Yesterday, the FIDO Alliance published a new white paper describing future authentication technologies. In collaboration with the W3C WebAuthn working group, it will bring two features that should break our dependence on classic passwords.
The organization wants to standardize the use of a smartphone as a security key that approves a login on a computer or other device via Bluetooth.
At the same time, it will allow the stored credentials to be synchronized so that they can be transferred easily between devices. FIDO anticipates that synchronization will take place at the level of a higher-level account (Apple / Google / Microsoft ID), or that Bluetooth will be used universally so that data can be transferred between the platforms of different companies.
We already have similar functions today. An Android phone can be used as a portable key to sign in to a Google account: it passes the credentials via Bluetooth to a computer running Chrome or another compatible browser. And when it comes to synchronization, Apple has already taken a step forward: it can transfer stored credentials between iOS 15 and macOS Monterey through iCloud.
Safe and simple at the same time
The goal of the FIDO Alliance is therefore to combine the security of hardware tokens (USB / NFC keys such as the Yubikey or GoTrust Idem) with the convenience of classic passwords. A smartphone is an ideal tool because almost everyone owns one.
It will be resistant to phishing, because it does not transmit passwords or one-time codes that would have to be typed in somewhere, and it also communicates with the computer via Bluetooth, which in principle almost rules out a targeted remote attack.
But for simplicity, synchronization had to be added as well. Classic passwords, or an entire database stored in a manager such as 1Password or LastPass, can easily be transferred between devices. Until now, however, this has not been practically possible with the cryptography-based FIDO credentials (Apple is the exception), because the stored data was firmly tied to the key, i.e. the mobile phone. If you lost it, it was a mess; and if you bought a new one, it meant complicated extra work.
Once the new FIDO Alliance technologies are in operation, the current restrictions will fall. You will be able to use your mobile phone, without a special application, to log in to Google, Facebook or, for example, the state administration through mojeID, which also implements FIDO standards. And when you buy a new phone or use two at the same time, the service in the operating system will synchronize everything so that you don't have to manually add the second phone as an additional key everywhere (i.e. at Google, Facebook and mojeID).