Numbers and letters. Uppercase and lowercase letters. At least eight characters, including at least one punctuation mark. To watch a movie, check your bank account, read an article in Les Echos or access a social network, passwords have become necessary for our connected lives. And they have to be more and more complex.
According to a study conducted in 2020, each of us uses an average of a hundred different passwords … Since no human being can remember that many, we have developed various workarounds. Some always use the same password, which is of course the worst method: in case of a data leak, hackers will be able to gain access to every account protected by that same password. Others write them down in a notebook next to their computer, which is also not a good idea.
No “memory” solution is perfect
Finally, others use a password manager, a kind of digital safe that contains all of the user’s passwords. Network giants like Apple or Google offer them, alongside specialized players such as Dashlane, NordPass (author of the study on the number of passwords), 1Password, etc. Their tools automatically log users in to sites or apps, and are themselves protected by a single password that unlocks all accounts.
“It’s very good on paper, but it adds a weak point: if this unique password is compromised, the attacker has access to all the passwords in your manager,” explains Loïc Guézo, cybersecurity expert at Proofpoint and secretary general of Clusif, a cybersecurity association.
What next? Simply by deleting passwords. This is the goal of the FIDO Alliance (Fast IDentity Online), a group of digital industry players launched in 2012 to find a safer and easier solution for users. “FIDO was launched to combat data leaks, which are almost always linked to passwords. The idea is to reduce our dependence on passwords to limit cyber attacks,” Andrew Shikiar, executive director of the FIDO Alliance, told Les Echos.
New identification technology
After a decade of research and initiatives that were not very visible to the general public, the work is nearing completion. Last month, Apple, Microsoft and Google announced support for a new identification technology called “Multi-device FIDO”. In the process, on June 6, during its WWDC developer conference, Apple introduced a tool called Passkeys that is based on this technology and will be integrated into the next versions of the Mac, iPhone, iPad and Apple TV operating systems. Instead of entering passwords, users will be able to use the biometric sensors (facial or fingerprint recognition) of their device to identify themselves on all sites and digital services that have adopted the FIDO solution.
And that’s just the beginning: Microsoft announced last week that the technology is coming to its Azure cloud offering, and Google is expected to make announcements soon. “The goal of FIDO members is to promote standards, modeled on Bluetooth (wireless, editor’s note), HDMI (high-definition video) or USB,” says Andrew Shikiar. “Apple, Microsoft or Google compete fiercely in many areas, but in some cases they know how to work together. All of these companies, and hundreds of others, believe that a strong identification standard would benefit everyone.”
Great advantages … and disadvantages
Based on a system of public and private keys (see the “FIDO, user manual” box below), the scheme is designed so that no password circulates on the network, which removes the risk of it being intercepted. At the same time, after the initial registration procedure, it should make life easier for Internet users, who will no longer have to create a password for each new service. And it works across devices: using a Bluetooth connection, your phone can unlock access to a service on your tablet or computer. “I see this as a normal and logical development, which aims to make digital transformation more ergonomic for users,” says Loïc Guézo. “Biometrics are very ergonomic, because they make things easier. This fluidity, of course, hides increasingly complex security tools and protocols…”
The advantages of this approach are twofold: you will not have to remember a new password for each application or website, and the application or website no longer has to worry about user passwords being leaked in case of a hack. But this represents a profound change: Internet users and service providers will delegate identification to a third party, the smartphone or operating system provider. “We are switching from owner to tenant mode, as happened with music: you no longer own discs, you rent access to your music from a streaming platform,” explains Jonathan Uzan, a cybersecurity expert at BCG Platinion. “We will give up the ability to choose and manage our passwords ourselves and entrust it to private companies such as Google or Apple. This is not necessarily a bad thing, but you need to be aware of it.”
Do you agree that you are even more dependent on Google?
The success of this initiative will depend primarily on service providers and websites, which will be free to adopt this solution, which costs them nothing. It will all depend on the trust they are willing to place in the digital giants. “It’s not going to happen overnight,” admits Andrew Shikiar. “I think adoption will be strong in the coming months, but it may take two or three years for users to see the difference in scope.”
FIDO, user manual
“Multi-device FIDO” technology is based on cryptographic tools and biometric sensors on smartphones.
– The exchange of passwords between Internet users and servers is replaced by a pair of cryptographic keys, one public and one private.
– The public key is stored on the server, and the private key on the terminal that belongs to the user, mostly his smartphone.
– To log in, the user must unlock his private key, whose response is then checked against the public key held by the server that authorizes access. He does this using the biometric technology of his terminal. Depending on the model, this may be face, iris or fingerprint recognition.
– If the device does not have a biometric sensor, or if it does not work, the user can unlock his private key using a numeric code or password, but this code is never exchanged online.
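The box above and the earlier remark that “no password circulates on the network” describe a challenge-response login with a key pair. The following Go program, added here as an illustration and not taken from the article or from the FIDO Alliance’s specifications, shows the shape of that exchange with Ed25519 keys: the server enrols and stores only the public key, each login gets a fresh random challenge, the device signs it only after a local user-verification step, and the server checks the signature with the stored public key. The `Server` and `Device` types, the `userVerified` flag standing in for the biometric sensor result, and the sample user “alice” are all assumptions of this example; real passkeys (WebAuthn) additionally bind the assertion to the site’s origin and use a richer message format, which is left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the site being logged into. It stores only public keys, so a
// leaked copy of this table gives an attacker nothing usable as a login.
type Server struct {
	creds map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{creds: make(map[string]ed25519.PublicKey)}
}

// Register is the one-time enrolment step: the device sends its public key.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.creds[user] = pub
}

// Challenge issues fresh random bytes for one login attempt. Signing them
// proves possession of the private key without ever transmitting it.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify accepts the login only if the signature over this exact challenge
// checks out against the public key enrolled for the user.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.creds[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Device is the user's terminal. The private key is generated here and
// never leaves this struct.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material the device ever shares.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign answers a challenge, but only after local user verification (the
// biometric check or fallback code described in the box) has succeeded.
// userVerified stands in for that sensor result; it is an assumption of
// this example, not part of any FIDO API.
func (d *Device) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: private key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Login runs one complete authentication round: challenge, sign, verify.
func Login(s *Server, d *Device, user string, userVerified bool) (bool, error) {
	ch, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(ch, userVerified)
	if err != nil {
		return false, err
	}
	return s.Verify(user, ch, sig), nil
}

func main() {
	srv := NewServer()
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", dev.PublicKey()) // "alice" is a constructed sample user

	ok, err := Login(srv, dev, "alice", true)
	fmt.Println("login with biometric unlock:", ok, err)

	ok, err = Login(srv, dev, "alice", false)
	fmt.Println("login without user verification:", ok, err)
}
```

Two properties worth noticing in this layout: because the challenge is random per attempt, a signature captured on the wire is useless against the next challenge, and because the server holds nothing but public keys, the fallback code or biometric template mentioned in the box is only ever checked locally on the device.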
When our behavior can identify us
Abacus: this is the name of the project that Google introduced in 2016 to replace passwords with… the behavior of Android smartphone users. The assumption is that the way we type, our voice, and even the way we walk are relatively unique. Once combined with other elements (terminal type, location, etc.) and analyzed by artificial intelligence, these signals can produce a “trust score” meant to guarantee the user’s identity. A smart and innovative approach, but a bit worrying: if I change the way I type or walk, will I still be recognized?