Goodbye mental load and hello security, Apple, Google and Microsoft promise

For years, the scourge of Internet users was spam, tsunamis of it pouring into our mailboxes from all sides. But just as spam was on its way out, another scourge took over: passwords, whose number keeps growing as the digitization of our societies accelerates. Passwords are demanded at every step on the Internet, whether to connect to basic online services (security, bank, insurance, communications, doctor, transportation, travel, etc.), to social networks, to various email accounts, or to online applications for office work or entertainment. They pile up, and everyone has to improvise a workaround (a mnemonic system along the lines of AujourdhuiA-N@ntes-ilfaitB3au! and/or a paper or digital list) so as not to forget a single one and be left stranded.

This was pointed out by Graham Williams, Director of Identity and Access Management at Thales, yesterday on World Password Day, when he said that these passwords are “getting more and more dangerous” because they are “easily hacked”:

“Recent research shows that many CEOs still use ‘12356’ as their password.”

In fact, the other big problem is security: the risk of one of your accounts, or even all of them, being hacked, leaving you unable to access your data or having it held for ransom, when it is not identity theft lying in wait. In short, passwords are a heavy daily mental burden to manage and a security problem that exceeds what people can handle. Internet users, their cognitive capacity overwhelmed, choose easy-to-guess passwords or reuse the same password everywhere to simplify their lives, which also simplifies the lives of scammers of all stripes lying in ambush.

According to an old study (2016) by Skyhigh Networks analyzing 11 million passwords for sale on the darknet, 10.3% of Internet users use one of the 20 most common passwords on the Internet. This means that in fewer than 20 attempts, almost one in ten accounts can be hacked by anyone.

A heavyweight coalition to ease and secure the use of the Internet

But good news is on the way. Internet giants Google, Apple and Microsoft took advantage of World Password Day, Thursday, May 5, to announce that they are working together to put an end to this ordeal. The press release, published from Mountain View, Google's stronghold, announced that the three giants will join forces to build a system that allows authentication without having to memorize a string of cryptic characters.

The new feature will enable websites and apps to offer consumers consistent, secure, and easy password-free logins across all devices and platforms.

“With the new feature, consumers will be able to authenticate to websites and mobile apps easily, without passwords and securely, regardless of device or operating system,” the FIDO (Fast IDentity Online) Alliance summarized in a press release.

FIDO is the backbone of this technology revolution: an alliance of manufacturers working to improve, simplify, and secure digital authentication. FIDO was officially launched in February 2013 but was founded a year earlier, in 2012, by a coalition of big players such as PayPal and Validity Sensors (these two formed the original core, created in 2009 around cryptography and public-key questions), Lenovo, Nok Nok Labs, Infineon, and Agnitio. In 2012, work began on a passwordless authentication protocol.

Since then, hundreds of technology companies and service providers around the world have worked through the FIDO Alliance and the W3C to create passwordless login standards that are already supported by billions of devices. These standards work on all modern operating systems and web browsers (iOS, macOS, Safari, Chrome, Android, Edge, Windows, etc.), according to FIDO’s press release.

Billions of Devices… for Billions of Users: According to Live Stats, today there are 5.3 billion Internet users in the world. The number of Internet users multiplied by 10 between 1999 and 2013, steadily accelerating (1 billion Internet users in 2005, 2 billion in 2010, 3 billion in 2014).

“Fido IDs” to authenticate on all platforms

In a press release yesterday, Google explained that the goal is to enable users to connect to an online service simply by unlocking their smartphone (via their usual method: fingerprint, facial recognition, multi-digit code, etc.).

Concretely, any website can ask an Internet user whether they want to “authenticate themselves with their FIDO IDs”. The prompt will appear simultaneously on the user's phone, and the user will only need to accept it, by unlocking the screen, to sign in to the site. Smartphones will store these encrypted identifiers, called “passkeys” (access keys). Once you have registered with FIDO, there is no need to create or enter a password.

The promise is that FIDO authentication will be accessible regardless of the operating system, browser, or device, as it will be possible to transfer the credentials to a new device via Bluetooth from the first device that already holds them. It will also no longer be necessary to use two-factor authentication by SMS, which has been identified as outdated since … 2016.

A fully operational solution within twelve months

The three tech giants have committed to implementing this new platform within twelve months, on Android and iOS (Google and Apple’s mobile operating systems), on Chrome, Edge and Safari (Google, Microsoft, and Apple browsers) and on Windows and macOS (Microsoft and Apple operating systems for computers).

“Authentication with passwords only is one of the biggest security issues on the web,” Apple notes in its statement, adding:

“The new approach will protect against phishing, and logging in to the service will be radically more secure than passwords and other technologies such as one-time codes sent via SMS.”

For Andrew Shikiar, CEO and Director of Marketing at FIDO Alliance, “This new capability should herald a new wave of low-friction FIDO applications, combined with the constant and increasing use of security keys, giving service providers a full range of options to deploy modern anti-phishing authentication.”
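
The passkey sign-in and the anti-phishing claim described above can be modelled as a public-key challenge-response bound to the site's origin. The Node.js sketch below is an added example, not code from the FIDO Alliance or from any of the three vendors; it is a simplified model rather than the WebAuthn wire format, and the function names and example.* origins are assumptions made for illustration.

```javascript
// Added illustration: simplified model of a passkey sign-in, not the WebAuthn wire format.
const crypto = require('crypto');

// Registration: the device creates a key pair for one site; the site keeps only the public key.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { privateKey }, serverRecord: { origin, publicKey } };
}

// Site: a fresh random challenge per login attempt, so an old response cannot be replayed.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: once the user unlocks it, sign the challenge together with the origin
// the browser is really connected to (the page itself cannot choose this value).
function deviceSign(device, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site: accept only a valid signature over its own challenge and its own origin.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.challenge !== expectedChallenge) return false; // stale or replayed response
  if (data.origin !== serverRecord.origin) return false;  // signed for a look-alike site
  return crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

// Constructed scenario: one genuine login, one response relayed from a look-alike site.
function demo() {
  const { device, serverRecord } = registerPasskey('https://bank.example');
  const challenge = newChallenge();
  const genuine = deviceSign(device, challenge, 'https://bank.example');
  const relayed = deviceSign(device, challenge, 'https://bank-login.example');
  return {
    genuine: verifyAssertion(serverRecord, challenge, genuine),
    relayed: verifyAssertion(serverRecord, challenge, relayed),
    replayed: verifyAssertion(serverRecord, newChallenge(), genuine),
  };
}

console.log(demo()); // { genuine: true, relayed: false, replayed: false }
```

Unlike a password or an SMS code, nothing the user could type into a look-alike page is reusable on the real site: the only secret is the private key, which never leaves the device.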

(with AFP and Reuters)