Tech giants Google, Microsoft and Apple are jointly rolling out a new approach to sign-in that promises to put an end to phishing as we know it. Rather than inventing something from scratch, it builds on the FIDO Alliance standards (FIDO2, meaning the W3C WebAuthn API in the browser and the CTAP protocol between browser and authenticator) and on proven, widely deployed technology such as public-key cryptography, smartphones and Bluetooth, so that a device the user already owns can securely vouch for that user to computers and to the web.
Essentially, the model takes multifactor authentication (MFA) to a new level, and one that is badly needed. The elegance of the design is that it removes the password altogether and replaces it with a passkey: a FIDO credential consisting of a cryptographic key pair created for one specific site, whose private half never leaves the user's authenticator. The authenticator holding the passkey can be a mobile phone, a USB security key, or a laptop or desktop with a built-in fingerprint reader or camera.
The passkey is only one of three layers that together make this MFA phishing-resistant. The authenticator stores the private key of each passkey and uses it to sign a fresh, per-login challenge, which lets the user log on to desktops, laptops, tablets and websites with ease; the server holds only the matching public key, which is of no use to anyone who steals it. A passkey can be synced across several of the user's devices, the standard is cross-platform (Windows, macOS, Linux, iPhone, Android), and FIDO2 is an open standard rather than a proprietary scheme.
Furthermore, if a user's phone or computer is lost, destroyed or stolen, a synced passkey is still present on the user's other devices, through the platform's end-to-end encrypted credential sync (iCloud Keychain on Apple devices, Google Password Manager on Android), and can be restored to a replacement device from there. Lost or stolen authenticators were a major conundrum for earlier MFA methods: if the user lost the device, their secure access went with it, and they had to fall back to a vulnerable username and password.
The next critical layer of big tech's authentication model is the user. Using a fingerprint, face recognition through the phone camera or webcam, or a device PIN, the user unlocks the passkey and signs in to a computer or website without a username and password. Note the mention of "website". When logging into a website, the browser hands the authenticator the site's identity (the relying party ID, derived from the page's real origin) together with a one-time challenge from the server, and the authenticator signs both with the private key it holds for that site and for no other. A look-alike phishing domain has a different origin, so either no matching passkey exists on the device or the signature carries the wrong origin and the genuine site rejects it. Herein lies one aspect of its strong anti-phishing capability.
The final major element of this FIDO-based model uses Bluetooth as a proximity check. When the passkey lives on a phone and the user is signing in on another device, such as a desktop, laptop or tablet PC, the phone must be within Bluetooth Low Energy range of that device (on the order of 30 ft) before the sign-in can complete. Hackers typically sit on the other side of the planet. This is the crushing blow to a remote attacker: if a victim is tricked into scanning a sign-in QR code that was generated on the attacker's own computer, the attempt fails because that computer cannot hear the victim's phone over Bluetooth. Combined with the origin binding above, it leaves the so-called man-in-the-middle (or adversary-in-the-middle) phishing proxy with nothing usable to relay.
Of course, one possible outcome of this new MFA solution from the tech giants is a bifurcation of the Internet or Web, something we have not heard of since the Net Neutrality debate that emerged in the early part of the century. If this authentication model takes off or quickly becomes a de facto standard at the enterprise level, whole sections of the Web that have not adopted it, whether through inertia or cost, could come to be deemed unsafe and labeled a variant of the Dark Web. Perhaps industry or government will step in to bridge the potential chasm, since phishing has become a global epidemic with no end in sight, until now.
To review, Google, Microsoft and Apple will be the first to implement the new MFA on their respective platforms. The first pieces of the standard may debut this fall and in the 2023 new year on the tech giants' own properties. Small and medium-sized businesses (SMBs) will no doubt follow suit once it is fully tested and refined, though perhaps at a cost. So phishing is not about to go away overnight, especially for the SMB sector.
Further reading:

- How Apple, Google and Microsoft Will Kill Passwords and Phishing in One Stroke
- How FIDO Addresses a Full Range of Use Cases
- One Step Closer to a Passwordless Future
- Expansion of FIDO Standard and New Updates for Microsoft: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633