Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Is Helping Kill Passwords on a Billion Devices (wired.com)

Posted by msmash on from the how-about-that dept.

The FIDO Alliance -- a consortium that develops open source authentication standards -- has been pushing to expand its secure login protocols to make seamless logins a reality for several years. Today, it has hit the jackpot: Google. From a report: On Monday, Google and the FIDO Alliance announced that Android has added certified support for the FIDO2 standard, meaning that the vast majority of devices running Android 7 or later will now be able to handle password-less logins in mobile browsers like Chrome. Android already offered secure FIDO login options for mobile apps, where you authenticate using a phone's fingerprint scanner or with a hardware dongle like a YubiKey. But FIDO2 support will make it possible to use these easy authentication steps for web services in a mobile browser instead of laboriously typing in your password every time you want to log in. Web developers can now design their sites to interact with Android's FIDO2 management infrastructure.

5 of 123 comments (clear)

  1. No way to re-secure your body by Anonymous Coward · · Score: 5, Insightful

    Biometrics can be stolen or faked. But there's no way for the legitimate owner of that body to replace them when that happens.

    (posting this on the day my office is forcing a periodic password change on me)

  2. Re:You mean, like iPhone already does? by DontBeAMoran · · Score: 1, Insightful

    No, because your iPhone works with regular login forms.
    Which is, of course, the proper way to do it.

    --
    #DeleteFacebook
  3. Android is helping to spread pervasive tracking by sinij · · Score: 4, Insightful

    Corrected headline - Android is helping to spread pervasive tracking.

    User name and password is "something you know", and as such is not something that can be used without your explicit consent. Seamless login is "something you have", and since it is part of your phone, it doesn't require your explicit consent to be checked.

    Make no mistake, this is about removing what little anonymity is left from the Internet. FIDO standard is effectively a Real Name Only policy disguised as progress.

  4. I like my passwords... by b0s0z0ku · · Score: 4, Insightful

    I don't want to be dependent on a given device or ecosystem for using a website or an app, and I don't necessarily want to tie it to my identity via biometrics. I can make passwords arbitrarily complex, yet easy to remember, and even write them down in a little book (kind of hard to hack remotely).

    Password-less authentication isn't about security -- it's about control and LACK of security. Google wants to hold the keys to the city.

  5. Client certs are a UX nightmare by tepples · · Score: 4, Insightful

    One big difference between client certificates and U2F keys like this is that compared to a web browser's client certificate store, a U2F key is somewhat more hardened against attempts to copy out the private key. This lets a U2F key pass more tests for being "something you have."

    The other is that TLS client authentication have been a usability nightmare, particularly for non-technical users, in "all major browsers since the beginning of time itself."

    • No obvious button to "sign out" (use no client certificate) in order to retrieve a logged-out view of a resource or to switch between certificates associated with different user accounts.
    • Backing up certificates and moving them among devices isn't easy.
    • Certificates aren't associated to a domain. If the user uses the same certificate on all sites, this isn't quite as bad as sharing a password, but it does have the same cross-site tracking implications as third-party cookies. If the user uses a different certificate on each site, major browsers traditionally haven't helped the user figure out which certificate goes with each site

    Browser publishers haven't prioritized improving client certificate UX because of the low user base of client certificates. I've seen them on only two sites: StartCom (a defunct TLS CA) and Kount (an e-commerce fraud risk assessment platform).. But browsers could improve this UI in a few ways:

    • When a TLS site requests a client certificate, show a key icon in the location bar next to the TLS lock icon. This opens the certificate chooser. The user can click it again to log out.
    • Group certificates in the certificate chooser by the registrable domain* with which they were last used.
    • Let the user drag certificate files in and out of the certificate chooser.
    • Include client certificates in the browser's password sync feature.

    But good luck getting browser publishers to devote any time==money to this.

    *A "registrable domain" is a public suffix, as defined by Mozilla's Public Suffix List, plus one name part. If "co.uk" is a public suffix, for example, then "ebay.co.uk" is registrable.