The first Thursday of May is apparently “World Password Day,” and to celebrate Apple, Google, and Microsoft are launching a “joint effort” to kill the password. The major OS vendors want to “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”
The standard is being called either a “multi-device FIDO credential” or just a “passkey.” Instead of a long string of characters, this new scheme would have the app or website you’re logging in to push a request to your phone for authentication. From there, you’d need to unlock the phone, authenticate with some kind of pin or biometric, and then you’re on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.
A graphic has been provided for the user interaction:

Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, “Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user’s phone during authentication.” Bluetooth has a terrible reputation for compatibility, and I’m not sure “security” has ever been a real concern, but the FIDO Alliance notes that Bluetooth is just “to verify physical proximity” and that the actual sign-in process “does not depend on Bluetooth security properties.” Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.
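The phishing resistance the whitepaper refers to comes from the WebAuthn signature itself, not from Bluetooth: the phone signs the server's challenge together with the origin the browser is actually on, so an assertion collected on a look-alike site does not verify at the real one. The following is an added example (not code from Ars Technica, the FIDO Alliance, or any vendor) that models just that relying-party check in Go with a constructed P-256 passkey; it omits the rpIdHash, flags and counter checks, attestation, and the proximity step of a real WebAuthn flow, and every value in it is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors the browser-built clientDataJSON; the assertion signature covers it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // the origin the browser is really on, not what a page claims
}
// signedMessage is what the passkey signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// VerifyAssertion is the relying-party check: the challenge must be the one this server
// issued, the origin must be this server's own, and the signature must verify under the
// public key stored at registration.
func VerifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, authData, cdj, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig)
}

// Demo runs one genuine login and one where a look-alike site relays the real challenge
// to the victim's phone; all values are constructed, not captured from a live flow.
func Demo() (genuine, relayed bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the passkey, held by the phone
	authData := []byte("constructed-authenticator-data")    // real: rpIdHash || flags || counter
	challenge := "constructed-challenge-0001"               // real RPs draw this randomly per login
	good, _ := json.Marshal(clientData{"webauthn.get", challenge, "https://example.com"})
	sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, good))
	genuine = VerifyAssertion(&key.PublicKey, "https://example.com", challenge, authData, good, sig)
	// Same challenge, same phone, but the browser records the look-alike origin it is on.
	bad, _ := json.Marshal(clientData{"webauthn.get", challenge, "https://examp1e.test"})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, bad))
	relayed = VerifyAssertion(&key.PublicKey, "https://example.com", challenge, authData, bad, sig)
	return
}
```

Demo() returns (true, false): the genuine assertion verifies and the relayed one is rejected before the signature is even checked, because the origin field does not match.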
Similar to how a password manager can unify your logins under a single password, your passkeys can be backed up by some big platform-holder like Apple or Google. This would let you easily bring your credentials to a new device, prevent you from losing them, and make it easy to sync passkeys across devices. If you lose your device, you can still recover your accounts by signing in (uh—with a password?) to your big platform-holder account. It may also be a good idea to have more than one device set up as an authenticator.
Companies have been trying to go “passwordless” for years, but getting there has been tough. Google has a whole timeline on its blog post starting from 2008. Passwords work fine if they are long, random, secret, and unique, but the human element of passwords is always a problem. We aren’t great at memorizing long, random strings of characters. It’s tempting to write down passwords or reuse them, and phishing schemes try to trick you into giving your password to a third party. When a security breach happens, username and password pairs are easy to share, and there are huge databases of compromised credentials out there.
The FIDO blog post says: “These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.” Apple, which seems to have started the whole “passkey” trend, already has a system up and running in iOS 15 and macOS Monterey, but it’s not compatible with other platforms yet. Google’s passkey support has already been spotted in Play Services on Android, so it should quickly be supported by even older Android devices as soon as it’s ready.
Source: Apple, Google, and Microsoft want to kill the password with “Passkey” standard | Ars Technica