Saltar al contenido

Apple joins industry efforts to remove passwords

Apple joins industry efforts to remove passwords

Apple has joined a real who is the technology vendors in the FIDO Alliance, which believes that standardized two-factor authentication is the way to go for connecting devices.

In a somewhat unusual move for Apple, the company has joined the Fast IDentity Online Alliance (FIDO), a group of authentication standards dedicated to replacing passwords with another faster and more secure way to connect to online applications and services.

Apple is among the latest technologies to join FIDO, whose members now include Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. The group also has more than a dozen financial services companies, including American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.

«Apple is rarely in the lead to join new organizations and often waits to see if it gains enough traction before joining. This is quite unusual for them, ”said Jack Gold, president and chief analyst at J. Gold Associates. «Apple often tries to present [sus] Own industry standards proposed for widespread adoption, but generally do not adopt true multi-vendor industry standards early on.

«FIDO has enough momentum now that I think Apple feels the pressure to join,» he said. «Especially in a cloud-based world, FIDO is a key authentication initiative that companies can’t really ignore.»

David Mahdi, senior director of security and privacy research at Gartner, said Apple’s move is noteworthy.

«It is a significant step in achieving a password-free world,» the Mahdi said. «Apple’s incorporation is a significant step.»

Established in 2012, FIDO’s goal is to drive two-factor authentication for services and applications, as passwords are inherently insecure. The investigation supports the group’s claim that 81% of all security breaches committed by hackers can be traced to stolen or weak passwords, according to the Verizon Data Violation Investigation Report.

«If you trust your username / email address and password, roll your dice when it comes to reusing passwords from other breaches or malware on your customers’ devices,» Verizon said in its report.

Together with the W3C, FIDO wrote and uses the Emerging Web Authentication API (better known as WebAuthn). The WebAuthn specification is already compatible, to varying degrees, with major browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. These browsers also support the creation of cloud credentials using a U2F symbol, which can use Bluetooth, NFC, or USB to provide two-factor authentication to online applications and services.

In 2018, Apple announced that it is adding «experimental» support for Safari’s WebAuthn protocol. In December, Apple added native support for FIDO-compatible security keys, such as those from Yubico and Feitian, that use the WebAuthn standard for Near Field Communication (NFC), USB, or Lightning in iOS 13.3.

«FIDO is like Bluetooth for authentication, which means we have various devices with features and functions that can be used to ensure authentication,» said Mahdi.

For example, the Mahdi said, mobile devices or laptops can use fingerprint readers or facial recognition technology to allow connection. Any of the technologies could be used for authentication, but without a common language, it was difficult to do and required proprietary drivers and software.

«As such, it was much more complex to reliably allow strong authentication,» the Mahdi said. «FIDO, like Bluetooth, allows application developers and security leaders who want to enable strong authentication (for example, in a mobile application or website) to cover a wide range of authentication methods that are available on devices with a minimum code [y sin tener que hacerlo preocuparse por muchos controladores propietarios] «.

In general, the FIDO specification means that digital services from banks, e-commerce sites and others can recognize users through their devices, rather than through usernames and passwords. For example, users can register for an online service, create a username, register their devices, and select a preferred authentication method (for example, finger, face, and / or PIN). No password would be needed, the Mahdi said.

How the FIDO specifications work

The FIDO specification works by allowing anyone who uses it to access an online application or service with a pair of public and private keys.

When a user signs up for an online service, such as PayPal, the authentication device (a server) creates a unique public / private key pair. The private key is stored on the user’s device, while the public key is associated with that device through the online service or application.

Authentication is performed by the client server by sending an electronic challenge to the user’s device. Client private keys can only be used after the user locks them locally on the device. Local unlocking is done through a secure action, such as a biometric reader (ie fingerprint scanning or facial recognition), entering a PIN code, speaking into a microphone, or inserting a secondary device.

U2F is an open authentication standard that allows Internet users to access it securely with a security key instantly and without the need for drivers or client software, according to FIDO member and authentication provider Yubico. FIDO2 is the latest generation of the U2F protocol.

In April last year, Google joined the Alliance as part of the creation of new online identity management tools. Google has added two-factor authentication through the FIDO specification for Android 7 and later devices.

Jamf, a multi-factor business authentication management software provider for the Mac platform, joined FIDO last month.

«Because we supported many of these multi-factor devices and different identity providers, it got complicated pretty quickly,» said Joel Rennich, director of Jamf Connect, an Apple Mac identity management and authentication product. «And I still had the problem that we had to have a password again. On the Mac, there’s no built-in way to support your user credentials without entering a password. However, Apple has a pretty solid smart card installation. «

Rennich said Jamf embraces the FIDO authentication protocol because it is «incredibly» secure and allows a lot of flexibility thanks to the industry’s extensive support. In particular, thanks to FIDO’s use of highly secure elliptic curve cryptography, the same one used by Apple Secure Enclave, Jamf can now use the technology to create enterprise-class access to the iPhone, for example.

«So we can use that hardware that is already in the device to work with FIDO protocols with minimal effort. … This has made development very rapid, ”Rennich said.

Although not yet delivered, Jamf has also created a virtual smart card that allows users to connect to Mac devices in the cloud using elliptically curved crypto association keys, in the same way as the FIDO specifications.

«We are not here to speak for Apple … but you can certainly see that I do a lot more work in this environment. I think it’s a solid foundation. It’s an excellent standard, «said Rennich. «We hope Apple will do more with it. But in the meantime, we hope to be able to log in to the login window with a FIDO authenticator for Mac. «