The end of passwords in 2023? How “access keys” work

Is the hassle of passwords about to end? The technology giants want to do away with this form of authentication, which remains the most widely used online despite its security weaknesses and the difficulty users have in keeping their passwords complex, up to date and different from one another so as not to be exposed to data leaks or hacking.

Apple, Google and Microsoft intend to replace them with “passkeys”, an online sign-in method meant to solve the problems of passwords. The three companies announced last spring that they would gradually support this common standard in their respective operating systems and browsers, allowing Internet users to sign in to their favorite online services without having to define, remember and manage their usual collection of passwords.

The three giants are building on the work of the FIDO Alliance (Fast IDentity Online), an industry association which, since 2012, has coordinated the development of new sign-in standards to overcome the excessive dependence on passwords on the Internet, favoring instead local forms of authentication such as biometric verification or drawing a pattern.

How “access keys” work

“Passkeys” are, in a sense, access keys. They are necessarily linked to the user’s main device. When registering with a service, merchant website or application, the user must use a device that belongs to them, because the verification process involves storing a private key locally.

Specifically, the user will have to start by defining on their smartphone how they want to identify themselves with their “passkey”: either through a multi-digit PIN code or a pattern to draw, or via biometrics (fingerprint or facial recognition). This method will then be used to sign in to online services without having to enter a password. Websites will simply ask users if they want to authenticate with their FIDO ID.

When you sign up for an online service, the smartphone creates two unique cryptographic keys specific to that service. The private key remains stored on the user’s device and the public key is shared with the service administrator. On each connection, the service will verify that the two keys match. But the user’s private key can only be used if they have unlocked it on their device with their secret code or their biometrics. Thus, even in the event of a data leak on the application publisher’s side, cyber criminals will not be able to exploit the stolen public keys.
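The registration and sign-in flow described above, as an added illustration that is not from the original article: a simplified Node.js model, not the actual FIDO/WebAuthn message format, in which the `Device` and `Service` classes, the `shop.example` identifier and the user name `alice` are hypothetical. It shows that the service stores only a public key, and that a replayed signature or a signature made with any other key is rejected.

```javascript
// Added illustration: simplified passkey model, not the FIDO/WebAuthn wire format.
// Device, Service, 'shop.example' and 'alice' are hypothetical names.
const nodeCrypto = require('crypto');

class Device {
  constructor() { this.keychain = new Map(); this.unlocked = false; }
  unlock() { this.unlocked = true; } // stands in for the PIN or biometric check
  register(serviceId) {
    // One key pair per service; the private key stays in the local keychain.
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keychain.set(serviceId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is shared
  }
  sign(serviceId, challenge) {
    if (!this.unlocked) throw new Error('device locked');
    const msg = Buffer.concat([Buffer.from(serviceId), challenge]);
    return nodeCrypto.sign('sha256', msg, this.keychain.get(serviceId));
  }
}

class Service {
  constructor(id) { this.id = id; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); } // no secret is stored here
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32); // fresh random value per sign-in
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    if (!challenge || !this.publicKeys.has(user)) return false;
    const msg = Buffer.concat([Buffer.from(this.id), challenge]);
    return nodeCrypto.verify('sha256', msg, this.publicKeys.get(user), signature);
  }
}

function demo() {
  const phone = new Device(), shop = new Service('shop.example');
  shop.enroll('alice', phone.register(shop.id));
  phone.unlock();
  const sig = phone.sign(shop.id, shop.newChallenge('alice'));
  const loginOk = shop.verify('alice', sig);
  shop.newChallenge('alice');
  const replayOk = shop.verify('alice', sig); // old signature, new challenge
  const other = new Device(); other.register(shop.id); other.unlock();
  const otherKeyOk = shop.verify('alice', other.sign(shop.id, shop.newChallenge('alice')));
  return { loginOk, replayOk, otherKeyOk }; // true, false, false
}
console.log(demo());
```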

A similar system is already offered by Apple with its Face ID facial recognition tool, which lets iPhone users enable facial scanning to access certain online services and accounts. The support of the three American technology giants for the FIDO scheme should allow this practice to spread on a larger scale, making life easier for users and strengthening computer security.

Once a “passkey” has been configured, the private key is added to a keychain that stores all the private keys created for the various services used on the user’s device. These keys can also be stored in secure online storage (iCloud from Apple, OneDrive from Microsoft or Google Drive) so that they are recognized on the different devices using the same account, or can be recovered if the device is lost. Apple, Google and Microsoft insist that the private keys are then stored in an encrypted space that cannot be opened except by the user.

“Access keys” are still far from widespread

Promising as they are, “passkeys” also have limits. They are not yet compatible from one ecosystem to another, and users may have difficulty renewing them if they switch to a device from a competing brand.

The rollout of “access keys” will be progressive. Apple opened up its iPhones and Mac computers to this new standard after its September keynote. Google has allowed Android developers to use “passkey” features since early December. And Microsoft recently announced that its Azure service will soon support passwordless logins. The announcements should multiply in the coming weeks.
