Berlin.
Many are careless with their access data on the Internet. An alliance around Google and Apple wants to simplify the registration – that’s how it works.
Accounts hijacked by criminals, login data stolen, strangers gain access to personal data or online banking – it’s a nightmare. Nevertheless, many go to work carelessly when it comes to secure passwords for their own online accounts.
So ended up in the annual ranking of the Hasso Plattner Institute (HPI). most popular passwords 2022 again “123456” in first place. “The lax handling of passwords is dangerous,” warned HPI boss Christoph Meinel. account protection is for many like tax return and spring cleaning: actually you should.
For this reason, actions like the worldwide Privacy Day (“Privacy Day”) on Saturday (January 28) drew consumers’ attention to the importance of careful use of passwords on the Internet.
Future without passwords: This is what the Fido alliance around Google and Apple is planning
The good news: in the future we will online accounts from banking to e-mails and online shops to Netflix, even without passwords. This future is closer than many believe – and is called “FIDO”.
The abbreviation stands for “Fast Identity Online”, in English: fast online identification. Behind this is an association of the most important technology giants worldwide with an ambitious goal: to make passwords superfluous. In the middle of last year, the non-commercial Fido Alliance made their proposal public.
Leading the way are the tech giants Google, Apple, Microsoft and Amazon, as well as Visa and Mastercard. Overall, there is talk of “hundreds of technology companies and service providers from all over the world”. The German is also involved Federal Office for Information Security (BSI). But how exactly will we protect our accounts without passwords in the future, and where can the method already be used?
Google Expert: Signing up is as easy as unlocking your phone
“We want to make it possible for users to log into apps or websites just as easily as unlocking their mobile phone,” says Patrick Nepper in an interview with our editorial team. The computer scientist is a product manager at the Google Safety Engineering Center, a global research center for data protection in Munich. There Nepper is working on the upcoming Password replacement. It’s called “passkeys”, i.e. access keys.
The technology is based on the standards that Google and other companies in the Fido Alliance worked out. “The close cooperation has the advantage that this type of registration will work everywhere in the future,” explains Nepper. Not only on websites and apps from Googlesuch as the Chrome browser or Android, but also with operating systems from the other major manufacturers Microsoft Windows or Apple with iOS and macOS.
Passkeys login: Two keys replace the password
So far, if you log into your online accounts, you enter your password next to your user name – and thus reveal your “secret”. at pass keys on the other hand, explains Nepper, a digital, cryptographic pair of keys is used: a private master key on one’s own device – such as a smartphone, laptop or USB stick – and a public key created for each app or website used.
the private keys does not leave your own device when logging in. “This secret is securely stored on your own device and is only used to sign a message that comes from the service provider during registration with your secret and send it back.” The provider can use the public keywhich he receives, determine whether the applicant possesses the correct private key without knowing it.
Fraudsters could do nothing with the stolen public key alone. Biometric data like fingerprint or face recognition will remain an important security feature in the future, namely when unlocking one’s own mobile phone or laptop in order to access the private master key.
Fido Method: These are the benefits of Passkeys
Nepper thinks that Fido login will prevail if everyone is aware of the advantages: The method is more convenient, users do not have to remember passwords or enter them with the TV remote control. And more secure: A passkey cannot be stolen during registration or end up publicly on the Internet due to a security leak at the provider.
Common browsers such as Google Chrome, Apple Safari, Mozilla Firefox and Microsoft Edge support it passwordless login already, as well as operating systems such as Windows, Android, iOS and macOS and many online services.
Login without a password: Google and Apple already offer it
Experts advise looking in the security section of the account settings of the respective service to see what options there are for using Fido. For example as Password replacement or as a second factor with the mobile phone. The device used should run a newer operating system that supports current versions of the browser used. The safe chip (TPM) required to store the private key is now found in most smartphones and in newer PCs and notebooks or in special USB sticks.
“In 2023 we will all come across the first websites and apps where we will be offered to use a passkey next time instead of passwords,” says Google manager Nepper. “But there is still a long way to go before passwords are no longer part of our everyday lives.”
Secure login: IT experts recommend these four password rules
In the meantime, IT pros recommend sticking to the generally accepted rules of password security. These four Password Rules From the point of view of experts, the following should be heeded when registering on the Internet:
- Each password should be as long as possible (more than 15 characters) and difficult to guess. Password managers and special websites can create them in seconds if required.
- Never use the same or very similar password for multiple accounts.
- Use a password manager. Some of these services are also available free of charge and as a convenient browser extension. The access data for all online accounts can be stored there, protected by a master password that is as strong as possible. With the Google password manager, Google offers its own service on request, as does Apple with the iCloud keychain.
- Enable two-factor authentication when possible. In addition to the password, a second factor is also checked, such as a generated code or the fingerprint on the cell phone.
You might also be interested in: Apple, Samsung and Co.: EU decides on standard charging cables
More articles from this category can be found here: Life
