Security Bits Logo

Security Bits – Even More Cambridge Analytica/Facebook, WebAuthn

Followup 1 — Meltdown/Spectre

Followup 2 — The Cambridge Analytica/Facebook Kerfuffle

Security Medium — WebAuthn

One of the biggest problems on the modern web is authentication. Password, passwords everywhere, and barely a drop of security to show for it!

The fundamental problem with password on the web is that they rely on websites securely storing a secret on your behalf, and it turns out many of them are terrible at that! So, we need separate passwords for every site, but we humans are terrible at that, so we need password managers. But now all our eggs are in one basket. Sure, if you choose well it’s a single really well engineered basket, but it was still created by humans, so it’s almost certainly imperfect! Also, password managers are usually secured by a password too, so now all your security rests on the strength of a single password!

To be clear, a well-implemented and well-used password manager is infinitely more secure than re-used passwords, but better than terrible is not the same as ideal!

How could we get rid of passwords? We could introduce some kind of trusted third party into the picture, someone or something that can vouch for our identities. Both users and websites would need to trust this third party to do a good job of authenticating the user, and, not to lie to websites. Finding a single third party that every user and every site will be happy to trust is an impossible task, so how else can this circle be squared?

The alternative is an agreed mechanism by which users can choose a third party they trust, and websites can be confident that the interaction with the nominated third party will work reliably and securely. In other words, an universal authentication protocol that’s open, free, and widely implemented.

To provide real alternatives to passwords this protocol will need to be able to address hardware devices like fingerprint scanners, facial recognition systems, security tokens and all other devices we might dream up in the future. Website don’t get to talk directly to hardware because that would be a security calamity, so, what’s needed is for our browsers to provide a bridge to the hardware.

So, we need an open protocol that’s freely available, and implemented by all the main-stream browsers. No small feat!

Enter the standards body that governs the web, The World Wide Web Consortium (W3C), and the FIDO Alliance. This week the W3C consortium, of which all the major browser vendors are a member, announced that a new protocol for web authentication has been drafted, and that it’s now progressed to the Candidate Recommendation stage of the certification process — that’s the penultimate stage!

The protocol is called WebAuthn (a contraction of Web Authentication), and when implemented by browsers will allow users to authenticate to participating websites without the use of a password. Instead, users will be able to authenticate themselves using biomentric sensors already implemented in devices, and hardware tokens like the popular UbiKey.

WebAuthn builds on the existing FIDO standard, so all existing FIDO devices will be compatible with WebAuthn.

What happens now?

First, the standardisation process has to complete, then, the browser vendors will need to implement the final standard, and finally, websites will have to buy into this new tech. The good news is that the browser vendors seem to be on-board with this, with Microsoft, Google, and Mozilla already committed to supporting WebAuthn within the next few months.

This is not the end of passwords, but it just might be the beginning of the end of their domination of web authentication!

Links

Notable Security Updates

Notable News

  • Cloudflare launches a new privacy-focused public DNS service at 1.1.1.1 (more on this in this week’s CCATP) — www.macobserver.com/…
  • 🇨🇦 With perfect timing, Canada’s new Digital Privacy Act is finally brought into force, meaning companies will be required to inform people when their data is breached — globalnews.ca/…
  • In preparation for the GDPR, Instagram will ‘soon’ start offering the ability to download all your data — nakedsecurity.sophos.com/…
  • 🇺🇸 23 advocacy groups get together to sue Google for allegedly breaching COPA by profiting from targeting YouTube at kids under 13 nakedsecurity.sophos.com/…
  • 🇺🇸 A report finds that many US law enforcement agencies actually can unlock iOS devices because they have bought products and/or services from companies like GrayKey who’s GrayBox appliance is able to unlock the latest iPhones on the latest version of iOS at least some of the time — motherboard.vice.com/…
  • Security researchers have discovered that the patch level indicated by Android on many phones may not be an accurate indication of the phone’s actual patch level! This appears to be due to a mix of genuine accidental omissions of some patches when manufacturers merge Google’s code into their custom version of Android, and out-right fraud — www.wired.com/… & srlabs.de/…
  • 🇺🇸 Signing credit card slips is about to become history, even in the US — www.nytimes.com/…

Suggested Reading

Leave a Reply

Your email address will not be published.

Scroll to top