thing I have found consistent is my password/PIN.

        6 users thanked author for this post.
        • #2444624

          Same for me. I admit that fingerprint login on my iPhone is convenient and works 80% of the time, but definitely not when fingers are anything but clean and dry. I’m very glad that multiple fingers can be registered though. My left thumb is what I instinctively use, but when I sliced it I was grateful that other fingers worked. My biggest concern is biometric logins without an alternative method.

          1 user thanked author for this post.
    • #2444688

      In my case it is not just my age, but the fact that there are little straight grooves cutting across the fingerprint pattern of all my fingers: optical fingerprint identification has never worked for me because of that, and has caused me inconveniences when doing something that required using it for some official purpose or other. Somehow those straight grooves confuse the system. Every time.


    • #2444689

      A six-digit PIN takes me six to seven seconds to enter.

      We are talking brute force. The hacker’s PC enters a PIN, gets a rejection, enters another, gets a rejection… after some rejects he is locked out and has to reset and start over…

      1 user thanked author for this post.
      • #2444981

        Alex: “We are talking brute force. The hacker’s PC enters a PIN, gets a rejection, enters another, gets a rejection… after some rejects he is locked out and has to reset and start over…”

        I see how that can be a problem for a legitimate user if the PIN gets stolen in this way — when logging in with only a PIN. But not when logging in with a PIN plus a plug-in device that has stored, besides other information, the PIN. When logging in (in my case, first to the NASA Mac assigned to me, then several more times along the way, as well as to unlock the screen when it locks after a sufficiently long period with no activity), both the PIN one has entered and the one in the plugged-in device are compared by the software answering the door, before one is allowed to get in, or to proceed from there to do certain things, such as email with Outlook. So, besides figuring out the PIN by brute force, the hacker would also need to get hold of my plug-in device. Good luck with that.


    • #2445009

      Google: One step closer to a passwordless future

      Today passwords are essential to online safety, but threats like phishing, scams, and poor password hygiene continue to pose a risk to users. Google has long recognized these issues, which is why we have created defenses like 2-Step Verification and Google Password Manager.

      However, to really address password problems, we need to move beyond passwords altogether, which is why we’ve been setting the stage for a passwordless future for over a decade…

      How will a passwordless future work?
      When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.

      Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.

      To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off…

    • #2445014

      It would take up to 112 hours to brute force a 4 digit PIN, because each PIN entry takes 40 seconds.

      How does this square with this?

      The hacker’s PC enters a PIN, gets a rejection, enters another, gets a rejection… after some rejects he is locked out and has to reset and start over…

      cheers, Paul

    • #2445021

      Alex quoted: “How will a passwordless future work?
      When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.”

      For individuals that access the internet for their own private purposes, using their own, personal cell phones, fine, this might, who knows, work out.

      Personal or work-provided phones are not used for things that have to do with or require effective IT security of data, personal information and work-related text messages and email in offices of the government and, I would imagine, of any large corporation, or even in many regular size businesses with PBX phone systems used for verbal communication only.
      And among individual users, not everyone even uses a “phone” which, in this context, I am guessing does not mean a landline one, or even a clamshell.

      Have the people who write these things ever had regular jobs? I mean, real jobs? (Doing PR, to me at least, does not count as “real” real.)


      1 user thanked author for this post.