Another Step Toward a Password-Free Future

Perhaps I am mistaken, but I believe replacement technology for password logins already exists, for free, through Steve Gibson and GRC’s SQRL (pronounced Squirrel).

Steve’s website for SQRL looks far to complicated for me. And, I don’t see macOS listed.
Apple’s development looks enticing but lots of us are still using keyboards and computers without faceid or fingerprint, so I guess that’s out too, at least for now.

Passwords can be a pain, but touch can be fallible for some people. My wife was unable to record a usable fingerprint on a screen for an employer identification system, and required special processing. I don’t know the failure rate, but the technician said it was not zero.

Hope this is not too much of a tangent…

One thing that always made me feel a bit uneasy about biometrics is that it’s firmly tied to me. For one, it pretty much uniquely identifies me, but also, it cannot be revoked. User/pass can be complete anonymized garbage and I can still throw it away and redefine at any time should that become necessary (eg. a breach, leak, hack, etc.). My face or fingerprint I can neither redefine nor discard. However, would I be correct in assuming that as long as I stick with my M1’s TouchID and my A14’s FaceID, I don’t really need to worry about identification/revocation because the actual biometric information is held within Secure Enclave and that does not allow reading out the biometric information by anybody (or any software)?

My bank implemented some sort of hand scanner and we couldn’t easily get my hand scanned in. I told them to forget it and I’ll continue to give them paper deposit slips. Apparently it’s supposed to open my account for them from the other side of the counter.

Diane

I’ve always worried about false negatives and false positives with biometrics.

TouchID: What if your finger is missing or disfigured? Maybe I’ve watched too many scifi movies, but what about using a rubber fingertip impression?

FaceID: What about disfigurement? I don’t know what indicia FaceID uses, so I don’t know how it copes with injuries, eyeglasses, beards, masks, photos.

Some businesses I deal with have offered to let me authenticate myself using my voice. I’ve declined. Voice can be spoofed. And I don’t like samples of my voice being saved (which is why I don’t use Siri, Alexa, or Google).

And, expanding on something Simon said, if your account is hacked, you can’t very well change your fingerprint or face.

I would hope there would also be support for something like a Yubikey. There still needs to be some way of authenticating if you don’t have a Mac, iPhone, or iPad.

Weren’t we supposed to have drones delivering packages by now? Touch-id was huge failure for me but it isn’t necessary. Biometrics can only work when it’s one of multiple ways of “logging in.” It’s good to have low expectations.

I vaguely recall reading somewhere that TouchID required a ‘living’ touch. A wax/rubber impression would fail and - as I understand it - so would cutting someone’s finger off to try and operate it.

I certainly don’t recall there being a date associated with that and never expected to see it here by now. My understanding is that the technology has been proven for some time now, but there’s a lot more to fielding such things that take time. Making a business case for it is probably the biggest hurdle now, but I suspect there are still regulatory issues involved to allow it in all areas of the country. If you are actually interested in following it’s progress, here’s a recent summary: Drone Delivery: Benefits, Use Cases, & Retailer Examples.

As far as TouchID is concerned, it’s been working close to perfectly for me on both my iPhone 7 and 10.5" iPad Pro.

Since my wife uses me a lot for support, I have set up her iPhone and iPad with TochID using one finger from me and one from her. She does not have any devices that use FaceID so I have not tried that. I wonder if that is possible? (Currently I am out traveling, so I can not test to set up an alternate FaceID with her.)

I doubt they’re storing a recording of your voice. More likely they’re running the recording through an audio analysis and storing the result. Kinda like a SHA-256 hash. It can’t be reversed into the original recording. When you subsequently use your voice as your password they run it through the same processing and compare the results.

I have no idea how reliable this really is. It requires trusting that whoever implemented this knows what they’re doing. We read stories weekly about companies’ security measures being anything but secure so I can certainly understand not wanting to participate on those grounds.

“ If you’re wearing a face mask or potentially other face coverings, Face ID with a mask can analyze the unique characteristics around your eyes. When using Face ID with a mask, you can still use Face ID to authenticate apps, unlock your iPhone, and use Apple Pay.

This feature is available on iPhone 12 and later with iOS 15.4 and later.”

Of course Apple et. al. are trying to get this universally implemented. It will require everyone to own a cell phone, which adds significant revenue. It also means that in order to use my computer, I will not be able to simply log in, I will have to associate a new cell phone with it. Not an overwhelmingly happy situation.

What will be done for accessing a deceased person’s online accounts? When my father died, I had all his usernames and passwords for his accounts to use to manage his estate. If access is tied to his body, how will estate trustees manage the legacy online holdings?

I am generally 10 years, maybe even 20, behind the curve, I don’t use fingerprints or face-recondition or anything. I don’t take my phone with me everywhere I go, and I pay cash or at the most, use a credit card. I wouldn’t give these “advances” a second thought if they weren’t so strict and undemocratic. There are already places that don’t accept cash, and for now I can ignore them and move on, but the prospects of being forced to use all these identifying one-way technologies is really alarming to me.

It seems most here seem to have misunderstood the significance of this development. Rather than you supplying a secret (e.g. a password) to the other party to identify yourself, you just give them a public key. It doesn’t matter if a hacker somehow obtains your public key because it’s useless without the corresponding private key, which always stays on your devices. That’s a big change because people traditionally have used weak passwords and it eliminates the problem of having passwords stolen when a company’s systems are breached.

When your device needs access to the private key, that’s when FaceID, TouchID, etc., comes into play. On your phone, you’ll likely still be able to use your passcode to give access, just like the way ApplePay works now, and on your Mac or PC, you’ll probably be able to use your password to unlock your keychain. Those are just implementation details.

Right now, I can use TouchID on my Mac to log in to Apple’s websites if I’m using Safari. If I’m using Brave or Firefox, I can’t. To get into my Fastmail account, I could use a Yubikey if I’m on Firefox or Brave but, until recently, I couldn’t with Safari. The current situation is a mess. Apple, Microsoft, and Google are hoping to make the more secure authentication method work seamlessly across systems, devices, and browsers so that people will actually use it.

The companies would be shooting themselves in the foot if they put in unnecessary obstacles which slowed adoption. I highly doubt Apple would require the use of FaceID or TouchID since that would be a showstopper for a lot of people.

I think you are missing that people do not like all the arm-twisting to adopt technologies that aren’t ready or right for them.

What arm twisting?

Like the time I didn’t want to use two-factor authentication but Apple forced me into using it to get out of some situation and then it was impossible to undue. The above mention of computers being tied to phones. Apple’s ongoing history of annoying tactics to get users to upgrade software (and hardware I might add). The writing is on the wall and the tone of the comments is wary for good reason.

I had the first phone with touch-id and I wasted many hours trying to get it to work. Scanned my fingers countless times and finally gave up because it never even improved. After trying the same on a later phone or two with supposed improvements, I fared no better. I don’t expect to ever waste my time on this again. As long as I have a choice - but choice isn’t guaranteed.

I believe the issue is that you’ll likely have no choice. Like the addition of 2FA, this change will increase security for all of us. The big tech companies had issues with hackers impersonating users, so they added security steps like 2FA to prevent us from losing control of our accounts. And keeping passwords secure from hackers is an added cost that these companies I’m sure would love to set aside at some point.

Unfortunately, moaning and groaning about it won’t stop it from happening if (when?) this goes forward. These companies and then every other online service likely won’t give you a choice not to participate, especially over time. Over the great long-term trying to hold onto older hardware and OSes goes only so far - just as one example, at this point it’s getting impossible for anyone with a phone older than an iPhone 6 to continue using it, since the carriers are dropping or have dropped the 3G networks those phones used for phone calls.

I’m guessing that something like FIDO won’t be a required change at first. But it’s probably a good idea to know that this change is coming.

(And I remain interested in knowing how they’ll solve the problem of someone traveling with only a phone and then losing it and replacing it, or even somebody whose only device is a phone who needs to replace it - how will Apple/Google allow that person to re-establish their account without a device with them that already has a keychain? That’s an “implementation detail” I’m interested in seeing detailed before this goes forward.)

Time magazine says delivery drones were supposed to be on the job in 2018 Whatever Happened to Amazon's Drone Delivery Service? | Time in an article they published last year. Self-driving cars without steering wheels or brake pedals were supposed to be in commercial use by now as well.

The Time article is fairly optimistic about eventually having delivery drones, but I suspect the reality will be limited use in limited environments. Looking at the situation with autonomous cars, which I have written about, truly driverless cars can’t be used everywhere all the time. The near future is cars that can drive themselves on well-maintained limited-access highways (GM has designated about 200,000 miles of such highways in North America that meet their standards) but that’s less than 10% of all the public roads in the US alone. Driving on city streets, rural unpaved roads (about 1.2 million miles of the latter in the US), or through construction zones is a much harder problem. Managers who don’t understand technology fooled themselves into thinking they could scale demos into safe and cost-effective products usable by everyone.

There’s always a choice. A simple flip phone is one of those choices, one I’m prepared to take.

On this topic, what does “FIDO” mean? I could find no definition for what I assume is an acronym in Adam’s article or anywhere on the organization’s web site.

Here’s an acronym and a couple names that “FIDO” needs to understand in order to meet its stated goals:

DoD
Medicare
Social Security

What’s happening in those areas?

Fast IDentity Online

Thanks. Turns out that Apple’s press release on this topic contains the same definition and brief description of FIDO (as a footnote).

Something I don’t understand about this proposal is that it sounds like a downgrade in security. It’s clearly an improvement for the people who use secr3T!as their password on every site, but for those of us using a password manager to supply a unique 30-character random set of alphanumeric+symbol passwords to each account, if someone gets your computer password or phone passcode, they have access to everything. Am I misunderstanding how this will work?

Apparently. If someone has your computer password or phone passcode today, they have access to everything using Keychain, so it’s identical to the current situation.

Well, of course I meant if you continue to want to use online services as they move to a solution like this. Not using them is always a choice, but you can continue to not use them with an iPhone or Android phone going forward.

Well, not a password manager app probably. You still have a separate authentication with that.

As @ddmiller says, not if you’re using a third-party password manager. I guess you can argue that it’s only consolidating two passwords into one, but I still feel like it’s a regression security-wise, especially as most phone passcodes are just digits, whereas password manager passwords are likely to be stronger.

One can only hope that Apple, Google, Microsoft, et. al., will provide a way to revoke the sync of FIDO cryptographic keys for a lost device. In the case of Apple, perhaps it will be as simple as revoking a device as a trusted device from another device, as can be done now, so that all iCloud Keychain items can be revoked from the device.

Because FIDO keys are only used when the device is connected to the internet, perhaps Apple and Google will prevent any device from authenticating a nearby computer using CTAP attempting to log in if the phone is in airplane mode.

I have no idea how FIDO is going to do this, but I do something similar with SSH on my various computers.

I use the OpenSSH software on a Linux PC to generate a public/private key pair. Actually, I’ve created two - one for personal use and one for work.

I upload the appropriate public key to each system I want to access via SSH. This includes computers at home and servers at work.

I keep the private keys to myself, but I do copy them to my other computers. My employer’s computers have the work keys. My personal computers have the personal keys.

When I try to access a site using SSH (e.g. via the slogin command), the two systems use the keys for authentication and I never provide a password.

If I feel that I need to replace keys for some reason, I can generate a new public/private key pair. Then I go to each of the computers I access and replace the public key with a different one. Once every system using the original key has been replaced, I can blow away the corresponding private key (or keep it around, just in case I later find out that I didn’t upgrade everything).

I do have to keep track of my private keys. If they get lost, then I will need another mechanism (e.g. password + 2FA) to log in so I can replace the public keys with newly-generated ones. If the remote site doesn’t prove a mechanism, then it could be a long annoying support session with the site’s owner to prove my identity in order to install a replacement public key. This is why I have them on multiple computers and I keep a printout in a file cabinet at home for use as a last resort. (SSH uses a text-encoded representation for the files.)

I assume FIDO is going to be doing something similar, but somehow automating the key-pair generation and synchronization work so ordinary users don’t need to know what’s going on under the covers.

And it will be very interesting to know what kind of recovery options they define. If you need to use password+2FA or an e-mail reset code, then you’re not really any more secure than today.

Which is stored in my Keychain or TouchID on my iDevices.

I think you need to consider the big picture. From How FIDO Addresses a Full Range of Use Cases:

While this may not always meet the bar for use cases that require, say, AAL3, it is a huge improvement in security compared to passwords: each of the referenced platforms apply sophisticated risk analysis, and employ implicit or explicit second factors during authentication, thus giving AAL2-like protections to many of their users. This shift from letting every service fend for themselves with their own password-based authentication system, to relying on the higher security of the platforms’ authentication mechanisms, is how we can meaningfully reduce the internet’s over-reliance on passwords at a massive scale.

Yeah, I’ve been using key pairs in ssh for years (decades?), and my brief reading about FIDO suggests that at a high level it’s the same thing, except making the whole process easier (not that setting up key pairs for ssh is hard, but it’s definitely not something I’d expect non-techies to do). And if you use ssh-agent to store your private key passphrases in the keychain, it’s even closer. (And now that I think of it, I should also be able to store my private keys in keychain or 1Password or the like. I may have to do that.)

I don’t think it’s quite fair to say that passwords themselves suck; what sucks is the laziness of users to use good passwords to begin with and their penchant to reuse the same password for everything!

I work in this field so can offer some clarification. The idea behind “PassKeys” is that they can be shared between your devices and backed up through iCloud Keychain. If you lose your device, a new device can be restored from iCloud. The account provider (relying party or RP) can detect if you are using a new device and require additional account recovery steps if desired.

There are “platform authenticators” like Touch-ID built-in to your laptop, and “roaming authenticators” like FaceID on your iPhone. Both will eventually be supported. In most cases you will just need to unlock your phone by whatever means you use now. The RP can optionally require specific forms of biometric identification (or have other requirements).

As you might expect, Apple is working hard to ensure passwordless authentication is simple and reliable for websites that support the “WebAuthn” part of the FIDO standard. Many websites and other IoT devices won’t be updated so it will be a gradual transition.

For accounts that matter, having no password that can be guessed, intercepted, or phished combined with Apple’s attention to the user experience will be a welcome step forward.

After reading this very interesting and well-written document shared by @chirano I am confident that if you own more than one device, even from different vendors, you are in for a pleasant experience.

Using a phone or a computer with biometric input with no option to use manual password entry is not acceptable, and I don’t think any consortium of any tech companies can make that concept work due to both political considerations (blowback on facial recognition etc) and practical considerations (millions of US citizens dependent on government services, always behind in technology including ID).

As often said in DoD contexts: “Hope is not a strategy.”

I already use ID.me and/or login.gov for access to multiple government and a few other sites from all my devices, so FIDO will be a simple transition once implemented.

ID.me works to authenticate your status to Apple as a vet, but doesn’t get you into DFAS. Neither does login.gov. Also, what about Social Security and Medicare? Are you enrolled in either yet?

Maybe “FIDO will be a simple transition once implemented” or maybe it won’t. When will it be implemented? DFAS has a new page trumpeting two factor authentication…whoopee.

I’d be happy to hear about how you’ve overcome differences between gov’t sites or methods to minimize ID requirements. Often, I have to use Firefox because the latest version of Safari just doesn’t work. Never mind using a third party VPN. Solutions?

It shouldn’t be a problem then, as the announcement states:

Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

How does this work if you’re at a random computer that’s not yours (a friend’s or public terminal) and you want to sign in to an account to check something? At the moment, I can simply open 1Password on my phone and look up the password. Manually typing it into the computer is a small hassle but not a big deal. But I would not want to somehow associate my phone with the computer.

I currently use Yoti to access various government services, and on my Mac it presents a QR code on my screen which I scan with the Yoti app (on my phone it hands off between Safari and the Yoti app as you’d expect). This is easy, works well, and seems secure. Will such an option be available with the FIDO solution? (Or maybe this is the system Yoti is already using behind the scenes?)

I’m not an expert at this, but the Fido Alliance has a FAQ that answers questions like this. I think this one is answered here:

How does the user sign-in if a FIDO credential for the RP is not already available on the device?

This is best understood with an example: say the user has an Android phone where they already have a credential for the RP. Now they want to sign-in to the RP’s website on a Windows computer where they have never signed into the website before.

For existing devices, the user will point their browser to the RP’s website on the Windows computer. They see a ‘sign-in’ button on the login web page and hit that button.The user sees the option to add a new phone or use a previously paired one. If the user selects the paired phone and the phone is physically close (in BLE range) to the Windows computer the user sees a pop-up from the Android OS asking in essence “I see you are trying to sign-in on this nearby computer, here are the accounts I have. ” The user chooses an account at which point the Android OS asks “Please perform your unlock to approve sign-in to the computer with this account ”. The user performs the unlock and they are signed-in to the website

Alternatively, the user can use a security key that has been enrolled with the RP. In this instance, the user will point their browser to the RP website on the Windows computer. They see a ‘sign-in’ button on the RP’s login web page and hit that button. When the RP asks for FIDO authentication, the user is able to insert or tap their Security Key to unlock and they are signed-in to the website.

The flow described in this example would work regardless of the OS the user’s mobile phone is running and the OS and browser available on the target device for login (eg, computer, tablet, TV etc). The target user experience is very similar to that of a Phone Approval prompt commonly used today as a second-factor today. The crucial difference is that the approval is now phishing-resistant — this is because, when you approve a login on another device on a conventional phone approval, you don’t really know whether your other device is pointed to the correct website or a look-alike phishing site relaying information in real-time. In addition, the mobile phone approval also replaces the password (as opposed to being used as a second factor adjunct).

Thanks, that does sound like it would address that use case. I realise I should have read through the FIDO site, but I didn’t have time when I was reading this thread earlier, so thank you for taking the time to do so and extract the information. Great that they’re thinking through the various edge cases. I’m not sure I believe everything will work that smoothly between different devices and OSes (history doesn’t instil much confidence!), but if it does that’s excellent!

I agree. I think Apple’s website already supports Passkeys, and logging into it from my devices with TouchID or FaceID is quick and convenient without having to enter a user name, password, and second-factor code. If Apple, Google, and Microsoft manage to replicate this experience across the internet, it’ll be a very welcome change.

Yes, and in fact on my 2015 MacBook Air without TouchID I can log in to my Apple ID from Safari with just my computer account password rather than with my AppleID passphrase on Monterey - a perfect example of how FIDO might work if you don’t use biometrics.

I’ll look forward to further developments then, including addressing the concerns associated with lost or stolen devices and the use of PINs. I also look forward to see how this scheme is utilized with the millions of U.S. government users, as well as multiple EU government users.

Hopefully there will be a lower-cost, non-subscription alternative. . . Perhaps a dedicated YubiKey.

I don’t want to see people who do not want or cannot afford a smartphone to feel compelled to join the crowd. But it is getting difficult to live even a partially-disconnected lifestyle.

My wife has been a gardener for over 40 years while very rarely wearing gloves. Her fingerprints are essentially kaput and we could not get Touch ID to work on her iPhone. We recently upgraded to the 2022 SE3 and it does not offer Face ID as an option. Fortunately, neither of us mind relying on a 6 number code to access Apple Wallet, etc.

Eventually. When the spec is finalized and there are interoperable implementations and the bugs have been fixed. But as with all major changes to network infrastructure, there will be some bugs and some early adopters will encounter painful problems before they are fixed.

But hopefully, no major web sites will force you to transition to it before the tech matures.

I think the biggest problem is going to be for people like my parents, who do not have smartphones and do not want to get them. They are very happy with land-lines and simple mobile feature-phones. They might be able to use FIDO via an app on their computers, but that won’t help when traveling.

Based on what I’ve read so far, the biometrics are not your authentication key. The keys are generated randomly (similar to SSH private/public keys). The biometrics are used to securely store your private keys on your phone.

Assuming this is true, then there won’t be any political/privacy concerns that don’t already exist with today’s keychain technologies.

But, of course, this assumes that the implementation matches my understanding. If the biometrics are actually sent to some central server (no matter who runs it), then I agree with you 100%.

Thanks to @ddmiller for sharing the text about this.

It looks similar to the way 2FA systems work.

With 2FA, you log in, then the server asks for a device-generated code. Or (in the case of some), it sends a packet to a registered device and a companion 2FA app pops up a message asking if you want to approve the login.

The FIDO system looks similar, but without the password. You identify yourself and then the server contacts your trusted device (which you associated when creating the account), which asks if you want to log in or not.

ssa.gov allows both id.me and login.gov. medicare.gov doesn’t use either yet. va.gov also allows both along with DS Logon. There are a couple of other sites that use one or both, but can’t recall which at the moment.

Those of us who get old also are vulnerable to vision limitations, and smartphones are terrible for that. After cataract surgery I can see without glasses for the first time since I was 11, and have no problems driving, reading a newspaper or paper book, or using a computer. However, reading tiny type on a small screen is difficult to impossible. When AT&T turned off 3G they gave me a 4G flip phone, but the display lettering is so small I can’t read the caller ID it until I put my reading glasses on; about its only good feature is the HDVoice sound. I can appreciate smartphones as elegant technology, but their user interface doesn’t work for me. It gets rather annoying.

YubiKeys do indeed work with FIDO as a roaming authenticator. The disadvantage is you need two YubiKeys in order to have a backup. Many users will already have a smartphone that can offer a level of user experience Yubikeys can’t.

Hi Jeff,
It’s OK to want what you want. I’m sure you are well aware that a flip-phone is not a smartphone, which can have a much larger screen. My iphone announces who is calling (and I don’t accept calls from “Unknown caller”), so I don’t need to look at the caller ID.
Much of this thread is about fear of change. I hate changes at my age.
However, my attempts to stay safe in a world that changes (whether I want it or not) will someday fall short. My ability to keep up with the threats will diminish as I get older. And I can tell from some of the comments that it is difficult to understand an unfamiliar technology.
I’ll happily go beyond passwords for something more secure and easier to use.