For years everyone has wanted to kill it, but no one has succeeded. Ever since computers came into existence, the password has poisoned our daily lives. You need to make it complicated without forgetting it, manage it with dedicated software, replace it regularly, be careful not to pass it on to anyone, etc.
In 2018, the FIDO Alliance consortium thought it had found the answer by proposing the FIDO2 standard. It relies on a relatively ingenious asymmetric cryptography mechanism to eliminate these complex secret codes. But it did not catch on, and the password is still alive. The alliance now offers a new standard: “Multi-device FIDO”, which has received support from the major technology giants (Google, Apple, Microsoft). Here are five questions to fully understand what it is all about.
Why did FIDO2 fail?
On paper, FIDO2 is a great alternative to the password. A user who wants to connect to an online service must first go through an enrollment, which consists in generating on his “authenticator” – a browser, a smartphone, a connected watch, etc. – a private key and a public key. The public key is sent to the service provider and the private key remains stored on the terminal. When the user wants to connect, he or she sends the service provider a verification message signed with the private key, and the provider checks the signature using the public key. That’s all. The big advantage is that there is no password to type and the risk of phishing is eliminated.
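The registration and login flow just described, as an added illustration that is not part of the original article and not the FIDO Alliance’s own code. It is a deliberately simplified model, not the real WebAuthn/CTAP message format: the service (“relying party”) stores only a public key per user, every login is a fresh random challenge, and the authenticator signs a hash that binds the challenge to the origin the browser actually saw. That binding is what makes the scheme phishing-resistant: a signature obtained by a look-alike site does not verify for the genuine service. The service names, user name and hashing layout are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty models the online service. It never sees a secret:
// it stores one public key per enrolled user. ID is its origin (assumed sample value).
type RelyingParty struct {
	ID   string
	keys map[string]*ecdsa.PublicKey
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]*ecdsa.PublicKey{}}
}

// Enroll is the registration step: a fresh P-256 key pair is generated on the
// authenticator and only the public half is handed to the service.
func Enroll(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.keys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// Challenge issues a random 32-byte nonce for a single login attempt,
// so a captured signature cannot be replayed later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage is the simplified stand-in for FIDO's client data: the origin
// and the challenge are hashed together, so the signature is tied to the origin.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot be confused
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the authenticator does with the origin the browser observed.
func (a *Authenticator) Sign(originSeen string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(originSeen, challenge))
}

// Verify is what the service does: it recomputes the hash with its OWN origin.
// A signature made over a phishing origin therefore fails to verify.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("no key enrolled for this user")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// LoginFlow runs one complete challenge/response. originSeen is the origin the
// client believes it is talking to; it equals rp.ID only for a genuine login.
func LoginFlow(rp *RelyingParty, auth *Authenticator, user, originSeen string) (bool, error) {
	challenge, err := rp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(originSeen, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig) == nil, nil
}

func main() {
	rp := NewRelyingParty("service.example") // constructed sample origin
	auth, _ := Enroll(rp, "alice")
	ok, _ := LoginFlow(rp, auth, "alice", "service.example")
	fmt.Println("genuine login accepted:", ok)
	ok, _ = LoginFlow(rp, auth, "alice", "service.example.login-help.test")
	fmt.Println("phished signature accepted:", ok)
}
```

The same model also shows the enrollment cost the article goes on to describe: the key pair is generated per authenticator and registered per service, so a second device or a second service means another `Enroll` call, and a signature from a device the service has never enrolled is simply rejected.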
The problem is that very few online services implement the FIDO2 standard. And this is logical, because the enrollment procedure is very tedious. Since the generated private key is unique to each authenticator, you have to enroll for each terminal and each service. Yet individuals use many different terminals and replace them frequently. With three terminals and twenty services, that theoretically makes… 60 enrollment procedures! And for every new terminal purchased, you have to go through twenty new enrollments. One quickly ends up preferring a centralized password manager in the cloud. Enroll once, and you’re done.
What answer does FIDO Multi-device provide?
Two improvements should simplify the use of FIDO technologies for the general public. The first is a “roaming” function, which will allow FIDO authentication to be used on a system that is not enrolled. The process is relayed over Bluetooth to a nearby authenticator, usually a smartphone, where the user approves the connection. The advantage is that there is no need to enroll each terminal individually. Eventually, a single enrollment may even suffice, provided of course that the systems are interoperable with each other.
The second new thing is the possibility of centrally backing up private keys with the authenticator’s provider (i.e., the smartphone vendor). If the device is lost, the user can easily rebuild his or her access without going through new enrollment procedures.
The goal, ultimately, is to have a system that is easy to manage. “From a user experience perspective, this would be very similar to how someone interacts with a password manager today when it comes to registration and securely logging into websites. However, it will be more secure, since the service’s server does not accept a password, but a public key,” explained a spokesperson for the FIDO Alliance.
How can you ensure that the terminals are interoperable?
Roaming authentication via Bluetooth will be an integral part of the FIDO standard, so all systems that implement “Multi-device FIDO” will automatically be interoperable. The good news, moreover, is that the three giants Google, Apple and Microsoft have announced that they will incorporate the new authentication technology into their platforms. We can expect Android, Windows, iOS and macOS systems to be interconnected at the roaming level, covering almost the entire consumer computing market.
So far, however, no deadline has been given. We also don’t know whether service providers will finally come around and adopt FIDO on their side. This is unclear, as their platforms need to be adapted. Inertia is likely to be strong, as the investment is far from negligible.
Is multi-device FIDO as secure as FIDO2?
No. What is gained in ease of use is partly lost in security, as the two new features also introduce two new risks. From now on, users will have to trust the computer giants to protect their private keys. The fact that these keys are stored centrally also threatens to whet the appetite of hackers… or intelligence agencies. And how will these private keys be stored at Google, Apple and Microsoft? Will they implement end-to-end encryption, as most cloud password managers do? So far, we don’t know.
The second new danger is the relaying of the authentication over Bluetooth, as this creates a new attack surface. The alliance, however, plays down this risk. On the one hand, the relay takes place in a context of physical proximity. On the other hand, the underlying FIDO protocol “does not rely on Bluetooth security features for the security of the authentication method. Instead, it uses common cryptographic functions at the application layer to protect data,” the consortium explains.
What happens if I change the ecosystem?
This is likely to be the major downside of the whole construction, as a priori the private key backup will not be interoperable from one ecosystem to another. With Multi-device FIDO, the idea is to use your smartphone as the means of accessing all services, so in practice the private keys will be backed up either by Google or by Apple. But nothing says there will be a gateway from one ecosystem to the other, and the FIDO Alliance site suggests the opposite. Therefore, on the day a user replaces an Android smartphone with an iPhone, he will probably have to redo all his enrollments. With a password manager, this problem does not exist.