Tag: online services

Articles

You can use security keys as a second factor for authenticating with Apple ID on your iPhone

iOS 16.3 Lets You Use a Physical Key for Added Security When Logging Into Your Apple Account (gizmodo.com.au)

Apple iOS 16.3 arrives with support for hardware security keys (bleepingcomputer.com)

Security Keys Are Now the Best Way to Protect Your Apple ID (lifehacker.com.au)

From the horse’s mouth

Apple

Apple advances user security with powerful new data protections (Press Release)

About Security Keys for Apple ID (Support article)

Use security keys to sign in to your Apple ID account on iPhone (Support article)

My Comments

Apple is making it feasible to use hardware security keys in iOS as an authentication factor for their Apple ID logon.

This is being desired as a “phish-proof” approach for secondary authentication or sole authentication due to a physical device not being easily coerced or fooled. As well, this “machine-to-machine” approach allows for stronger passkeys.

It is even seen as a preferred secondary authentication factor for online services used by journalists, human-rights defenders, the public service within democracies and others working with high-stakes information. This avoids such users being fooled in to releasing their online accounts to highly-targeted spear-phishing attacks.

Apple supports this on iPhones and iPads through the iOS/iPadOS 16.3 major feature update. This is also being written in to MacOS Ventura 13.2 for the Apple Mac regular computers whereupon you just use the security key as the secondary authentication factor. They primarily implement this as an alternative secondary authentication means to transcribing a six-digit number shown on your iPhone when it comes to two-factor authentication for your Apple ID.

In the context of the Apple Watch, Apple TV and HomePod devices, you use your iPhone that you set up with the security key authentication to provide the secondary authentication factor when you set these up for your Apple ID. Here, this is easier for limited-interface devices because another device is managing some of the authentication work with your Apple ID.

FIDO-compliant hardware security keys are supported with this update but they have to have an MFi Lightning plug or NFC “touch and go” interface to work with the current crop of iPhones in circulation. USB-C is also supported but you would need a USB-C to MFi Lightning adaptor for iOS devices except newer iPads that have this connector. You also may find that newer iPhones that are to come on the market soon will have the USB-C connector due to pressure from the European Union and some other jurisdictions.

There will be a requirement to set up two hardware keys with the same iOS device when you implement this feature. This is so you have a backup key in case the one you lose the one you regularly use or that one is damaged such as being laundered with your clothes.

Add to this that support does exist for app-level or Website-level verification with security keys within iOS. But it may allow Apple to build in and refine the necessary application-programming interfaces for third-party app developers who want to support this form of authentication.

What I see at least is the implementation of hardware security keys in the mobile platform context when it comes to multi-factor or password-free authentication for the user’s primary platform account. Who knows when Google will offer this feature for Android. Could this also be about leading towards the use of hardware security keys as a hardening factor for user account security?

Article

Cloudflare is intending to replace CAPTCHA authentication on Web forms with …

CAPTCHAs May Soon Go Extinct (gizmodo.com)

From the horse’s mouth

Cloudflare

Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness (cloudflare.com)

My Comments

The CAPTCHA is being used as a means to prevent spam emails or comments on Websites or to assure that people who register in an online context are real people.

But these measures, typically ranging from transcribing letters or identifying objects, can be very frustrating for many people. This is caused by hard-to-read or small letters or instructions relating to object identification being difficult to understand on a language or cultural context. As well, some of these CAPTCHAs don’t work well for mobile setups like smartphones which is increasingly the common way to use the Internet. That leads to abandoned registrations or online-shopping carts or people not joining in to online services for example.

you scanning your fingerprint on your flaptop’s fingerprint scanner or you entering your device’s PIN code to prove that a person is entering the data

CloudFlare are working on a different approach to authenticating the personhood of a device user without resorting to letters to transcribe or objects to identify. Initially they are using USB security keys for this purpose but are moving towards full WebAuthN implementation for this purpose.

This approach will work with WebAuthN-capable browser and operating-system setups and work in a similar vein to password-free authentication for online services using that technology. This will require you to enter your device PIN, use face recognition or use the fingerprint reader, operate a USB security key or an authenticator app on your smartphone to prove your personhood, as if you are enrolling in to an online service that implements WebAuthN technology.

The success or failure of the WebAuthN test will simply allow you to submit that form or not on the Website. The logic won’t cause any extra identifying factors to be stored on the online service’s server under default setups. But it may store a device-local cookie to record success so as to treat the session as authenticated, catering towards data revision approaches in wizard-based forms or long data-entry sessions.

A question I would have with this CloudFlare approach is how it can work with computing setups that don’t support WebAuthN. This will also include shared computing setups and public-access computers where the use of this kind of authentication may not be practicable for a single session.

But Cloudflare’s effort is taking WebAuthN further as a way to prove that a real person rather than a robot is actually operating an online account in a manner that is universal to abilities, languages and cultures.

You soon may not need to remember those passwords to log in to the likes of Facebook

The traditional password that you use to authenticate with an online service is in the throes of losing this role.

This is coming about due to a lot of security risks associated with server-based passwords. One of these is for us to use the same password across many online services, leading towards credential reuse and “stuffing” attacks involving “known” username/password or email/password pairs. As well, the password is also subject to brute-force attacks including dictionary attacks where multiple passwords are tried against the same account. It also includes phishing and social-engineering attacks where end-users are tricked in to supplying their passwords to miscreants, something I had to rectify when an email account belonging to a friend of mine fell victim to phishing. This is facilitated by users creating passwords based on personal facts that work as aide-memoires. Passwords can also be stolen through the use of keyloggers or compromised network setups.

Managing multiple passwords can become a very user-unfriendly experience with people ending up using password-vault software or recording their passwords on a paper ore electronic document. As well, some applications can make password entry very difficult. Examples of these include connected-TV or games-console applications where you pick each character out using your remote control’s or game controller’s D-pad to enter the password.

You will be able to set your computer up to log you in to your online services with a PIN, fingerprint or other method

The new direction is to implement passwordless authentication where a client device or another device performs the authentication role itself and sends an encrypted token to the server. This token is then used to grant access to the account or facilitate the transaction.

It may be similar to multifactor authentication where you do something like enable a mobile authenticator app after you key in your online service’s password. But it also is very similar to how a single-sign-on or social-sign-on arrangement works with the emphasis on an authenticated-session token rather than your username and password as credentials.

The PIN will be authenticated locally nd used to enable the creation of a session token for your online service

There will be two key approaches which are centred around the exchange of an asymmetric key pair between the client and server devices.

The first of these will be the primary client device like your laptop computer or a smartphone that you are using the online service on. Or it can be a secondary client device like your smartphone that is holding the private key. You authenticate with that device using a device-local PIN or password or a biometric factor like your fingerprint or face.

The same holds true for your Android or other smartphone

The second will involve the use of a hardware token like a FIDO2-compliant USB or Bluetooth access key or an NFC-compliant smart card. Here, you activate this key to pass on the credentials including the private key to the client computer for your online session.

It is being facilitated through the use of FIDO2, WebAuthN and CTAP standards that allow compliant Web browsers and online services to implement advanced authentication methods. At the moment, Windows 10 is facilitating this kind of login through the use of the Windows Hello user-authentication functionality, but Android is in the process of implementing it in the mobile context.

There is effectively the use of a form of multifactor authentication to enable the cryptographic key pair between the client and server devices. This is based around the device you are using and the fact you are there to log in.

The fingerprint reader on this HP Elitebook and similar laptops will become more important here

If the authentication is to take place on the primary client device like a laptop or smartphone, the device’s secure element like a TPM module in a laptop or the SIM card in a smartphone would be involved in creating the private key. The user would enter the device-local PIN or use the fingerprint reader to enable this key which creates the necessary session token peculiar to that device.

On the other hand, if it is to take place on a secondary device like a smartphone, the authentication and session-token generation occurs on that device. This is typically with the user notified to continue the authentication on the secondary device, which continues the workflow on its user interface. Typically this will use a Bluetooth link with the primary device or a synchronous Internet link with the online service.

The online service has no knowledge of these device-local authentication factors, which makes them less likely to be compromised. For most users, this could be the same PIN or biometric factor used to unlock the device when they switch it on and they could use the same PIN across multiple devices like their smartphone or laptop. But the physical device in combination with the PIN, fingerprint or facial recognition of that user would be both the factors required to enable that device’s keypair and create the session token to validate the session.

A hardware token can be in the form of a USB or Bluetooth security key or a NFC smart card. But this device manages the authentication routines and has private keys kept in its secure storage.

There will be the emphasis around multiple trusted devices for each service account as well as the same trusted device supporting multiple services. Some devices like hardware tokens will have the ability to be “roaming” devices in order to do things like enabling a new device to have access to your online services or allow ad-hoc use of your services on shared equipment such as the public-use computers installed at your local library. They will also work as a complementary path of verification if your client device such as a desktop PC doesn’t have all the authentication functionality.

Similarly, when you create a new account with an online service, you will be given the option to “bind” your account with your computer or smartphone. Those of us who run online services that implement legacy-based sign-in but are enabled for passwordless operation will have the option in the account-management dashboard to bind the account with whatever we use to authenticate it with and have it as a “preferred” authentication path.

Some of the passwordless authentication setups will allow use with older operating systems and browsers not supporting the new authentication standards by using time-limited or one-use passwords created by the authentication setup.

Questions that will arise regarding the new passwordless Web direction is how email and similar client-server setups that implement native clients will authenticate their sessions. Here, they may have to evolve towards having the various protocols that they work with move towards key-pair-driven session tokens associated with the particular service accounts and client devices.

There will also be the issue of implementing this technology in to dedicated-purpose devices, whether as a server or client device. Here, it is about securing access to the management dashboards that these devices offer, which has become a strong security issue thanks to attacks on routers and similar devices.

IT WILL TAKE TIME TO EVOLVE TO PASSWORDLESS

Article

The European Union will make steps towards a secure-by-design approach for hardware, software and services

Smarthome: EU führt Sicherheitszertifikate für vernetzte Geräte ein | Computer Bild (German Language / Deutschen Sprache)

From the horse’s mouth

European Commission

EU negotiators agree on strengthening Europe’s cybersecurity (Press Release)

My Comments

After the GDPR effort for data protection and end-user privacy with our online life, the European Union want to take further action regarding data security. But this time it is about achieving a “secure by design” approach for connected devices, software and online services.

This is driven by the recent Wannacry and NotPetya cyberattacks and is being achieved through the Cybersecurity Act which is being passed through the European Parliament. It follows after the German Federal Government’s effort to specify a design standard for routers that we use as the network-Internet “edge” for our home networks.

There will be a wider remit for EU Agency for Cybersecurity (ENSA) concerning cybersecurity issues that affect the European Union. But the key issue here is to have a European-Union-based framework for cybersecurity certification, which will affect online services and consumer devices with this certification valid through the EU. It is an internal-market legislation that affects the security of connected products including the Internet Of Things, as well as critical infrastructure and online services.

The certification framework will be about having the products being “secure-by-design” which is an analogy to a similar concept in building and urban design where there is a goal to harden a development or neighbourhood against crime as part of the design process. In the IT case, this involves using various logic processes and cyberdefences to make it harder to penetrate computer networks, endpoints and data.

It will also be about making it easier for people and businesses to choose equipment and services that are secure. The computer press were making an analogy to the “traffic-light” coding on food and drink packaging to encourage customers to choose healthier options.

-VP Andrus Ansip (Digital Single Market) – “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”

What the European Union are doing could have implications beyond the European Economic Area. Here, the push for a “secure-by-design” approach could make things easier for people and organisations in and beyond that area to choose IT hardware, software and services satisfying these expectations thanks to reference standards or customer-facing indications that show compliance.

It will also raise the game towards higher data-security standards from hardware, software and services providers especially in the Internet-of-Things and network-infrastructure-device product classes.

Spotify login screen with option to login using Facebook

A trend that is being associated with online services or applications is to provide “social sign-on” for new and existing users of these services. This is based around the concept of single sign-on where you use one set of credentials verified by one service to authenticate with one or more other services. This time, the credential pool that is used for authenticating users is your membership with a social network like Facebook or Twitter. The expression is sometimes extended to cover other authentication-data pools like Microsoft’s authentication services associated with Outlook.com/Hotmail, Windows 8 or XBox; or Google’s authentication services used for GMail and YouTube.

TripAdvisor webpage with social sign-on and personalisation from Facebook

In a social sign-on arrangement, your credentials are held and tested at the social-network’s servers and both the online service and the social network create a unique “token” or “key” to link and authenticate your presence on these services. The common methods that these services use are based around the OAuth or OpenID protocols used for single sign-on across multiple services.

Social sign-on concept diagram – relationship between the social network and online service

As well, your social attributes (name, birthdate, etc) that you have stored on the social network’s servers would be copied in to your account on the online service when this account is being provisioned. You will know about this when your social network pops up a screen asking you whether to allow the online service to gain access to your details held at the social network.

Advantages

There are some key advantages with using a social sign-on setup.

One is to benefit from a simplified provisioning process for your online service. This is without the need to key in the same data across multiple services. It also includes use of a pre-authenticated email address which is considered of high value with forums, commenting facilities and the like because most social networks especially Facebook, Google and Microsoft implement strong measures to combat fraudulent identities.

We also benefit because there are fewer sets of credentials to remember. As well, if a social network implements improved user-security measures like multifactor authentication or “trusted-device” operation, this flows on to the online service we use.

Some of the online services also can provide a personalised experience such as granting you birthday wishes on your birthday, including making those “special birthdays” such as the “big zeros” or the 21sts highly special.

Disadvantages

The disadvantages that can occur include weak links in the authentication protocols and a total dependence on access to and the security of a particular social-network account.

This also encompasses situations where a workplace or school may implement measures to shut out access to social networks in the name of productivity or an oppressive regime may shut out access to the popular social networks to curtail free speech. This can limit access to the online service because of its dependence on the social network.

How can it be operated properly

To assure users of their privacy, a social sign-on setup needs to identify any attributes that it is obtaining from a social network and give the user consent to obtain the attributes. As well, the login procedure should allow for one to create a login that is independent of a social network whether in conjunction with a social-network presence or not.

Similarly, the concept of social sign-on could be exploited by social networks and other authentication services to support simple-but-secure login for living-room applications. This is, from my experience, something that needs to be worked on because such devices require a lot of “pick-and-choose” data entry using a remote control’s D-pad to enter user credentials for online services. As well, many different users are likely to use the same living-room device.

Article

Keeping your details up to date when you move location may not be difficult

Moving houses can leave you disconnected | The Australian

My Comments

You may be moving house or business location for one of many different reasons but one common mistake many people make especially with their online life is not to factor it in when you do your move. This can lead to problems and customer-support calls when you have established yourself in your new location.

Your communications services

As soon as your move is imminent, make sure that your utilities including your communications services are set up to be connected and enabled at the new address by the day you move. If you can, make sure that you can keep the existing service going at your old address for the weeks that are bracketing the date of your move.

You may have to identify which of the communications services you can carry with you when you are moving. If this is a short move that is happening across town, you may be able to use the same services but longer-distance moves may require you to change operators. This is more so when you are moving in to an area where your current operator doesn’t have a footprint or cannot provide the service with the same level of continuity as before.

Your mobile phone may be a strong ally here

During the first week of your arrival at your new premises, you may have to spend some time “tweaking” your Wi-Fi network so that it is not clashing with your neighbours’ Wi-Fi networks. Here, you would have to change the channels that the router and/or access points work on, but you don’t have to change your SSID or security parameters.

Online services

As part of your move, you would be updating your contact details with your employer, your bank, the electoral registry, the taxman and similar organisations. But you may also need to manage other details like cloud-based storage services, online subscriptions and similar services. This may, for some services like social networks, require you to update your current physical address, email address or telephone numbers.

Some of these services may have particular dependencies like your email address or telephone number, especially for verification or authentication purposes. Here, they may allow you to supply multiple email addresses as “alternate” addresses and you can make use of this through the weeks or months that are bracketing your move date. As well, services that use an email address rather than a username as the login parameter may allow you to maintain this address as the login parameter even though you have changed email addresses.

Skype can serve as a temporary telephone service

If your service is dependent on an email address, you may have to supply an email address that isn’t related to a fixed Internet service for the duration of the move. This can be an address related to a Website you create, your workplace’s email address if you work for the same employer or simply a Webmail address like Gmail.com or Outlook.com (formerly Hotmail) . This is important if the fixed Internet service doesn’t operate in the territory you are moving into or you simply want to use your move as an excuse to change Internet-service operators.

If your service is dependent on a phone number, you may need to associate it with a currently-operating mobile phone number. Here, you may be able to add your mobile number to the phone numbers associated with the service or replace any defunct numbers with your working mobile or VoIP number.

For that matter, Skype offers an inbound VoIP service for an extra cost so you can allow people to contact you on your Skype account and software by dialling the equivalent of a landline number that is in a locality of your choosing. But some localities like Germany may make this difficult to preserve the integrity of their landline numbering plan.

Other issues you may look at include the feasibility of having your email and phone calls diverted to your new phone number or email address or, in the case of an email mailbox associated with a fixed broadband provider, keeping that mailbox open for as long as possible independent of you maintaining the broadband service. Depending on the service provider, this may be provided for a modest fee or for free especially if you are moving or your premises is undergoing renovations.

Special cases

Moving to temporary accommodation

What if you have to move to a hotel or similar location as part of a temporary move?

Some of you may be moving to temporary accommodation like a friend’s home, a short-term rental or a hotel for a significant time. This may be due to various reasons like major repairs or renovations taking place on your home, a project that is part of your work or until you find permanent accommodation when you move in to a new area.

Here, you may have to see if you can gain access to your fixed broadband service’s mailbox or simply shift your mailbox over to a geographically-independent email service like a Webmail or workplace/business account. You could then implement your mobile or VoIP service as the phone number for your online services and use this to receive all your calls.

Some hotels and similar locations may support inbound direct dial to the room’s phone, typically with a standard phone number that has the room number as the last digits. Here, it is worth asking the Front Desk in these places about whether these places offer this service and the number you need to give out. This will play its part as a specific landline number for the duration of your temporary stay there and can work with those services that can work with landline voice services.

Moving overseas

Another special case would be to move to another country. This ma be typically due to work or similar placements or the desire to simply emigrate somewhere else.

This is more about uprooting all your online services. Here, you may have to establish a mobile service in your destination country with a number local to that place and use this as your primary phone service. This can be facilitated with various “SIM-only” plans that most of the local providers have.

As well, you would have to use the geographically-independent email mailbox as your email address. Here, you can keep most of the cloud-based services going using the email address, and you can implement app-based two-factor authentication for those online services that rely on your mobile phone number as the second factor if they support app-based authentication.

Conclusion

When you move between locations, you need to make sure you can move your digital life. This includes having an email address or phone number that you can gain access to through the move associated with your online services and updating your details with these services so you can gain access to them at all times.

As well,it is also about making sure you have continual access to your communications and Internet services whether through the previous provider or a newer provider.