No more passwords? The “master keys” explained in three questions

No more passwords scribbled on a piece of paper? Apple, Microsoft and Google intend to replace them with passkeys (rendered in French as “clés d’accès”), a system that has been in the making for years.

iPhones gain passkey support on Monday, September 12, with the release of iOS 16, and Apple computers will follow in October with the arrival of macOS Ventura. Windows, for its part, can already exchange passkeys with iOS, and its publisher Microsoft says it intends to add the remaining passkey functionality soon. As for Google, the company wants to “allow developers to use” this technology on Android by the end of 2022. The stakes are high for users: the software from these three companies runs the vast majority of computers and smartphones in circulation.

The weaknesses of passwords are well known: many users choose passwords so simple that specialized software can guess them, reuse the same password across many services, or inadvertently hand them over to attackers when caught in phishing campaigns. Passkeys, which will be offered more and more often in place of the traditional password when creating an account on a site or in an application, are supposed to solve these problems. Here is how.

How do passkeys work?

With passkeys, to register for a service, an application or a site (a merchant, for example), you use a device that belongs to you: a smartphone, a computer or a tablet. At registration time, the device generates a pair of cryptographic keys, unique to that service. The private key never leaves the device; the public key is handed to the site or application, which stores it against your account.

Subsequently, on each login attempt, the service sends the device a kind of riddle, a random “challenge”, that only the holder of the private key can answer, by signing it. Before the device signs, the user must give approval and prove that they are indeed the owner of the device, for example by placing a finger on the fingerprint reader, presenting their face, typing a PIN or drawing an unlock pattern on the screen. The service then checks the answer with the public key it stored at registration. Because the answer is tied to that particular challenge and that particular service, a captured answer cannot be replayed, and a lookalike phishing site cannot make use of it.

Once the account is set up, the private key joins a keychain holding all the keys created for each service used, stored on the smartphone and, this is one of the great novelties, in an online storage space: Google Drive, Apple iCloud or Microsoft OneDrive, depending on the operating system on the device. The passkeys are therefore available to every device that shares the same ecosystem, for example a user’s iPhone, iPad and MacBook. They are held in an encrypted online space that no one but the user can open.

Can access keys be shared between Google, Microsoft and Apple?

Yes. Passkeys can be used across ecosystems, but unfortunately they do not sync automatically between the Apple, Microsoft and Google clouds. Each one has to be handled manually.

Consider someone who has signed up for a new service on their iPhone, which now stores the corresponding passkey. This person cannot log in to the same service on their Windows computer, since it does not belong to the same ecosystem and cannot receive the passkey through iCloud. Nor can they log in from a relative’s MacBook, even though it belongs to the same ecosystem, since that computer is signed in to a different iCloud account.

However, when the service’s website is opened on one of these computers, the user is offered a QR code to display, which is a kind of login request. They can then scan this QR code with the smartphone on which the passkey is stored. The smartphone automatically checks that the computer is physically nearby, over a Bluetooth wireless connection, to ensure that the request does not come from an attacker operating remotely. All that remains is for the user to approve the login, as in the procedure described above, for example by placing a finger on the fingerprint reader.

The QR code scenario applies every time the user needs to log in across two different ecosystems, for example a Windows computer with an Android phone, or an Android phone with a Mac.

For convenience, at the end of this procedure many services offer to create a new passkey for the computer that did not have one, so as to avoid repeating this laborious procedure at each login. Contacted by Le Monde, Google and Microsoft also confirm that they are working to open passkey management to third parties, such as password manager publishers like LastPass or Dashlane. These could store the passkeys in their own cloud and make them available across ecosystems.

What happens if my smartphone is lost, broken or stolen?

Unlike passwords, passkeys cannot be written down on paper, memorized in a corner of your head, or gathered in a password manager. They are locked in the encrypted memory of the smartphone, which is one more reason to carry this device with you at all times.

This can be inconvenient, for example, when you want to replace an Apple smartphone with an Android model (or vice versa). Before reselling the old smartphone, you must first transfer your passkeys to the new phone one by one, which promises to be complex and laborious. The inconvenience can be even greater if the smartphone is stolen or broken: if you have no other device in the same ecosystem as the lost one, you will not be able to recover the passkeys stored in the cloud. The only solution: request new passwords from dozens of customer services, proving your identity each time. An obstacle course.

Things would be easier if you could copy your entire set of passkeys from one ecosystem to another. “It’s a very active discussion right now,” acknowledges Andrew Shikiar, executive director of the FIDO Alliance, which coordinates this technology. But first a secure way to do it must be found, explains Arnaud Jumelet, a security expert at Microsoft France:

“One of the key security mechanisms of passkeys is that the user gives consent for each transfer, key by key. We want to prevent a virus from sucking up all the passkeys at once, and it will not be easy to find a technology that guarantees this while allowing the migration of an entire keychain.”

Finally, some services will continue to collect our email addresses and telephone numbers, in particular to be able to identify us should we lose our passkeys. According to Srinivasan Sampath, who leads several IT security projects at Google, many services will even continue to use passwords in the years to come. “But the more users use passkeys by default to identify themselves, the more passwords will be reserved for exceptional cases, which will systematically attract the attention of service administrators.” They will be able to devote all their attention to these particular cases.
