For years, the scourge of Internet users was spam, tsunamis of spam that converged from all sides to pour into our mailboxes. But while spam is on its way out, another scourge has taken over: passwords, whose number keeps growing with the galloping dematerialization of our societies. These passwords that we are asked for at every step on the Internet, whether to log in to basic online services (social security, bank, insurance, telecoms, doctor, transport, travel, etc.), to social networks, to our various email accounts, or to online apps for work and leisure, abound, and everyone has to cobble together their own little emergency solution (a mnemonic system such as AujourdhuiA-N@ntes-ilfaitB3au!, and/or a paper or digital list) so as not to forget a single one, on pain of ending up locked out.
And that’s just what Grahame Williams, director of identity and access management at Thales, pointed out yesterday on World Password Day, when he said that passwords « became more and more dangerous » because they were « easily hacked »:
« Recent research shows that many CEOs still use ‘12356’ as their password. »
Indeed, the other big problem is security: the danger of having your account hacked, or even all of your accounts, and of no longer being able to access your data, or of being held to ransom for it. When it is not outright identity theft lying in wait… In short, a heavy daily mental load to manage, and a security injunction that exceeds human capacity. Because, literally overwhelmed in their cognitive capacities, Internet users then resort to passwords that are too easy to guess, or even reuse the same ones everywhere to simplify their lives… and, in so doing, the lives of crooks of all stripes lying in ambush.
According to an older study (2016) by Skyhigh Networks analyzing 11 million passwords offered for sale on the Darknet, 10.3% of Internet users use one of the 20 most popular passwords on the Internet. That means that in fewer than 20 tries, anyone could hack nearly one in ten accounts.
Shock alliance to lighten and secure the use of the Internet
But, good news a priori: the Internet giants Google, Apple and Microsoft took advantage of World Password Day, Thursday, May 5, to announce that they were joining forces to put an end to this ordeal. The press release published from Mountain View, Google’s stronghold, announces that the three giants will build a system allowing authentication without having to memorize a series of cabalistic signs.
The new feature will enable websites and apps to offer consumers consistent, secure and easy passwordless logins across all devices and platforms.
« With the new feature, consumers will be able to authenticate to websites and mobile applications easily, without passwords and securely, regardless of device or operating system », summed up the FIDO Alliance (Fast Identity Online Alliance) in a press release.
FIDO is the linchpin of this technological revolution: an alliance of manufacturers working to improve, facilitate and secure digital authentication. FIDO was officially launched in February 2013, but it was founded a year earlier, in 2012, by an alliance of major players such as PayPal, Validity Sensors (these two being the original core, formed in 2009 around public-key cryptography issues), Lenovo, Nok Nok Labs, Infineon and Agnitio. It was in 2012 that work began on a passwordless authentication protocol.
Since then, hundreds of technology companies and service providers around the world have worked through the FIDO Alliance and W3C to create the passwordless login standards that are already supported by billions of devices running all modern operating systems and web browsers (iOS, macOS, Safari, Chrome, Android, Edge, Windows, etc.), according to the FIDO press release.
Billions of devices… for billions of users: according to the Live Stats website, there are today 5.3 billion Internet users in the world. The number of Internet users multiplied by 10 between 1999 and 2013, and keeps accelerating (1 billion Internet users in 2005, 2 billion in 2010, 3 billion in 2014).
« FIDO identifiers » to authenticate on all platforms
In yesterday’s press release, Google explains that the goal is for users to be able to log in to an online service simply by unlocking their smartphone (via their usual method: fingerprint, facial recognition, multi-digit code, etc.).
Concretely, a website can ask the Internet user whether they want to “authenticate with their FIDO identifiers”. This message will appear simultaneously on their phone, where the user need only accept, by unlocking the screen, to be logged in to the site. Smartphones will hold these cryptographic identifiers, called « passkeys » (access keys). Once registered with FIDO, there will no longer be any need to create or enter a password.
The promise is that FIDO authentication will be accessible regardless of operating system or browser, and regardless of device, since it will be possible to set up a new device via Bluetooth using a first device that already holds the credentials. It will also no longer be necessary to use two-factor authentication by SMS, which has been deemed obsolete since… 2016.
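To show why the flow just described (site sends a request, phone unlock approves it, no password ever typed) is also the reason FIDO is called phishing-resistant, here is a simplified model of a passkey login written for this article. It is an added illustration, not code from the FIDO Alliance or from any of the three companies, and it is not the real WebAuthn wire format: it models the relying party (the website), the authenticator (the unlocked phone) and the challenge-response between them, with the private key scoped to the site’s domain. The domain names and the 16-byte credential handle are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the unlocked phone that holds passkeys. Each private key is
// scoped to the relying-party ID (the site's domain) it was created for and never leaves the device.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

// RelyingParty models the website. It stores only public keys and outstanding challenges,
// so a breach of its database yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID         string                      // the site's domain, e.g. "bank.example" (constructed)
	publicKeys map[string]*ecdsa.PublicKey // credentialID -> public key
	challenges map[string][]byte           // credentialID -> challenge awaiting a response
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates a fresh P-256 key pair bound to the site's ID and hands only the public
// half to the site. The credential ID is a random 16-byte handle (constructed, hex-encoded).
func (a *Authenticator) Register(rp *RelyingParty) (credID string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	a.keys[rp.ID] = priv
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	credID = hex.EncodeToString(raw)
	rp.publicKeys[credID] = &priv.PublicKey
	return credID, nil
}

// BeginLogin issues a fresh random challenge; a fixed challenge would allow replay.
func (rp *RelyingParty) BeginLogin(credID string) ([]byte, error) {
	if _, ok := rp.publicKeys[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[credID] = c
	return c, nil
}

// signedMessage is what the phone actually signs: the origin the browser reports the user is
// on, plus the challenge. Binding the origin into the signature is what defeats phishing.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Assert is the "unlock your phone to approve" step. The browser supplies the origin the page
// was really loaded from; the phone only uses a key registered for that exact origin.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q; refusing to sign", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, challenge))
}

// FinishLogin verifies the signature with the stored public key over the challenge it issued
// and its own ID. A signature produced for a look-alike domain will not verify here, and each
// challenge is accepted at most once.
func (rp *RelyingParty) FinishLogin(credID string, sig []byte) bool {
	pub, ok := rp.publicKeys[credID]
	challenge, pending := rp.challenges[credID]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, credID) // single use
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// LoginFlow runs one login end to end: rp issues a challenge, the phone signs it for the
// origin the browser is on, and rp checks the result.
func LoginFlow(rp *RelyingParty, auth *Authenticator, credID, origin string) bool {
	challenge, err := rp.BeginLogin(credID)
	if err != nil {
		return false
	}
	sig, err := auth.Assert(origin, challenge)
	if err != nil {
		return false
	}
	return rp.FinishLogin(credID, sig)
}

func main() {
	bank := NewRelyingParty("bank.example") // constructed domain
	phone := NewAuthenticator()
	credID, _ := phone.Register(bank)
	fmt.Println("genuine login:", LoginFlow(bank, phone, credID, "bank.example"))    // true
	fmt.Println("look-alike site:", LoginFlow(bank, phone, credID, "bank-example.com")) // false
}
```

The two failure modes worth noticing: the phone refuses outright when the page’s origin has no registered key, and even a signature the phone did make for a look-alike domain is rejected by the genuine site because the domain is part of what was signed. Neither depends on the user spotting the fake, which is the property SMS codes lack.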
A solution arriving fast, within twelve months
The three technology giants have committed to implementing this new system within twelve months, on Android and iOS (the mobile operating systems of Google and Apple), on Chrome, Edge and Safari (the browsers of Google, Microsoft and Apple) and on Windows and macOS (the Microsoft and Apple operating systems for computers).
« Authentication with only passwords is one of the biggest security issues on the web », Apple notes in its statement, which adds:
« The new approach will protect against phishing, and logging in to a service will be radically safer than passwords and other technologies such as one-time codes sent by SMS. »
For Andrew Shikiar, Executive Director and CMO of the FIDO Alliance, « This new capability should usher in a new wave of low-friction FIDO implementations alongside the continued and growing use of security keys, giving service providers a full range of options to deploy modern, phishing-resistant authentication. »
(with AFP and Reuters)