Tag: multiple device use

FIDO Alliance closer to password-free authentication


Facebook login page

FIDO Alliance could be having us move off passwords when we use online services

FIDO Alliance says it has finally killed the password • The Register

From the horse’s mouth

FIDO Alliance

Charting an Accelerated Path Forward for Passwordless Authentication Adoption – FIDO Alliance

My Comments

The FIDO Alliance and WebAuthn groups are moving towards a password-free authentication approach for online services. This is based around a device-local private authentication key associated with your username for that online service, one that is only released when you enter your device PIN / screen-unlock code or scan your fingerprint or face where your device supports it. A corresponding public key is stored in the user’s account record on the online service’s servers and is used to verify that the device holds the matching private key, which completes the user-verification process.

Samsung Galaxy Tab Active 8" business tablet press picture courtesy of Samsung

The smartphone will end up as a key authentication device especially if you sign in with your fingerprint or face

But there is a problem associated with the reality that most of us own multiple computing devices. This can typically manifest in us owning a smartphone, a mobile-platform tablet like an iPad and/or a regular desktop or laptop computer. There is also the fact that most of us will end up owning “connected-TV” equipment be it a smart TV, set-top device or games console that is a gateway to online video services. Or we may even end up using various smart-home platforms including Amazon Echo or Google Home.

The problem also includes lifecycle issues associated with today’s devices such as acquiring a new device or replacing a broken, lost or stolen device. Or it could include where one is using another device on a temporary basis like using a friend’s computer or a computer at a hotel business centre.

Then there is the issue of phishing even with multifactor authentication because there is no way of identifying whether a user is signing in to the real online service or not.

Solutions

Bluetooth as a means for authentication

Logitech MX Anywhere 3 mouse on glass table near laptop

Or you could authenticate online services from a laptop’s fingerprint reader or your smartphone

One factor being examined is the use of your smartphone as a roaming authentication device. Part of what will be looked at is using Bluetooth LE as a machine-to-machine link between the device you are signing in from and your phone to conditionally release online-service authentication keys.

This avoids you entering a one-time password into a phishing site, for example, because you are not transcribing information into a site. The Bluetooth functionality is also about device proximity: your smartphone is close to the device you want to sign in from.

I also see the Bluetooth link appealing to client devices that have limited user interfaces like connected-TV devices, printers and the Internet of Things. It avoids the need to log in to your online service to transcribe a “binding code” to use it with connected-TV devices or, at worst, to “hunt and peck” a username and password to associate the device with an online service.

It will also support bare-bones provisioning of new devices irrespective of the platform, such as when you, as an iOS or Android mobile-platform user, want to set up your Windows laptop to work with your online services.

As well, it could come into its own with temporary-use scenarios like shared computers or equipment installed in places like hotels. It could even include adding one’s online video service account to smart TVs or set-top devices installed in hotels, holiday homes or common rooms for temporary use. I could even see this earn its keep as an alternative to cards for authentication at kiosk-type setups like ATMs.

Multi-device authentication

The multi-device approach would depend on the likes of Apple, Google and Microsoft coming to the party. This is because it would be based on device operating systems and the associated cloud-driven account services like Apple ID (macOS, iOS, tvOS), Google Account (Android, ChromeOS) and Microsoft Account (Windows, Xbox).

In some cases, it may extend to device vendors or other entities who run their own cloud-driven account services and want them as the login of choice for your online world. Even account services typically managed by businesses or education establishments could become “primary” account services typically for large fleets of organisation-owned devices.

Amazon Echo Show 10 press image courtesy of Amazon

Even smart displays like the Amazon Echo Show 10 could be in on the action

This approach would have the operating system create and use the authentication keys and store them with your account on the cloud-driven account service. It would come into its own if you are adding a device that works with the same platform as the one you were using, for example onboarding an iPad to the same Apple ID as your iPhone.

The system can distinguish between an existing device and a newer device through another, device-bound authentication key that attests that you are authorised to use the service with that physical device. This can be a matter of deeming that particular new device trusted and under your control, and some corporate setups may use it as a way to constrain use of the service to devices they have control over.

Online services would have to support a number of authentication keys for the same username, with these associated with the different computing platforms an end-user is likely to use. Another expected requirement is to have one authentication key able to work across a vendor’s different operating systems, such as a mobile OS and a desktop OS. This is because vendors architect their mobile operating systems for battery efficiency while their desktop operating systems are maintained for performance.

Situations

Moving between devices or platforms

Apple TV 4th Generation press picture courtesy of Apple

.. as could the likes of connected-TV and set-top-box setups like the Apple TV

If you are moving your online life between devices of the same platform, the multi-device authentication would have all the platform-level authentication keys moved across, similar to what happens with a password vault app.

The Bluetooth authentication approach will come into play if you have devices of a different platform. But you have to have one of the devices still alive and in your possession for this to work properly.

What really may happen is that you use Bluetooth authentication to “enrol” other computing devices and have them seen as trusted devices once one or more of your devices support the necessary standards. Then, whichever one of them is still “alive”, such as your regular computer or your mobile-platform tablet, would be used to authenticate your replacement smartphone to your secure online circle, even if it was replacing a lost, stolen or damaged phone.

If you intend to completely move off a platform, you can simply delete from your online services all the credentials associated with that particular platform. This may be through account management options offered by the online service where you revise what platforms you are logged in from.

Multiple-platform setups

Most of us are likely to operate a multiple-platform setup for our online lives. This will typically range from an iPhone and a Windows or Macintosh computer through an Android phone, an iPad and a Windows computer.

Online services will be likely to keep, with your username, multiple sets of access credentials, one for each computing platform you are using. There will still be the ability to keep a platform-specific authentication key for your devices that run a particular platform along with another for a different platform.

Gaps yet to be filled

One gap that needs to be filled is software-to-software authentication like what is expected for email or document-contribution setups or even the Internet of Everything. Such setups typically rely on stored credentials to authenticate the user with their account on that service along with client software like email clients having continual access to that service.

This may have to be about adapting protocols like IMAP4 or XML-RPC to device-generated authentication credentials and supporting multiple sets of these credentials for one user account. This would be important where multiple client devices are being used for the same online service such as a smartphone and a laptop for an email service.

Conclusion

Even the common reality of users operating multiple devices, or using a highly-portable device like a smartphone as an authentication device, will not escape the goal of a password-free online-service future. Here it would primarily be about authenticating with a device-local PIN or your fingerprint.

Should videoconference platforms support multiple devices concurrently?

Zoom (MacOS) multi-party video conference screenshot

The idea of a Zoom or similar platform user joining the same videoconference from multiple devices could be considered in some cases

Increasingly, when we use a videoconferencing platform, we install the client software associated with it on all the computing devices we own. Then we log in to our account on that platform so we can join videoconferences from whatever device we have to hand and suits our needs.

But most of these platforms allow a user to use only one device at a time to participate in the same videoconference. Zoom extends on this by allowing concurrent use of devices of different types (smartphone, mobile-platform tablet or regular computer) by the same user account in the same conference.

But why support the concurrent use of multiple devices?

There are some use cases where multiple devices used concurrently may come in handy.

Increased user mobility

Dell Inspiron 14 5000 2-in-1 - viewer arrangement at Rydges Melbourne (Locanda)

especially with tablet computers and 2-in-1s located elsewhere

One of these is to assure a high level of mobility while participating in a videoconference. This may be about moving between a smartphone that is in your hand and a tablet or laptop that is at a particular location like your office.

It can also be about joining the same videoconference from other devices that are bound to the same account. This could be about avoiding multiple people crowding around one computing device to participate in a videoconference from their location, which can lead to user discomfort or too many people appearing in one small screen in a “tile-up” view of a multiparty videoconference. Or it can be about some people participating in a videoconference from an appropriate room like a lounge area or den.

Lenovo Yoga Tablet 2 tablet

like in a kitchen with this Lenovo Yoga Tab Android tablet

Similarly, one or more users at the same location may want to simply participate in the videoconference in a passive way but not be in the presence of others who are actively participating in the same videoconference. This may simply be to monitor the call as it takes place without the others knowing. Or it could be to engage in another activity like preparing food in the kitchen while following the videocall.

As far as devices go, there may be the desire to use a combination of devices that have particular attributes to get the most out of the videocall. For example, it could be about spreading a large videoconference across multiple screens such as having a concurrent “tile-up” view, active speaker and supporting media across three screens.

Or a smartphone could be used for audio-only participation so you can have the comfort of a handheld device while you see the participants and are seen by them on a tablet or regular computer. As well, some users may operate two regular computers like a desktop or large laptop computer along with a secondary laptop or 2-in-1 computer.

Support for other device types by videoconferencing platforms

.. or a smart display like this Google-powered Lenovo smart display

Another key trend is for videoconferencing platforms to support devices that aren’t running desktop-platform or mobile-platform operating systems.

This is exemplified by Zoom providing support for popular smart-display platforms like Amazon Echo Show or Google Smart Display. This is even though some of the voice-assistant platforms that offer smart displays do support videocall functionality on platforms owned by the voice-assistant platform’s developer or by one or more other companies they are partnering with.

Or Google providing streaming-vision support for a Google Meet videoconference to a large-screen TV via Chromecast. It is something that could reinvigorate videoconferencing on smart-TV / set-top box platforms, something I advocate so that many people, like a whole family or household, can participate in a videoconference from one end. This is once factors like accessory webcams, 10-foot “lean-back” user interfaces and the like are worked out.

It can also extend to the idea of voice-assistant platforms co-opting a smart speaker and a device equipped with a screen and camera to facilitate a videoconference. This could be either with you hearing the videoconference via the smart speaker or via the display device’s audio subsystem.

What can be done to make this secure for small accounts?

There can be security and privacy issues with this kind of setup, with people away from the premises but operating the same account being able to join a videoconference uninvited. Similarly, a lot of videoconferencing platforms that offer a service especially to consumers may prefer to offer this feature as part of their paid “business-class” service packages.

One way to make this kind of participation secure for a small account would be to use logical-network verification. This is to make sure that all devices are behind the same logical network (subnet) where multiple devices are to participate from the same account in the same videoconference. It may not work well with devices that have their own modem, such as smartphones, tablets or laptops directly connected to mobile broadband, or people plugging USB mobile-broadband modems into their computers. Similarly, it may not work with public-access or guest-access networks that are properly configured to stop devices discovering each other on the same network.

Similarly, device-level authentication, which could facilitate password-free login, can also be used to authenticate the actual devices operated by an account. A business rule could place a limit on the number of devices of any class operated by the same consumer account that are able to concurrently join a videoconference at any one time. This could realistically be taken to five devices, allowing for the fact that a couple or family may prefer to operate the same account across all the devices owned by the members of that group, rather than have members maintain individual accounts just bound.
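The two admission rules just described (same logical network, and a cap of five concurrent devices per account) can be combined into one check that a conference server would run when a further device under an account asks to join. This is an added example, not code from Zoom or any platform the article mentions; the function names, the /24 default and the sample addresses are constructed, and the subnet test is IPv4-only.

```javascript
// Added example (not from the article): admission check for a further device
// joining a conference under an account already present. Names, the default
// /24 prefix and all addresses are constructed for illustration.
const MAX_DEVICES_PER_ACCOUNT = 5;

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when both addresses fall in the same prefixLen-bit network.
function sameSubnet(a, b, prefixLen) {
  const mask = prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
  return (ipv4ToInt(a) & mask) === (ipv4ToInt(b) & mask);
}

// participants: [{ account, deviceId, ip }] already in the conference.
// candidate: the device asking to join. Returns { allowed, reason }.
function checkJoin(participants, candidate, prefixLen = 24) {
  const same = participants.filter((p) => p.account === candidate.account);
  if (same.some((p) => p.deviceId === candidate.deviceId)) {
    return { allowed: false, reason: "device already in conference" };
  }
  if (same.length >= MAX_DEVICES_PER_ACCOUNT) {
    return { allowed: false, reason: "per-account device limit reached" };
  }
  // First device for this account: there is nothing to compare the network against.
  // A phone on mobile broadband will fail this test, as the article notes.
  if (same.length > 0 && !same.every((p) => sameSubnet(p.ip, candidate.ip, prefixLen))) {
    return { allowed: false, reason: "not on the same logical network" };
  }
  return { allowed: true, reason: "ok" };
}
```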

Conclusion

The idea of allowing concurrent multiple-device support for single accounts when it comes to videoconference participation is worth considering. This can be about increased mobility or user comfort, or to cater for the use of newer device types in the context of videoconferencing.