Tag: password-free authentication

FIDO Alliance closer to password-free authentication

Article

Facebook login page

FIDO Alliance could be having us move off passwords when we use online services

FIDO Alliance says it has finally killed the password • The Register

From the horse’s mouth

FIDO Alliance

Charting an Accelerated Path Forward for Passwordless Authentication Adoption – FIDO Alliance

My Comments

The FIDO Alliance and WebAuthN groups are moving towards a password-free authentication approach for online services. This is based around a device-local private authentication key associated with your username for that online service that is only released when you enter your device PIN / screen-unlock code or scan your fingerprint or face where your device supports it. A corresponding public key is stored in the user’s account record on the online service’s servers and used to “test” the private key to complete the user-verification process.

Samsung Galaxy Tab Active 8" business tablet press picture courtesy of Samsung

The smartphone will end up as a key authentication device especially if you sign in with your fingerprint or face

But there is a problem associated with the reality that most of us own multiple computing devices. This can typically manifest in us owning a smartphone, a mobile-platform tablet like an iPad and/or a regular desktop or laptop computer. There is also the fact that most of us will end up owning “connected-TV” equipment be it a smart TV, set-top device or games console that is a gateway to online video services. Or we may even end up using various smart-home platforms including Amazon Echo or Google Home.

The problem also includes lifecycle issues associated with today’s devices such as acquiring a new device or replacing a broken, lost or stolen device. Or it could include where one is using another device on a temporary basis like using a friend’s computer or a computer at a hotel business centre.

Then there is the issue of phishing even with multifactor authentication because there is no way of identifying whether a user is signing in to the real online service or not.

Solutions

Bluetooth as a means for authentication

Logitech MX Anywhere 3 mouse on glass table near laptop

Or you could authenticate online services from a laptop’s fingerprint reader or your smartphone

One factor being examined is the use of your smartphone as a roaming authentication device. Part of what will be looked at is using Bluetooth LE as a machine-to-machine link between the device you are signing in from and your phone to conditionally release online-service authentication keys.

This avoids you entering a one-time-password in to a phishing site for example because you are not transcribing information in to a site. The Bluetooth functionality is also about device proximity – your smartphone is close to the device you want to sign in from.

I also see the Bluetooth link appealing to client devices that have limited user interfaces like connected-TV devices, printers and the Internet Of Things. It avoids the need to log in to your online service to transcribe a “binding code” to use it with connected-TV devices or, at worst, “hunt and peck” a username and password to associate it an online service.

It will also support bare-bones provisioning to new devices irrespective of the platform such as when you, as an iOS or Android mobile-platform user, want to set up you Windows laptop to work with your online services.

As well, it could come in to its own with temporary-use scenarios like shared computers or equipment installed in places like hotels. It could even include adding one’s online video service account to smart TVs or set-top devices installed in hotels, holiday home or common rooms for temporary use.  I could even see this earn its keep as an alternative to cards for authentication at kiosk-type setups like ATMs.

Multi-device authentication

The multi-device approach would be on the likes of Apple, Google and Microsoft coming to the party. This is because it would be based on device operating systems and associated cloud-driven account services like Apple ID (MacOS, iOS, tvOS), Google Account (Android, ChromeOS) and Microsoft Account (Windows, XBox).

In some cases, it may extend to device vendors or other entities who run their own cloud-driven account services and want them as the login of choice for your online world. Even account services typically managed by businesses or education establishments could become “primary” account services typically for large fleets of organisation-owned devices.

Amazon Echo Show 10 press image courtesy of Amazon

Even smart displays like the Amazon Echo Show 10 could be in on the action

This approach would have the operating system create and use the authentication key and store these with your account on the cloud-driven account service. It would come in to its own if you are adding a device that works with the same platform as what you were using, for example onboarding an iPad to the same Apple ID as your iPhone.

The system can distinguish between an extant device and a newer device through another device-bound authentication key that underscores that you are authorised to use the service with that physical device. Here, it can be about deeming that particular new device as trusted and under your control or some corporate setups may use it as a way to constrain use of the service to devices they have control over.

Online services would have to support a number of authentication keys for the same username with these associated with different computing platforms an end-user is likely to use. As well, another requirement that would be expected is to have one authentication key able to work across a vendor’s different operating systems such as a mobile OS and a desktop OS. This is due to vendors architecting their mobile operating systems for battery efficiency while the desktop operating systems are maintained for performance.

Situations

Moving between devices or platforms

Apple TV 4th Generation press picture courtesy of Apple

.. as could the likes of connected-TV and set-top-box setups like the Apple TV

If you are moving your online life between devices of the same platform, the multi-device authentication would  have all the platform-level authentication keys moved across similar to what happens with a password vault app.

The Bluetooth authentication approach will come in to play if you have devices of a different platform. But you have to have one of the devices still alive and in your possession for this to work properly.

What really may happen is that you may use Bluetooth authentication to “enrol” other computing devices and have them seen as trusted devices once one or more of your devices support the necessary standards. Then, whichever one of them that is “alive” like, per se, your regular computer or your mobile-platform tablet would be used to authenticate your replacement smartphone to your secure online circle even if this was to replace a lost, stolen or damaged phone.

If you intend to completely move off a platform, you can simply delete from your online services all the credentials associated with that particular platform. This may be through account management options offered by the online service where you revise what platforms you are logged in from.

Multiple-platform setups

Most of us are likely to operate a multiple-platform setup for our online lives. This will typically range from an iPhone and a Windows or Macintosh computer through an Android phone, an iPad and a Windows computer.

Online services will be likely to keep with your username, multiple sets of access credentials for each computing platform you are using. There will still be the ability to keep a platform-specific authentication key for your devices that operate a particular platform along with another for a different platform.

Gaps yet to be filled

One gap that needs to be filled is software-to-software authentication like what is expected for email or document-contribution setups or even the Internet of Everything. Such setups typically rely on stored credentials to authenticate the user with their account on that service along with client software like email clients having continual access to that service.

This may have to be about adapting protocols like IMAP4 or XML-RPC to device-generated authentication credentials and supporting multiple sets of these credentials for one user account. This would be important where multiple client devices are being used for the same online service such as a smartphone and a laptop for an email service.

Conclusion

Even the common reality of users operating multiple devices or using a highly-portable device like a smartphone as an authentication device will not escape the goal of a password-free online-service future. Here it would primarily be about authenticating with a device-local PIN or your fingerprint

Windows 10 to benefit from the FIDO authentication standards

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key and this can impair the user experience you have during the login. It is because of you having to make sure that the client-side software is running properly and you use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to raise with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication for situations like word-processors being used to upload blog posts or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor such as a smart lock that has just been used with your electronic key; or allow a card like a SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail.

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.