Say hello to biometrics — and bid hackable passwords adieu

Winnipeg Free Press - - NEWS - MICHAEL OLIVEIRA

THE death of the password could be upon us.

A new security standard recently endorsed by the World Wide Web Consortium has experts excited about the prospect of making logins “unphishable” and ending the vulnerabilities that currently exist because so many users have poor “password hygiene” and reuse the same one across countless websites.

The Web Authentication (WebAuthn) standard developed collaboratively by members of the FIDO Alliance — which includes the likes of Amazon, Facebook, Google, Intel, Lenovo, Microsoft, PayPal, Samsung and Visa — allows web surfers to use biometrics such as fingerprints or facial scans instead of inputting a password. Plugging a compatible USB device into a computer can also be used to bypass password screens on participating websites.

“I don’t think the password will be killed tomorrow, or even within the next three to six months, or even year,” says Joni Brennan, president of the non-profit Digital ID and Authentication Council of Canada.

“But there’s a shift and a journey that needs to happen and to finally move past having so many passwords and ideally not having passwords at some point — this I think is a really key step.”

Mozilla’s Firefox browser already has implemented the technology while Google and Microsoft have also committed to updating their browsers.

Users who adopt the new standard will basically be upgrading to a level of security used for protecting state secrets, says Vancouver native John Bradley, standards architect for the security hardware company Yubico, a board member of the FIDO Alliance.

“Essentially you’re moving people from being able to do remote attacks to phish you to actually having to break into your house and steal your phone... and extract your PIN from you at gunpoint. It significantly raises the bar,” says Bradley, who predicts some popular websites may start offering the new type of login within a couple of months.

He says security experts call the login method “unphishable” because there’s no indication yet that hackers could compromise it.

“So people would have to move onto other social-engineering schemes,” he explains.

“But there isn’t something you could tell someone over the phone if (a scammer) called you up... there isn’t anything the user can actually disclose to somebody else (to reveal their login), so it makes it very difficult for the attackers. I’m sure they’ll come up with some other scheme to keep security people in business, but this would cut off what’s becoming a major pain in the neck for people.”

Bradley notes that users who choose to use biometrics as an unlocking mechanism needn’t worry about their fingerprints being handed over to websites they visit. Biometrics are not uploaded during the login process and are not stored on the user’s device.

“All the biometrics are local to the device, so you’re not sending your fingerprint to the website — that would be a bad thing from a privacy perspective,” he says.

Brennan expects some people might be nervous about using their biometrics routinely for logging in online and fear they’ll be misused. She admits it took her a while to warm to Apple’s Touch ID fingerprint technology on its devices.

“Over time I saw there was a convenience there and I was able to learn what was happening,” she says.

“That was a personal decision.”
