When will we get rid of passwords?

On February 25, Google introduced a new feature in Android that has the potential to greatly impact our online security. The company announced that all devices running Android 7.0 or later are now FIDO2 certified and can be authenticated without a password. Suddenly, millions of Android users around the world found that they each had a security key in their pocket. And this key has the potential to one day send passwords into the past, and with them all their attendant problems and vulnerabilities.

Passwords are the main way to keep our digital lives safe, but they are getting worse at this task. Most people reuse the same easily guessed words and phrases over and over, and the underlying technology itself is vulnerable to a wide range of attacks. All that is required of an attacker is to convince you that a particular website or email is from your bank or some other online service, so that you reveal your password (a so-called phishing attack) and the attacker gains access to your account.

But thanks to the FIDO2 standard, the system can change. Instead of typing a string of characters (or having a password manager or browser do it for you), you authenticate with a security key or biometric reader, such as a fingerprint sensor. Previously, most of these keys existed in the form of USB sticks or Bluetooth dongles, but according to Google, your Android smartphone can perform the same authentication as a security key. Using your smartphone as a security key means you don't need to remember anything and information won't be intercepted.

The standard has the potential to completely replace passwords, and Google is actively working to bring that future to fruition. “In the world we'd like to see, you don't even need to authenticate with a traditional password, say,” says Stephen Soneff, product manager at Google. “If you’ve already logged into your phone, this can be used as a 'bridge' to the next device where you want to log in through your Google account, and you don’t even need a username for your Google account.”

To offer this authentication method, websites use a portion of the FIDO2 standard called WebAuthn, an open protocol endorsed by the World Wide Web Consortium (W3C) in early March. The list of supporting sites is small but growing: Dropbox added support last May, Microsoft joined in December, and Google supported WebAuthn as of April 10th. To be able to log in using this standard, your browser must also support WebAuthn, although Chrome, Edge, Firefox and Safari have already started doing this.

However, only one of these sites actually uses the FIDO2 standard to completely eliminate passwords. Microsoft's integration allows you to use either Windows Hello or a physical security key as the only thing you need to log into your account. At the same time, Google and Dropbox use WebAuthn as an extra layer of security alongside the traditional password or code generator app to authenticate with your smartphone. Not that this is bad. After all, WebAuthn is a safer way to pass the second stage of authentication, since it cannot be phished the way a six-digit code can, but the full potential of the feature remains untapped.
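
Why a WebAuthn response resists the phishing that defeats a six-digit code, as an added example (not from the original article or from any company named in it): the browser writes the page's origin into clientDataJSON and the site checks it. RP_ORIGIN, the function names and all sample values are constructed; verification of the authenticator's signature is assumed to happen separately.

```javascript
// Added illustration; RP_ORIGIN and all function names are hypothetical.
const RP_ORIGIN = 'https://login.example.com'; // constructed relying-party origin

// What a browser produces during navigator.credentials.get(): the page
// cannot choose the origin field, the browser fills it in itself.
function browserClientData(pageOrigin, challengeB64url) {
  const json = JSON.stringify({
    type: 'webauthn.get',
    challenge: challengeB64url,
    origin: pageOrigin,
  });
  return Buffer.from(json, 'utf8');
}

// Relying-party checks on clientDataJSON. Verifying the signature over
// authenticatorData || SHA-256(clientDataJSON) is assumed to be done
// elsewhere; that signature is what stops these bytes being rewritten.
function verifyClientData(clientDataBytes, expectedChallenge) {
  let data;
  try {
    data = JSON.parse(clientDataBytes.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data.type !== 'webauthn.get') return { ok: false, reason: 'wrong type' };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== RP_ORIGIN) return { ok: false, reason: 'origin mismatch: ' + data.origin };
  return { ok: true, reason: 'accepted' };
}

// A six-digit code carries no origin: the server can only compare digits.
function verifyOtp(submitted, expected) {
  return submitted === expected;
}

// Constructed scenario: the same login attempted via a look-alike page
// and via the genuine page.
function relayScenario() {
  const challenge = Buffer.from('constructed-challenge-0001').toString('base64url');
  const lookalike = 'https://login-example.test'; // constructed look-alike origin
  return {
    otpViaLookalike: verifyOtp('492817', '492817'),
    webauthnViaLookalike: verifyClientData(browserClientData(lookalike, challenge), challenge),
    webauthnGenuine: verifyClientData(browserClientData(RP_ORIGIN, challenge), challenge),
  };
}
```

The code typed into the look-alike page still verifies, while the WebAuthn response produced there is rejected with an origin mismatch.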

Most companies are not yet ready to ditch passwords altogether. Soneff says Google is committed to achieving a password-free future, but cannot promise when this functionality will arrive.

When Dropbox first announced its support for WebAuthn last year, it said that “By leveraging WebAuthn for two-factor authentication, the balance is right for most users right now.” When asked for comment, the company's chief security officer, Rajan Kapoor, said: “We hope that one day passwords will no longer be the only or even a priority method of authentication.” However, he added: “There are a number of usage and implementation issues that need to be addressed for passwords to fail.”

Now that every modern Android device has achieved FIDO2 certification, Dropbox's compliance levels seem less of a problem. However, there is still work to be done on the usability of the technology. For example, what happens if you lose your authentication device? The recovery mechanism is a tricky one, and according to Soneff, Google is looking at a number of ways to solve it. “The recovery mechanism is often the weakest link in attacks,” he says. “This will be a key challenge in the case of large-scale recovery.”

There is also a difficulty with the iPhone. FIDO2 authentication cannot become ubiquitous until smartphones from Apple can be used as security keys along with their Android counterparts. Yes, technically websites can ask iPhone users to use separate hardware security keys, such as USB devices from Yubico, but Soneff thinks the high price tag of a specialized device means that this type of security key is unlikely to be used by anyone other than corporate users.

Obviously Apple is also interested in getting rid of passwords. The company already allows you to use an Apple Watch to log in to your Mac, and rumor has it that this functionality will be expanded in the future. Apple is well aware of the shortcomings of passwords, and it is clearly working on how to get rid of them. But it is clearly more comfortable solving the problem within its closed ecosystem than adopting a common industry standard such as FIDO2.

Brett McDowell of the FIDO Alliance declined to answer a question about the possibility of Apple devices receiving FIDO2 certification. He said adding FIDO2 functionality does not require certification. It is, after all, an open standard. He stated that certification is an “opportunity” for vendors to be confident that their product can interoperate with others in the market and meet the standard. In other words, “certification is optional”.

But even when the technology itself is completed, passwords are unlikely to disappear completely. McDowell is confident that passwords will continue to exist alongside FIDO2 authentication for a “significant period of time,” just as phones now allow the use of a PIN as an alternative to biometric authentication. You can unlock the device by fingerprint in 99% of cases, but your PIN remains available at any time.

“User habits and the marketplace will make the password exotic, but that exotic will have to be sustained for a long time,” McDowell says. “Over time, the market will simply show that the password is less and less attractive, viable and effective.”

