One-time codes have similar problems, though there are some modern mitigations you can put in place. Password managers can provide hints about phishing - such as not offering to fill a password on a phishing site that looks otherwise legitimate - but they still can’t prevent someone from manually entering the password themselves and getting phished. Remembered passwords also don’t offer any kind of phishing resistance. Some password managers and second-factor solutions can help with recovery but tend to face similar problems. This can reduce the entire account’s security level to the level of security of the email provider, which is generally not something you control. This means apps and websites need a separate recovery flow, which today is usually a link in an email. Also, if passwords are in your head, you can forget them. And single-use codes can also help but are still subject to many of the same problems as passwords, since they’re still typeable, phishable, shared secrets. A password manager can be used to create strong and unique passwords, but it is only as strong as the password - and potentially additional factors - that you use to protect it. Passwords that can be remembered probably aren’t strong and unique for every account. They’re all pretty easy to use, they all work on most devices, and they’re more or less always with you. But for this video, I’m going to be focusing on nonfederated authentication options. Federated authentication lets people keep their trust confined to a small number of highly protected accounts. Some apps and websites alternatively choose to outsource authentication entirely to a third party through federated authentication, such as Sign in with Apple. macOS Monterey and iOS 15 even have a code generator built in to the iCloud Keychain password manager, which you can learn more about in the “Secure login with iCloud Keychain verification codes” video from my teammate Eryn. Service owners can also add additional steps to the login flow, such as requiring a password plus an additional factor like an OTP for instance, an SMS or a generated one-time verification code. iCloud Keychain’s password manager is built in to your Apple devices, and we’ve made APIs available for third parties to integrate their own password managers into the system. Password managers can create strong, unique passwords per account, and can provide hints about some forms of possible phishing. But it turns out that people generally aren’t good at coming up with and remembering strong and unique passwords for every account. At first, passwords were mostly stored in people’s heads. Authentication technology has continued to evolve to try to mitigate some of these risks. In fact, according to the 2020 Verizon Data Breach Investigation Report, more than 80 percent of hacking-related data breaches involved the brute force of credentials or using lost or stolen credentials. And if a secret like a password does get out, using weak passwords or reusing the same password across multiple accounts can quickly compound the problem. Phishing - such as fake emails and phone calls or misleading websites - is the most common way for the wrong party to learn a secret. Each time that secret is shared, there’s a risk that someone other than the intended recipient learns that secret. Most authentication today relies on the user and server sharing a secret - like a password - when the account is created, and resharing that secret during every authentication. First off, protecting secrets is hard, especially when those secrets are shared. As authentication technologies have evolved over the years, there are a few fundamental lessons that the industry has learned. But developers, users, and the industry as whole have collectively learned that this great convenience of being able to quickly authenticate to sign in to an account comes at a cost to account security. The iconic User name and Password field pair is instantly recognizable and really easy to use, and most people immediately know what to do when they encounter it. Every time you sign in to an app or website today, you’re probably entering a password. ♪ Bass music playing ♪ ♪ Garrett Davidson: Hi, I’m Garrett, an engineer on the Authentication Experience team, and I'm very excited to give you a peek into what we’ve been working on: the first step Apple is taking to support the industry-wide transition away from passwords.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |