[ad_1]
Now it's I hope to have been punctured into you to enable two-factor authentication on your online accounts, thus offering you more protection than a single password. And while the second most common factor is a digital code sent to your smartphone through an app, the physical tokens you plug into your computer have become increasingly popular. And now, they are trying to make the passwords obsolete.
On Monday, hardware authentication company Yubico announces a new generation of its YubiKey physical tokens supporting login without password. The YubiKeys 5 Series gets this simplified mojo from FIDO2, a new version of an open source standard that facilitates secure authentication. While companies like Microsoft are adopting the standard over the next few months, all you need for a secure connection is to log in and press your new YubiKey. That's all.
"We rely on many static references, such as your mother's passwords or maiden name – it's everywhere," says Jerrod Chong, senior vice president of products at Yubico. "So it's very important to think about the plumbing that needs to change, and FIDO2 brings a whole new range of capabilities."
The idea behind all FIDO tokens is that, instead of relying on a static data element, such as a password, you can authenticate with to have, like a YubiKey, and this device can perform all kinds of robust cryptographic checks without any extra work on your part. Yubico arrived early on the market and its products have become synonymous with larger movements in many ways, but other options based on the FIDO standard are available, including Google's Titan security keys. Titan does not support FIDO2 yet. (By way of disclosure, WIRED offers new subscribers a YubiKey 4 to encourage them to sign up.)
"It's very important that we think about the plumbing that needs to change."
Jerrod Chong, Yubico
Passwords have many serious flaws. Using a single-factor connection with a physical token instantly improves security in a number of ways. But physical tokens can also be stolen or abused by people close to each other. Thus, the YubiKeys Series 5 offer the possibility to request a local PIN code in connection with a connection without password. If you want to get technical in this regard, it immediately returns the passwords in one direction. But you never transmit this PIN code on the Internet, where it may be stolen. It simply allows the cryptographic authentication of YubiKey to continue.
"When we say without a password, it actually means that the first step is the possession of an authentication device, the second step is that you have to present the device, then you may have to d & # 39; other layers of protection ". "We believe that all this is part of a multifactorial evolution."
There are four models of YubiKeys Series 5 that incorporate different combinations of USB-A, USB-C and proximity communications. The most expensive model, the YubiKey 5 NFC, costs $ 45. At launch, no customer service is willing to support login without password. But Yubico says it wants to make all-in-one authentication keys available to users, so the FIDO2 upgrade can be done smoothly. And Microsoft worked closely with Yubico to launch technical support for Windows 10 and Azure.
"Password-free sign-in brings a quantum change in the way business users and consumers connect securely to applications and services," said Alex Simons, vice president of Microsoft's identity division. "With FIDO2, Microsoft is working to remove the dependency on password connections, with support for devices such as YubiKey 5."
Passwords are heavy and problematic, so the prospect of a password-free future can radically favor the adoption of physical authentication tokens like YubiKeys. But researchers warn that you should use them as part of a multi-factor authentication process, relying solely on a single hardware component. "The cryptography of these tokens is strong enough to be a prime factor of trust," says Matt Green, a Johns Hopkins cryptographer. "But the reason for two-factor authentication is that both factors are valuable.We could have ATMs with only one factor: a card, no PIN.But if someone steals your card Nothing protects you, the same applies here. "
So, even if it's tempting to imagine a truly password-free future, the closest solution you can get for now is a more accessible and accessible authentication approach. easy to use. And compared to the trash fire that is the current connection situation, it probably looks very good.
Biggest cable stories
Source link