Microsoft, Google do a victory lap around passkeys • The Register

Microsoft today announced that it will now allow everyday people – not just business subscribers – to sign in to their Microsoft accounts and apps using passkeys with their face, fingerprint, or device PIN.

The added support for Microsoft consumer accounts works across Windows, Google, and Apple platforms, and Redmond described the move as another step toward its 10-year dream: “A world without passwords.”

As of Thursday, users can sign in to their Microsoft accounts using passkeys through desktop and mobile browsers, and we’re told mobile app support is coming soon.

The timing is no coincidence. Today is also World Password Day, which, although a made-up holiday, usually marks an opportunity for tech companies to brag about what they’re doing to stop requiring or encouraging users to remember or otherwise write down unique and strong passwords for every app and online service they use.

True to form, Google also marked the occasion by proclaiming that its year-old support for passkeys had reached a major milestone.

“Today we announced that passwords have been used to authenticate users more than a billion times across more than 400 million Google accounts,” said project leaders Sriram Karra and Christiaan Brand.

When Microsoft rolled out Windows Hello and Windows Hello for Business in 2015, it detected about 115 password attacks per second, according to Redmond’s Vasu Jakkal, the company’s vice president for security, compliance, identity and management, and Joy Chik, president of identity and network access.

By 2023, this number had increased by 3,378% to over 4,000 per second.

“Password attacks are so popular because they still get results,” Jakkal and Chik wrote in a blog post announcing passkey support.

“It is unfortunately clear that passwords are not enough to protect our online lives,” they said. “No matter how long and complicated you create your password, or how often you change it, it still poses a risk.”

Passkeys are based on a FIDO Alliance standard supported by Apple, Microsoft and Google. Think of them as password replacements.

Simply put, the technology works like this: When you create an account for a website or app, your device generates a public-private cryptographic key pair. The backend of the site or app gets a copy of the public key and your device keeps the private key; this private key stays private to your device. When you log in, your device and the back-end authentication system interact using their digital keys to prove that you are who you say you are, and you can log in. If you don’t have the private key or can’t prove that you have it, you can’t log in.

Your device can secure this private key locally using something like a facial biometric scan, a PIN, or a fingerprint. So if someone wants to access your account, they will need your device and this secret PIN or biometric scan to unlock the private key (or somehow obtain a copy of the private key). This is considered more secure than requiring users to remember or store passwords, and guarantees a unique key pair per account. For those wondering about multi-factor authentication, it’s somewhat built in: typically, a scammer will need to get their hands on your physical device and either your secret or a physical part of you to access the private key.

“Because this key pair combination is unique, your password will only work on the website or app you created it for, so you can’t be tricked into logging into a similar malicious website,” Microsoft explained. “That’s why we say passwords are ‘phish-resistant’.”

Ultimately, they aim to simplify user security by relying on facial or fingerprint scanning instead of requiring people to remember a unique 47-character password for every damn app and website they access, including uppercase letters, lowercase letters, numbers, special characters, and the name of your first pet but only if it was a parakeet.

“The best part about passwords is that you’ll never have to worry about creating, forgetting, or resetting passwords again,” according to Jakkal and Chik.

To be honest, that’s probably an exaggeration. Criminals are cunning, and they can find ways to break the latter approach – and we’re not talking about cutting off people’s fingers or faces.

But on this World Password Day, we hope that we can enjoy the simplicity and security of passkeys for at least a year. ®

News Source :
Gn tech
