On Thursday, Google, Microsoft and Apple announced an agreement under the aegis of the FIDO Alliance (Fast Identity Online Alliance) to build a system allowing authentication on websites and mobile applications without a password. According to Google, the objective is to let users sign in to an online service simply by unlocking their smartphone with a fingerprint, facial recognition or a PIN code. “The new approach will protect against phishing and logging into a service will be radically safer than passwords and other technologies such as unique codes sent by SMS”, promises Apple. The system should be in place within twelve months.
Corinne Henin, a cybersecurity expert, explains for our newspaper what is behind this agreement and what it means for Internet users.
What do you think of Google, Microsoft and Apple’s decision to end passwords?
Corinne Henin: As long as passwords are an easy way in for hackers, ending passwords isn’t necessarily a bad thing. This is rather good news.
That said, it opens up a lot of debate, because they want to use everything that involves the use of biometric data as a protocol. You force people to go through a biometric system: what does that open up behind it? I do not really know.
Apple explains in its press release that password-only authentication is “one of the most important security issues on the web”. Is this actually the case?
Yes, it’s a security problem, especially since when you want to buy on a website, you are asked to create an account, then on another site you are again asked to create another… We multiply the passwords, and quite often users will put the same one everywhere. It only needs to be weak or end up in dark web databases for it to be used on all sites.
Even if you use a password that meets security standards, that is to say with lowercase and uppercase letters, numbers, special characters… A human being cannot remember so many complicated passwords. So they will either use the same one or simple but different passwords.
The goal is for users to be able to log in simply by unlocking their smartphone. Is it safe?
If you don’t get your phone hacked, then it will be safe, because it’s based on crypto: it’s a private element that will allow you to be identified. Basically, it’s as if you had the key and they had the padlock and it’s only if the two elements are together that it works.
What is the interest for these web giants?
They use their dominant position, since they represent 95% of the smartphone and computer market, to force the passage of this standard. They may also think that it would be good to stop with all these problems of hacked accounts, it gives them bad press. Or they want to show they care about their users.
This system will be implemented within 12 months. In the meantime, what are the tips for protecting your password?
What I advise is to use a password manager that you will unlock with a single password to remember or a file, and it is the manager that contains all your different passwords.
There are also USB keys that have long passwords on them: if you plug one into your computer and press it, it sends the passwords to the computer.