For years everyone has wanted to kill it, and no one has managed to. Since computers have existed, the password has poisoned our daily lives: it has to be complex yet memorable, managed in dedicated software, changed regularly, never handed to anyone, and so on.
In 2018, the FIDO Alliance believed it had sounded the password’s death knell with the FIDO2 standard. It relies on a fairly sophisticated asymmetric-cryptography mechanism to do away with these cumbersome secret codes. But it never caught on, and the password is still very much alive. The Alliance now proposes a new standard, “Multi-device FIDO”, which has won the backing of the big three technology giants (Google, Apple, Microsoft). Here are five questions to understand what it is all about.
Why did FIDO2 fail?
On paper, FIDO2 is a great alternative to the password. A user who wants to log in to an online service must first register: their “authenticator” (browser, smartphone, smartwatch, etc.) generates a key pair, a private key and a public key. The public key is handed to the service provider; the private key never leaves the device. To log in, the service sends a random challenge, the authenticator signs it with the private key, and the service checks the signature with the public key it holds. That is all. The big advantages are that no password is needed and that the signature is bound to the site the browser is actually on, so a look-alike phishing site obtains nothing it could use.
The problem is that very few online services have implemented FIDO2. That is logical, because the registration process is too cumbersome. Since the generated private key is unique to each authenticator, the user has to register each device with each service separately. Yet people handle many different devices and replace them often. With three devices and twenty services, that theoretically means… 60 registration procedures! And each newly bought device means putting up with twenty new registrations. People quickly preferred a centralized cloud password manager: you fill it once and you are done.
What answer does FIDO Multi-device provide?
Two improvements should make FIDO technologies easier for the general public to use. The first is “roaming”, which allows FIDO authentication from a device on which nothing has been registered: the request is relayed over Bluetooth to a nearby registered authenticator, usually a smartphone, where the user approves the login. The advantage is that the user no longer has to register every device; in the end, one may be enough, provided, of course, that the systems are interoperable.
The second novelty is that private keys can be stored centrally with the vendor of the authenticator (i.e. of the smartphone). If the phone is lost, the user can restore their access without going through new registration procedures.
How can you be sure that the terminals will be interoperable?
Bluetooth roaming will be an integral part of the FIDO standard, so all systems that implement “Multi-device FIDO” will be interoperable by design. The good news is that Google, Apple and Microsoft have announced they will build this new authentication technology into their platforms, so we can hope that Android, Windows, iOS and macOS will all interoperate at the roaming level. That would cover almost the entire consumer computing market.
However, no date has been announced so far. Nor do we know whether service providers will finally decide to adopt FIDO on their side. That is not self-evident, as their platforms need to be adapted, and inertia is likely to be strong since it is a significant investment.
Is Multi-device FIDO as secure as FIDO2?
No. What is gained in ease of use is lost a little in security, because the two new features bring two new risks. From now on, users must trust the tech giants to protect their private keys. Storing them centrally also whets the appetites of criminals and intelligence agencies. How will Google, Apple and Microsoft store these private keys? Will they use end-to-end encryption, as most cloud password managers do? At the time of writing, we don’t know.
The second new risk is that the authentication procedure travels over Bluetooth, which creates a new attack surface. The Alliance plays this risk down. On the one hand, the exchange takes place in close proximity. On the other hand, the underlying FIDO protocol “does not depend on the security features of the Bluetooth procedure; instead, it uses standard cryptographic functions at the application layer to protect the data,” the consortium explains. In other words, a signature forged or altered in transit would simply fail verification at the service.
What happens when I change ecosystems?
This is likely to be the major drawback of the whole design: a priori, private-key backups will not be interoperable from one ecosystem to another. With Multi-device FIDO, the idea is to use your smartphone as the means of accessing all services, so in practice the private keys will be stored with either Google or Apple. But nothing indicates that there will be a gateway from one ecosystem to the other, and the FIDO side suggests the opposite. The day a user replaces an Android smartphone with an iPhone, they will probably have to re-register everywhere, a problem that does not exist with a password manager.