Tag Archive for FIDO

| October 9, 2024
Comments Off on Passkeys: The Future of Online Security

Passkeys: The Future of Online Security

Passkeys: The Future of Online SecurityI have been writing about the impact of bad passwords since 2010. One of the most appalling bad password statistics comes from the Identity Theft Resource Center (ITRC). They have tracked over 1 billion data breach victims in the first half of 2024. Enough is enough, there is finally a workable answer to passwords: passkeys.

Passkeys were developed by the Fast Identity Online (FIDO) Alliance to log in to apps and websites without using a username and password combination. Instead, a passkey uses a pair of cryptographic keys generated by your device to unlock your account. Google and Apple will store your unique public key. Your private key is only stored on your device, and after your device authenticates your identity, the two keys combine to grant you access to your account.

According to FIDO research, 38% of consumers (PDF) are not familiar with passkey technology. A significant percentage of users do not understand passkeys, let alone trust them to protect their data and identities.

How passkeys work: A step-by-step guide

passkeys utilize public-key cryptography.Unlike traditional passwords, passkeys utilize public-key cryptography. That means every passkey has two parts: a public key and a private key. Together, they keep your accounts secure by allowing websites and apps to check that you are who you say you are. Here’s an overview of the passkey process:

  1. Creation: When you create a passkey, your device generates a pair of cryptographic keys – a public key and a private key.
  2. Storage: Apps or websites store your unique public key, while your private key is only stored on your device. After your device authenticates your identity, the two keys combine to grant you access to your account.
  3. Authentication: When you log in, the app or website sends a challenge to your device. Your device uses the private key to sign this challenge, proving your identity without revealing the private key.
  4. Verification: The app or website verifies the signed challenge using the public key. If it matches, you’re granted access.

The benefits of passkeys:

  • The benefits of passkeysStrong by default: You don’t have to create anything manually or worry about whether your private key is long or random enough.
  • No Need to Remember: You only need to authenticate with biometrics (or your device passcode) to sign in to your account.
  • Private Keys Are Never Shared: You don’t have to worry about how the website is storing your credentials.
  • Public Keys Can’t Be Used to Figure Out Your Private Key: If a criminal breaches a website’s servers, the best they can hope to find is your public key. The public key cannot be used to sign in to your account. Nor can it be reverse engineered to reveal your private key.
  • Strong Defense Against Malware: Criminals often create fake but seemingly authentic websites to trick you into sharing your login details.
  • Protection Against Ransomware: Many ransomware attacks start with social engineering emails. Once in, they continue by installing keystroke sniffing software that can watch people enter their IDs and passwords.
  • Improved User Experience: Signing in with a passkey is more convenient, faster, and smoother than using traditional passwords.

Why you should use a passkey instead of a password

Securing your online accounts is more important than ever in today’s digital age. Traditional passwords have been the go-to method for authentication for decades, but they come with several drawbacks. Here’s why you should consider using passkeys instead of passwords:

  • Enhanced Security: Passkeys use public-key cryptography, which involves a pair of cryptographic keys: a public key and a private key.
  • Convenience and Ease of Use: Remembering multiple complex passwords can be a hassle.
  • Protection Against Phishing: Phishing attacks are a common method used by cybercriminals to steal passwords.
  • Reduced Risk of Data Breaches: Data breaches often result in the exposure of millions of passwords.
  • Seamless Cross-Platform Experience: Passkeys are designed to work seamlessly across different devices and platforms.
  • Future-Proof Technology: As technology evolves, so do the methods used by cybercriminals.

Some consumers still don’t trust this form of security because they assume that anyone stealing their phone could log into their accounts. This isn’t true, as the criminal would still need your face, fingers, or eyes.

rb-

Even if you don’t fully trust passkeys, you should distrust your passwords more. It’s likely that your credentials have already been stolen and are on the dark web.

There is wide consensus in the tech community that passwords are an unsustainable security framework. Even password managers that let you use one strong master password could be at risk. First, some of them have been hacked and then there is the risk that those protected passwords are no longer secure.

A reasonable answer

A passwordless system is the only reasonable answer.

There is not a single passkey to solve all problems. You will have different passkeys for different systems and platforms.

However, this doesn’t really matter. The signup for passkeys is easy and consistent on all platforms in that there will never be a password attached to it. It will use the same biometrics you use for your other platforms, services, and their respective passkeys. In other words, it can feel like it’s one passkey for all online systems.

While passwords have served us well for decades, it’s time to embrace a more secure and convenient alternative. Passkeys offer enhanced security, ease of use, and protection against phishing and data breaches. By making the switch to passkeys, you can enjoy a safer and more seamless online experience. It’s true that the industry is still doing a poor job of explaining why you should embrace passkeys, you should like it because passkeys will ultimately save your data and digital identity.

Are you ready to make the switch to passkeys? Let us know your thoughts!

 

Related article

 

Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught my attention since 2005. You can follow me on Facebook or Mastodon. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , ,
| October 25, 2017
Comments Off on Biometrics Hype

Biometrics Hype

Biometrics HypeFollowers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is rolling across the Intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, Samsung has released the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

However, this awesome idea appears to lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 being unlocked using just a photo (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock feature is more for convenience than for security. The biometric feature cannot be used for mobile payments. While weak facial recognition software may be a convenience for the user, it could also be very convent for others, too.

The troubles with Face Unlock date back to 2011.  In 2011 SlashGear reported that Google (GOOG) admitted the security system could be fooled by a picture of you and not the real thing. CNet reports that the technology was developed by PittPatt, a startup originating from Carnegie Mellon University, which was later acquired by Google.

FBI’s facial recognition database

Next Generation Identification databaseThe Guardian reports during testimony before congress the FBI admitted that about half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports from 18 states including Michigan.

The FBI first launched its advanced biometric database, Next Generation Identification (NGI), in 2010. NGI augmented the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the gathering of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

 

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.

rb-

So anyone with a photo of you, or maybe even just access to your Facebook (FB) photos, could potentially access your phone. There are two important reasons why biometrics won’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

 

no real way to hide biometric data from the worldPeople expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to hide this data from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team gummy bears to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft stepped up its biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports other biometric factors to secure your PC. Some of the factors are fingerprints and iris recognition. For facial recognition though, Microsoft (MSFT) has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects. Microsoft uses RealSense to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. FIDO was founded in 2013 to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| April 15, 2017
Comments Off on Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a PixFollowers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is running across the intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, they are on the verge of releasing the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

Samsung Galaxy S8However, this awesome will lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 is seen being unlocked using just a photo (at the 1:09 mark). To their credit Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user, it could also be very convenient for others, too.

The troubles with Face Unlock date back to 2011 when SlashGear reported that Google admitted the security system can be fooled by a picture of you and not the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed  that Face Unlock which was later acquired by Google (GOOG).

photographs are stored in facial recognition databasesJust to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports during recent testimony before congress the FBI admitted that they store about half of all adult Americans’ photographs in a facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s licenses pictures from 18 states including Michigan (pdf) and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.States allowing FBI to search driver license pictures

 

I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.” So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

There's no real way to conceal your eyes, face or fingerprints from the worldPeople expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face, or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up their biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition though, Microsoft has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| September 24, 2016
Comments Off on FIDO

FIDO

FIDOSince 2013 there have been nearly 5 billion data records lost or stolen according to the Breach Level Index. The UN says there are 6.8 billion mobile phone accounts which mean globally 96% of humans have a cell phone. It would seem that these factoids could interact to cut the pace of lost or stolen data records. An effort is underway to use mobile devices to better secure data called FIDO.

https://fidoalliance.org/FIDO (Fast ID Online) is an open standard for a secure and easy-to-use universal authentication interface. FIDO plans to address the lack of interoperability among strong authentication devices. TargetTech says FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012. FIDO members include AgnitioAlibaba, ARM (ARMH), Blackberry (BBRY), Google (GOOG), Infineon Technologies, Lenovo (LNVGY), Master Card, Microsoft (MSFT), Netflix, Nok Nok Labs, PayPal, RSA, Samsung, Synaptics, Validity Sensors and Visa.

The FIDO specifications define a common interface for user authentication on the client. The article explains the goal of FIDO authentication is to promote data privacy and stronger authentication for online services without hard-to-adopt measures. FIDO’s standard supports multifactor authentication and strong features like biometrics. It stores supporting data in a smartphone to eliminate the need for multiple passwords.

encrypted virtual containerThe author writes that FIDO is much like an encrypted virtual container of strong authentication elements. The elements include: biometrics, USB security tokens, Near Field Communication (NFC), Trusted Platform Modules (TPM), embedded secure elements, smart cards, and Bluetooth. Data from authentication sources are used for the local key, while the requesting service gets a separate login to keep user data private.

FIDO is based on public-key cryptography that works through two different protocols for two different user experiences. According to TargetTech the Universal Authentication Framework (UAF) protocol allows the user to register an enabled device with a FIDO-ready server or website. Users authenticate on their devices with fingerprints or PINs, for example, and log in to the server using a secure public key.

authenticate users with a strong second factorThe Universal Second Factor (U2F), originally developed by Google, is an effort to get the Web ecosystem (browsers, online service providers, operating systems) to authenticate users with a strong second factor, such as a USB touchscreen key or NFC on a mobile device.

FIDO’s local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server or in the cloud. By abstracting the protocol implementation, FIDO also reduces the work required for developers to create secure logins.

Samsung and PayPal have announced a FIDO authentication partnership. Beginning with the Samsung Galaxy S5 users can authorize transactions to their PayPal accounts using their fingerprints, which authenticates users by sending unique encrypted keys to their online PayPal wallets without storing biometric information on the company’s servers.

Samsung and PayPal FIDO authentication partnershipFIDO promises to clean up the strong authentication marketplace, making it easier for one-fob-fits-all products. The open standards shift some of the burdens for protecting personally identifiable information to software on devices or biometric features, and away from stored credentials and passwords. ComputerWeekly described FIDO’s potential this way:

The FIDO method is more secure than current methods because no password of identifying information is sent out; instead, it is processed by software on the end user’s device that calculates cryptographic strings to be sent to a login server.

In the past, multiple-factor authentication methods were based on either a hardware fob or a tokenless product. These products use custom software, proprietary programming interfaces, and much work to integrate the method into your existing on-premises and Web-based applications.

same authentication device can be used in multiple ways for signing into a variety of providersComputerWeekly says FIDO will divorce second-factor methods from the actual applications that will depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without one being aware of the others or the need for extensive programming for stronger authentication.

Integrating FIDO-compliant built-in technology with digital wallets and e-commerce can not only help protect consumers but reduce the risk, liability, and fraud for financial institutions and digital marketplaces.

The big leap that FIDO is taking is to use biometric data – voiceprint, fingerprint, facial recognition, etc. and digitize and protect that information with solid cryptographic techniques. But unlike the traditional second-factor authentication key fobs or even the tokenless phone call-back scenarios, this information remains on your smartphone or laptop and isn’t shared with any application provider. FIDO can even use a simple four-digit PIN code, and everything will stay on the originating device. With this approach, ComputerWeekly says FIDO avoids the potential for a Target-like point-of-sale exploit that could release millions of logins to the world, a big selling point for many IT shops and providers.

Target-like point-of-sale exploitIt can eliminate having to carry a separate dongle as just about everyone has a mobile phone these days this is a mobile world we live in, and we need mobile-compatible solutions; otherwise, you’re behind the curve right out of the gate.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,