Posted on July 7, 2022
The article is available in the podcast here.
This is the latest news from Apple's big 2022 event: the company is launching its passkey service, which lets websites use the FaceID or TouchID biometric sensors for authentication. The goal is clear: to kill passwords.
But why would anyone want to kill passwords? Is it a Californian fad? Do the GAFAM have ulterior motives?
Who wants to kill passwords?
A website is used by thousands of users, and all their data is gathered together in one common storage space called the database. So, for each request, the server has to sort out in its database which data belongs to which user. But all user requests look the same!
That is why the user has to be authenticated before their data can be secured. Since the beginning of the Internet, we have used the password model we all know. When you register, you give your password to the site; that is the secret. Then, each time you come back, you must give this secret again.
Since only you know the secret, this technique lets the site authenticate you with certainty. Or almost… because over time we have realised that humans are quite bad at randomly generating a secret and remembering it. So we end up with users choosing weak passwords and reusing them on several sites.
You should know that a modern graphics card can try around 20 million passwords per second. So it can test all 200,000 words of a dictionary 100 times per second. Any password based on a dictionary word, including variations like
In theory, the password method seems ideal. In practice, user accounts are easy to hack, because the secrets humans come up with are not really secrets at all and can easily be found by a computer.
In the end, everyone wants passwords dead: software engineers, who end up with the security headaches; users, who are tired of forgetting and managing their passwords; and companies, which do not want security getting in the way of customer interactions, nor to have to report data breaches.
How else, then?
For several years now, the model based on something we know has been giving way to a new model based on something we have, which can take several forms.
Using a third-party account
This is the famous “Sign in with Google”. Authentication is delegated to Google, so you must have a Google account to authenticate. So we have one very secure Google account that is used to authenticate to other websites.
This system is very present on smartphones, especially at Apple with FaceID and TouchID. These sensors are already used to authenticate the user when unlocking their smartphone and within apps. Apple now wants to make websites accessible with passkeys.
Microsoft offers the Windows Hello solution to unlock a Windows PC with a fingerprint or face.
Single-use code
Today we also use authentication by e-mail or SMS. To prove that you own this e-mail address or this phone number, the website sends you a unique code, which you then have to copy into the login page.
FIDO USB key
Less well known but very practical, dedicated USB keys called FIDO keys let you authenticate online. You must plug your key into the computer when accessing the website. You can get the high-end original (YubiKey) or cheaper competitors.
Is it dangerous?
From a cybersecurity point of view, all of these methods significantly reduce the risk of being hacked through a password.
But if we look closely at the "something we have" model, we notice that our authentication now depends on an external service. With a password, only you and the website are involved in the authentication. Now a third-party service is needed as well.
When using “Sign in with…”, passkeys or Windows Hello, you rely on Google, Facebook, Apple or Microsoft every time you authenticate online. The same goes for receiving codes: you must keep your e-mail address and your phone number.
Only the USB key avoids this dependency: since the system is self-contained, it needs nothing but the website and you for it to work.
A world without passwords is nevertheless a better world for our online security. So the GAFAM, who manage and are responsible for billions of user accounts, have an interest in putting an end to passwords.
They should not be taken for choirboys, however: each of them is moving its pawns to push its own technology, so as to make the user more dependent on it.
So I recommend switching to codes by e-mail or SMS, in addition to a FIDO key. Since these methods are often available at the same time, we thus protect ourselves from over-reliance on our e-mail provider or telephone operator.