Another Step Toward a Password-Free Future

It seems most here have misunderstood the significance of this development. Rather than you supplying a secret (e.g. a password) to the other party to identify yourself, you just give them a public key. It doesn’t matter if a hacker somehow obtains your public key because it’s useless without the corresponding private key, which always stays on your devices. That’s a big change because people traditionally have used weak passwords and it eliminates the problem of having passwords stolen when a company’s systems are breached.

When your device needs access to the private key, that’s when FaceID, TouchID, etc., come into play. On your phone, you’ll likely still be able to use your passcode to give access, just like the way ApplePay works now, and on your Mac or PC, you’ll probably be able to use your password to unlock your keychain. Those are just implementation details.

Right now, I can use TouchID on my Mac to log in to Apple’s websites if I’m using Safari. If I’m using Brave or Firefox, I can’t. To get into my Fastmail account, I could use a Yubikey if I’m on Firefox or Brave but, until recently, I couldn’t with Safari. The current situation is a mess. Apple, Microsoft, and Google are hoping to make the more secure authentication method work seamlessly across systems, devices, and browsers so that people will actually use it.

The companies would be shooting themselves in the foot if they put in unnecessary obstacles which slowed adoption. I highly doubt Apple would require the use of FaceID or TouchID since that would be a showstopper for a lot of people.

4 Likes
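The registration and login flow the post above describes, as an added example that is not part of this thread and not Apple’s, Google’s, Microsoft’s or the FIDO Alliance’s code. It is a simplified model of the FIDO2/WebAuthn pattern, not a conforming implementation: the site name, user name and the exact bytes that get signed are assumptions, Ed25519 stands in for whatever algorithm a real authenticator negotiates, and the `Unlock` call stands in for Face ID, Touch ID or a passcode. Besides the honest login it runs three attacks, so you can see why a stolen public key, a phishing site and a captured assertion all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the service keeps after registration: a public key and
// the last signature counter it saw. Nothing here is secret.
type Credential struct {
	PublicKey ed25519.PublicKey
	SignCount uint32
}

// RelyingParty stands in for the web service. A breach of its user store
// leaks only public keys, which cannot be used to log in anywhere.
type RelyingParty struct {
	ID    string                 // site identity, "example.com" below (assumed)
	creds map[string]*Credential // keyed by user name
}

// Register stores a public key; the client may send it in the clear.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.creds[user] = &Credential{PublicKey: pub}
}

// Challenge returns fresh random bytes for one login attempt; never reused.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData is what both sides agree to sign: H(site id) || counter || H(challenge).
// Binding the site id is what defeats phishing: a signature made for a
// look-alike site does not verify at the real one. (Layout is an assumption.)
func signedData(siteID string, count uint32, challenge []byte) []byte {
	site := sha256.Sum256([]byte(siteID))
	ch := sha256.Sum256(challenge)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	out := append([]byte{}, site[:]...)
	out = append(out, cnt[:]...)
	return append(out, ch[:]...)
}

// Verify checks one login assertion and enforces a strictly increasing counter.
func (rp *RelyingParty) Verify(user string, challenge []byte, count uint32, sig []byte) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(cred.PublicKey, signedData(rp.ID, count, challenge), sig) {
		return errors.New("bad signature")
	}
	if count <= cred.SignCount {
		return errors.New("counter did not increase: replay or cloned key")
	}
	cred.SignCount = count
	return nil
}

// Authenticator models the user's device. The private key never leaves it and
// is only used after local user verification (Face ID, Touch ID, passcode).
type Authenticator struct {
	priv     ed25519.PrivateKey
	count    uint32
	unlocked bool // set by the biometric/passcode gate, which the browser cannot bypass
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge for the site the browser says it is talking to.
func (a *Authenticator) Sign(siteID string, challenge []byte) (uint32, []byte, error) {
	if !a.unlocked {
		return 0, nil, errors.New("user verification required")
	}
	a.count++
	return a.count, ed25519.Sign(a.priv, signedData(siteID, a.count, challenge)), nil
}

// Scenario runs one honest login and three attacks and returns each outcome
// (nil means the service accepted the login).
func Scenario() (legit, phish, replay, forge error) {
	rp := &RelyingParty{ID: "example.com", creds: map[string]*Credential{}}
	dev := NewAuthenticator()
	rp.Register("alice", dev.PublicKey()) // registration: only the public key travels
	dev.unlocked = true                   // user passed Face ID / Touch ID / passcode

	// 1. Honest login.
	ch := rp.Challenge()
	n, sig, _ := dev.Sign(rp.ID, ch)
	legit = rp.Verify("alice", ch, n, sig)

	// 2. Phishing: a look-alike site relays the real challenge, but the device
	//    signs for the origin it actually sees, so the real site rejects it.
	ch = rp.Challenge()
	n, sig, _ = dev.Sign("examp1e.com", ch)
	phish = rp.Verify("alice", ch, n, sig)

	// 3. Replay: a captured good assertion is resubmitted against a new challenge.
	ch = rp.Challenge()
	n, sig, _ = dev.Sign(rp.ID, ch)
	_ = rp.Verify("alice", ch, n, sig)
	replay = rp.Verify("alice", rp.Challenge(), n, sig)

	// 4. Stolen public key: the attacker holds it but cannot produce a signature.
	ch = rp.Challenge()
	forge = rp.Verify("alice", ch, n+1, make([]byte, ed25519.SignatureSize))
	return
}

func main() {
	legit, phish, replay, forge := Scenario()
	fmt.Println("honest login:", legit)
	fmt.Println("phished:", phish)
	fmt.Println("replayed:", replay)
	fmt.Println("forged with stolen public key:", forge)
}
```

The counter check is the part people forget: it is what lets the service notice a cloned private key, because two copies of the same key produce overlapping counter values. Real WebAuthn also carries the origin inside signed client data and the relying-party ID hash inside the authenticator data; the single `signedData` blob here collapses both into one layout for readability.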

I think you are missing that people do not like all the arm-twisting to adopt technologies that aren’t ready or right for them.

1 Like

What arm twisting?

Like the time I didn’t want to use two-factor authentication but Apple forced me into using it to get out of some situation and then it was impossible to undo. The above mention of computers being tied to phones. Apple’s ongoing history of annoying tactics to get users to upgrade software (and hardware I might add). The writing is on the wall and the tone of the comments is wary for good reason.

I had the first phone with touch-id and I wasted many hours trying to get it to work. Scanned my fingers countless times and finally gave up because it never even improved. After trying the same on a later phone or two with supposed improvements, I fared no better. I don’t expect to ever waste my time on this again. As long as I have a choice - but choice isn’t guaranteed.

1 Like

I believe the issue is that you’ll likely have no choice. Like the addition of 2FA, this change will increase security for all of us. The big tech companies had issues with hackers impersonating users, so they added security steps like 2FA to prevent us from losing control of our accounts. And keeping passwords secure from hackers is an added cost that these companies I’m sure would love to set aside at some point.

Unfortunately, moaning and groaning about it won’t stop it from happening if (when?) this goes forward. These companies and then every other online service likely won’t give you a choice not to participate, especially over time. Over the great long-term trying to hold onto older hardware and OSes goes only so far - just as one example, at this point it’s getting impossible for anyone with a phone older than an iPhone 6 to continue using it, since the carriers are dropping or have dropped the 3G networks those phones used for phone calls.

I’m guessing that something like FIDO won’t be a required change at first. But it’s probably a good idea to know that this change is coming.

(And I remain interested in knowing how they’ll solve the problem of someone traveling with only a phone and then losing it and replacing it, or even somebody whose only device is a phone who needs to replace it - how will Apple/Google allow that person to re-establish their account without a device with them that already has a keychain? That’s an “implementation detail” I’m interested in seeing detailed before this goes forward.)

4 Likes

Time magazine says delivery drones were supposed to be on the job in 2018 (Whatever Happened to Amazon's Drone Delivery Service? | Time) in an article they published last year. Self-driving cars without steering wheels or brake pedals were supposed to be in commercial use by now as well.

The Time article is fairly optimistic about eventually having delivery drones, but I suspect the reality will be limited use in limited environments. Looking at the situation with autonomous cars, which I have written about, truly driverless cars can’t be used everywhere all the time. The near future is cars that can drive themselves on well-maintained limited-access highways (GM has designated about 200,000 miles of such highways in North America that meet their standards) but that’s less than 10% of all the public roads in the US alone. Driving on city streets, rural unpaved roads (about 1.2 million miles of the latter in the US), or through construction zones is a much harder problem. Managers who don’t understand technology fooled themselves into thinking they could scale demos into safe and cost-effective products usable by everyone.

There’s always a choice. A simple flip phone is one of those choices, one I’m prepared to take.

On this topic, what does “FIDO” mean? I could find no definition for what I assume is an acronym in Adam’s article or anywhere on the organization’s web site.

Here’s an acronym and a couple names that “FIDO” needs to understand in order to meet its stated goals:

DoD
Medicare
Social Security

What’s happening in those areas?

Fast IDentity Online

1 Like

Thanks. Turns out that Apple’s press release on this topic contains the same definition and brief description of FIDO (as a footnote).

Something I don’t understand about this proposal is that it sounds like a downgrade in security. It’s clearly an improvement for the people who use secr3T! as their password on every site, but for those of us using a password manager to supply a unique 30-character random set of alphanumeric+symbol passwords to each account, if someone gets your computer password or phone passcode, they have access to everything. Am I misunderstanding how this will work?

Apparently. If someone has your computer password or phone passcode today, they have access to everything using Keychain, so it’s identical to the current situation.

4 Likes

Well, of course I meant if you continue to want to use online services as they move to a solution like this. Not using them is always a choice, but you can continue to not use them with an iPhone or Android phone going forward.

1 Like

Well, not a password manager app probably. You still have a separate authentication with that.

2 Likes

As @ddmiller says, not if you’re using a third-party password manager. I guess you can argue that it’s only consolidating two passwords into one, but I still feel like it’s a regression security-wise, especially as most phone passcodes are just digits, whereas password manager passwords are likely to be stronger.

One can only hope that Apple, Google, Microsoft, et al., will provide a way to revoke the sync of FIDO cryptographic keys for a lost device. In the case of Apple, perhaps it will be as simple as revoking a device as a trusted device from another device, as can be done now, so that all iCloud Keychain items can be revoked from the device.

Because FIDO keys are only used when the device is connected to the internet, perhaps Apple and Google will prevent any device from authenticating a nearby computer using CTAP attempting to log in if the phone is in airplane mode.

1 Like

I have no idea how FIDO is going to do this, but I do something similar with SSH on my various computers.

I use the OpenSSH software on a Linux PC to generate a public/private key pair. Actually, I’ve created two - one for personal use and one for work.

I upload the appropriate public key to each system I want to access via SSH. This includes computers at home and servers at work.

I keep the private keys to myself, but I do copy them to my other computers. My employer’s computers have the work keys. My personal computers have the personal keys.

When I try to access a site using SSH (e.g. via the slogin command), the two systems use the keys for authentication and I never provide a password.

If I feel that I need to replace keys for some reason, I can generate a new public/private key pair. Then I go to each of the computers I access and replace the public key with a different one. Once every system using the original key has been replaced, I can blow away the corresponding private key (or keep it around, just in case I later find out that I didn’t upgrade everything).

I do have to keep track of my private keys. If they get lost, then I will need another mechanism (e.g. password + 2FA) to log in so I can replace the public keys with newly-generated ones. If the remote site doesn’t provide a mechanism, then it could be a long annoying support session with the site’s owner to prove my identity in order to install a replacement public key. This is why I have them on multiple computers and I keep a printout in a file cabinet at home for use as a last resort. (SSH uses a text-encoded representation for the files.)

I assume FIDO is going to be doing something similar, but somehow automating the key-pair generation and synchronization work so ordinary users don’t need to know what’s going on under the covers.

And it will be very interesting to know what kind of recovery options they define. If you need to use password+2FA or an e-mail reset code, then you’re not really any more secure than today.

2 Likes
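The SSH workflow in the post above (generate a pair, install the public half on each server, then retire the old key), as an added example in Go that is not from the post or from OpenSSH. The authorized_keys contents, user names and key comments are constructed for the example. It builds the ssh-ed25519 public-key line and the `SHA256:` fingerprint exactly as `ssh-keygen -lf` prints them, using the RFC 4251 wire format OpenSSH documents, and then rotates a key by fingerprint rather than by comment, since comments are free text and easy to get wrong. It does not write the private half in OpenSSH’s private-key file format; in practice you would still run `ssh-keygen -t ed25519` for that and only script the authorized_keys side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// wireString encodes an SSH "string": uint32 big-endian length + bytes (RFC 4251).
func wireString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// PublicKeyBlob is the binary form OpenSSH base64-encodes for ssh-ed25519 keys:
// string "ssh-ed25519" followed by string <32 raw key bytes>.
func PublicKeyBlob(pub ed25519.PublicKey) []byte {
	return append(wireString([]byte("ssh-ed25519")), wireString(pub)...)
}

// AuthorizedKeyLine renders a key as it appears in ~/.ssh/authorized_keys.
func AuthorizedKeyLine(pub ed25519.PublicKey, comment string) string {
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(PublicKeyBlob(pub)) + " " + comment
}

// Fingerprint matches `ssh-keygen -lf`: SHA-256 of the blob, base64 without padding.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// fingerprintOfLine parses one authorized_keys entry back to its fingerprint.
// Returns "" for comments, blank lines and anything that is not ssh-ed25519.
// Simplification: options before the key type are skipped field by field, so a
// quoted option containing a space (e.g. command="a b") is not handled.
func fingerprintOfLine(line string) string {
	f := strings.Fields(line)
	if len(f) < 2 || strings.HasPrefix(f[0], "#") {
		return ""
	}
	for i := 0; i+1 < len(f); i++ {
		if f[i] == "ssh-ed25519" {
			blob, err := base64.StdEncoding.DecodeString(f[i+1])
			if err != nil {
				return ""
			}
			return Fingerprint(blob)
		}
	}
	return ""
}

// Rotate appends newLine and drops every entry whose fingerprint is oldFP,
// leaving other users' keys and comment lines untouched. It returns the new
// file text and how many entries were removed (0 means the old key was not
// installed here, which is worth noticing before you delete the private half).
func Rotate(authorizedKeys, oldFP, newLine string) (string, int) {
	var kept []string
	removed := 0
	for _, l := range strings.Split(strings.TrimRight(authorizedKeys, "\n"), "\n") {
		if l == "" {
			continue
		}
		if fingerprintOfLine(l) == oldFP {
			removed++
			continue
		}
		kept = append(kept, l)
	}
	kept = append(kept, newLine)
	return strings.Join(kept, "\n") + "\n", removed
}

// mustKey makes a fresh pair and keeps only the public half, which is all a
// server ever sees; the private half would stay in ~/.ssh on the client.
func mustKey() ed25519.PublicKey {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub
}

// Rotation replays the post's procedure against a constructed authorized_keys
// file and returns what changed, so the result can be checked.
func Rotation() (updated string, removed int, oldFP, newFP string) {
	oldPub, colleaguePub, newPub := mustKey(), mustKey(), mustKey()
	oldFP, newFP = Fingerprint(PublicKeyBlob(oldPub)), Fingerprint(PublicKeyBlob(newPub))

	// Constructed for this example; not a real server's file.
	file := "# work server, constructed example\n" +
		AuthorizedKeyLine(oldPub, "me@laptop-2019") + "\n" +
		AuthorizedKeyLine(colleaguePub, "colleague@desktop") + "\n"

	updated, removed = Rotate(file, oldFP, AuthorizedKeyLine(newPub, "me@laptop-2024"))
	return
}

func main() {
	updated, removed, oldFP, newFP := Rotation()
	fmt.Printf("retired %s (%d entries), installed %s\n%s", oldFP, removed, newFP, updated)
}
```

Keying the removal on the fingerprint is the practical point: it is the same string `ssh-keygen -lf ~/.ssh/id_ed25519.pub` prints on your workstation and `ssh-add -l` prints for loaded keys, so you can confirm you are deleting the entry you think you are on each server before discarding the old private key.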

Which is stored in my Keychain or TouchID on my iDevices.

1 Like

I think you need to consider the big picture. From How FIDO Addresses a Full Range of Use Cases:

While this may not always meet the bar for use cases that require, say, AAL3, it is a huge improvement in security compared to passwords: each of the referenced platforms apply sophisticated risk analysis, and employ implicit or explicit second factors during authentication, thus giving AAL2-like protections to many of their users. This shift from letting every service fend for themselves with their own password-based authentication system, to relying on the higher security of the platforms’ authentication mechanisms, is how we can meaningfully reduce the internet’s over-reliance on passwords at a massive scale.

3 Likes