With Passkeys, Apple shows how to make passwords disappear

Based on the FIDO authentication standard, Apple’s new “Access Codes” allow users to log in to sites and apps without using passwords, provided service providers play along.

During the WWDC conference, Apple presented a new authentication technology that is supposed to usher in a future without passwords. For each compatible online service or application, the new Apple operating systems will offer to generate an “Access Code” (or “Passkey” in English) for the user, which will allow connection without using an outmoded password. This access code is saved in the iCloud keychain and is therefore accessible from any of the user’s “iDevices”, whether it runs iOS, iPadOS, macOS, tvOS or watchOS.

The connection procedure also works from non-Apple devices, provided you have an iPhone on hand. As we could see during the conference, all you have to do is scan a QR code to enlist the phone. After that, validating the connection via Touch ID or Face ID is enough.

Behind this new technology is, in fact, the FIDO Alliance consortium, which has been trying for several years to establish its passwordless authentication standard. The level of security is significantly higher, as it uses an asymmetric cryptography protocol to validate connections, which makes it impervious to phishing attacks.

However, a user who wants to connect to an online service must first go through an enrollment step, which consists of generating a private key and a public key in an “authenticator” device (a browser, a smartphone, a connected watch, etc.). The public key is transmitted to the service provider and the private key remains stored on the device. When the user wants to connect, they send an authentication message signed with the private key to the service provider, who can verify the signature with the public key.
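The enrollment and login exchange described above, as an added example that is not from the article, Apple or the FIDO Alliance: a simplified Node.js model, not the WebAuthn wire format, in which the `Authenticator` and `Service` classes, the user name and the origins are constructed for illustration. It goes slightly beyond the paragraph by showing a single-use random challenge and the binding of the signature to the site's origin, which is why a login relayed through a look-alike site fails.

```javascript
// Added illustration: simplified model, not the WebAuthn wire format. Names and origins are constructed.
const nodeCrypto = require("node:crypto");

// Bytes that get signed: the origin the client sees, a separator byte, the challenge.
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin), Buffer.from([0]), challenge]);

// Authenticator: one key pair per service; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  enroll(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key goes to the service
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin); // undefined when nothing was enrolled for this origin
    return key ? nodeCrypto.sign("sha256", payload(origin, challenge), key) : null;
  }
}

// Service: stores public keys and issues single-use random challenges.
class Service {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is accepted once
    if (!challenge || !publicKey || !signature) return false;
    return nodeCrypto.verify("sha256", payload(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const site = new Service("https://shop.example");
  site.register("alice", phone.enroll(site.origin));
  const sig = phone.sign(site.origin, site.newChallenge("alice"));
  const login = site.verify("alice", sig);
  const replay = site.verify("alice", sig); // challenge already consumed
  // A look-alike page relays a fresh challenge, but no key exists for its origin.
  const relayed = phone.sign("https://shop-example.test", site.newChallenge("alice"));
  return { login, replay, lookalike: site.verify("alice", relayed) };
}
```

`demo()` returns `login: true` for the genuine site and `false` for both the replayed signature and the look-alike origin.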

The problem, until now, was that the enrollment procedure was too tedious: private keys had to be generated for each service and each device the user owned. This is why the FIDO Alliance has created a new version of its standard. Called “Multidevice FIDO”, it allows the connection procedure to be relayed to an authenticator device, which simplifies use. And that is exactly what we saw in the Apple conference.

However, will we really be able to “replace passwords for good”, as Darin Adler, vice-president of Internet Technologies at Apple, hoped during the keynote? Nothing is less certain at present, as service providers will have to play along and implement this authentication technology on their side.

Source: Apple
