For years, Big Tech has insisted that the death of the password is imminent. For years, those assurances were empty promises. Password alternatives such as push notifications, OAuth single sign-on and trusted platform modules have introduced as many usability and security problems as they have solved. But now we are finally on the verge of a password alternative that will actually work.
The alternative is known as passkeys. Generically, the term refers to various schemes for storing authentication information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google and a consortium of other companies have united around a single passkey standard led by the FIDO Alliance. Passkeys are not only easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing and similar account takeover attacks.
On Monday, PayPal said US-based users will soon be able to log in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress.com as online services offering the password alternative. In recent months, Microsoft, Apple and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still patchy. For example, passkeys saved on iOS or macOS work on Windows, but the reverse is not yet available. In the coming months, however, all this should be cleared up.
What exactly is a passkey?
Passkeys work almost the same way as the FIDO authenticators that already let us use our phones, laptops, computers and Yubico or Feitian security keys for multi-factor authentication. Like the FIDO authenticators on those MFA devices, passkeys are invisible to the user and integrate with Face ID, Windows Hello or other biometric readers offered by device manufacturers. There is no way to retrieve the cryptographic secrets stored in the authenticator short of physically disassembling the device or subjecting it to a jailbreak or rooting attack.
Even if an adversary were able to extract the cryptographic secret, they would still have to supply the fingerprint, face scan or, where no biometric option exists, the PIN associated with the token. In addition, hardware tokens use FIDO’s cross-device authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify that the authenticating device is in physical proximity to the device trying to log in.
Until now, FIDO-based authenticators have primarily been used to provide MFA, short for multi-factor authentication, which requires someone to present a separate authentication factor in addition to the correct password. The additional factors FIDO offers usually take the form of something the user has (a smartphone or computer that contains the hardware token) and something the user is (a fingerprint, face scan or other biometric that never leaves the device).
So far, attacks against FIDO-compliant MFA have been rare. For example, a sophisticated credential phishing campaign that recently breached Twilio and other top-tier security companies failed against Cloudflare for one reason: unlike the other targets, Cloudflare used FIDO-compliant hardware tokens, which were immune to the phishing technique used by the attackers. The victims all relied on weaker forms of MFA.
However, where hardware tokens provide one or more authentication factors in addition to a password, passkeys do not rely on any password. Instead, a passkey combines multiple authentication factors, typically the phone or laptop and the user’s face scan or fingerprint, into a single package. Passkeys are managed by the device’s operating system. At the user’s option, they can also be synchronized via end-to-end encryption with the user’s other devices using a cloud service provided by Apple, Microsoft, Google or another provider.
Passkeys are “discoverable,” meaning that an enrolled device can automatically send one through an encrypted tunnel to another enrolled device that is trying to log in to one of the user’s accounts or apps. When logging in, the user authenticates with the same biometric, device password or PIN used to unlock their device. This mechanism completely replaces the traditional username and password and provides a much simpler user experience.
“Users no longer need to register each device for each service, which has long been the case for FIDO (and all public key cryptography),” said Andrew Shikiar, FIDO’s CEO and Chief Marketing Officer. “By allowing the private key to be securely synchronized across an operating system cloud, the user only needs to register once for a service and is then essentially pre-registered for that service on all of their other devices. This improves the end-user experience and makes it very significantly possible for the service provider to begin removing passwords as a means of account recovery and re-registration.”
Ars Reviews Editor Ron Amadeo summed it up nicely last week when he wrote: “Passkeys exchange WebAuthn cryptographic keys directly with the site. There is no reason for a human to tell a password manager to generate, store, and recall a secret. It all happens automatically, with much better secrets than the old text box supported, and with improved uniqueness.”
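The key exchange Amadeo describes, and the phishing resistance discussed earlier, both come down to one mechanism: the authenticator holds a private key bound to the site’s identifier, and it signs a server challenge together with the origin that asked for the login. The following Go model is an added example, not code from the article, the FIDO Alliance or any real passkey implementation; `example.com` and the lookalike domain are constructed, and the JSON and signing format are a simplification of WebAuthn, not its wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models a passkey device: discoverable credentials keyed by RP ID; private keys never leave it.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// RelyingParty is the site; it stores only the public key seen at registration.
type RelyingParty struct {
	ID     string // hypothetical, e.g. "example.com"
	PubKey *ecdsa.PublicKey
}

// clientData is what gets signed: requesting origin plus server challenge (simplified WebAuthn clientDataJSON).
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a P-256 key pair bound to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	if a.creds == nil { a.creds = map[string]*ecdsa.PrivateKey{} }
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert is the login step; the browser supplies the rpID of the page actually loaded, so a lookalike domain gets nothing.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (cd, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok { return nil, nil, errors.New("no passkey registered for " + rpID) }
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// Verify accepts an assertion only for the challenge this RP issued, for its own origin, and signed by the registered key.
func (rp *RelyingParty) Verify(challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != "https://"+rp.ID || string(c.Challenge) != string(challenge) {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(rp.PubKey, h[:], sig)
}
```

A login on the genuine site verifies; a lookalike domain receives no signature at all, and an assertion replayed with a stale challenge or signed for another origin is rejected even though the signature itself is valid.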