
This article is taken from the monthly journal Sciences et Avenir – La Recherche #913 of March 2023.
Life without a password… The dream of every Internet user: no more creating and typing those endless combinations of letters, numbers and special characters recommended by computer security experts. However, between e-commerce, social networks, government services, banks and online insurance, today's Internet user has to juggle dozens of personal accounts. It is impossible to remember all the corresponding passwords without reusing the same one several times, which is the last thing you should do if you want to avoid being hacked too easily.
It is in this context that Apple launched Passkey with the September 2022 rollout of iOS 16, the latest version of its mobile operating system. The promise? No more passwords! This authentication system has in fact been in preparation for many years within the FIDO Alliance, which brings technology manufacturers together (Meta, Amazon, Intel, Microsoft, PayPal, Google, etc.) to define authentication standards. It has also been adopted by Google for Android mobile devices and the Chrome browser, by Microsoft and even by PayPal.
When a user registers with an online service or mobile application using a passkey, two cryptographic keys specific to that service are generated. One, the private key, remains in a locked and encrypted location on the user's device. The other, the public key, is stored on the service's server, and is neither secret nor hidden.
Each access request takes the form of a cryptographic challenge: the online service uses the public key to pose a mathematical problem that can only be solved with the private key. To bring the private key into play, the user first unlocks the device in the usual way (PIN code, fingerprint, facial recognition, etc.), then enters a username and, instead of adding a password, taps the “Passkey” icon.
“The Internet user thus proves that he has the correct secret key, but does not disclose this key,” summarizes Mathieu Cunche, lecturer and researcher at the National Institute of Applied Sciences (Insa) in Lyon and a member of the privacy team at Inria (the French national institute for research in digital science and technology). Using cryptographic keys is nothing new. What is new is that the digital giants are deploying them on a large scale to make them a standard.
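As an added illustration of the registration and challenge steps just described (example code written for this article, not Apple's, the FIDO Alliance's or any vendor's implementation), here is a minimal passkey flow in Go: the device keeps one private key per service, the server keeps only the public key, and each login signs a fresh server challenge. The relying party IDs used in the comments and tests (bank.example and a look-alike) are constructed placeholders, Ed25519 stands in for the signature scheme, and the user's unlock step is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator: one private key per service (relying party ID), i.e. the device's locked store.
type Authenticator map[string]ed25519.PrivateKey

// Server keeps only the public key, plus the challenge currently pending (single use).
type Server struct {
	rpID    string
	pub     ed25519.PublicKey
	pending []byte
}

// Register generates a service-specific key pair; the server learns the public half only.
func Register(a Authenticator, s *Server) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a[s.rpID], s.pub = priv, pub
	return nil
}

// Challenge issues a fresh random 32-byte challenge, the "problem" the private key must answer.
func (s *Server) Challenge() []byte {
	s.pending = make([]byte, 32)
	rand.Read(s.pending)
	return s.pending
}

// Respond signs with the key registered for the rpID the device is shown (user unlock step omitted);
// the rpID is part of the signed message, so a response made for a look-alike site fails on the real one.
func (a Authenticator) Respond(rpID string, challenge []byte) []byte {
	priv, ok := a[rpID]
	if !ok {
		return nil // no passkey for this service: nothing to sign with
	}
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...))
}

// Verify checks the response with the stored public key, then retires the challenge (no replay).
func (s *Server) Verify(sig []byte) bool {
	c := s.pending
	s.pending = nil
	return c != nil && s.pub != nil && ed25519.Verify(s.pub, append([]byte(s.rpID+"|"), c...), sig)
}
```

The private key never leaves the Authenticator map, and a server holding only the public key cannot be used to impersonate the user elsewhere.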
Limitations when moving to another technological ecosystem
As this shows, the private key is tied to the user and to his device, or to several synchronized devices within the same technological ecosystem (Apple, Google). This makes the system all the more secure, given that until now alternatives to passwords such as biometrics (see box below) or password managers have never been fully convincing. However, passkeys have their limitations. If the Internet user originally generated keys on Android, they remain valid after a switch to an Apple device, but they must be transferred manually, one by one, to the new secure store.
And, by definition, a passkey cannot simply be used on a computer other than your own. In that case, the online service you want to access displays a QR code, which you scan with the smartphone that stores the corresponding private key. Bluetooth must be enabled so that the system can verify that the smartphone and the computer are physically close to each other, and that this is not a remote access attempt by a hacker.
The dashed hopes of biometrics
A fingerprint, the pattern of veins in an arm, an iris, a face… Biometric data, inextricably linked to its owner, was once considered the ideal form of authentication. However, it suffers from two main problems. Most biometric traits are said to leave traces, meaning they can be collected by a third party, and this applies not only to fingerprints. In France, the National Commission for Computing and Liberties (CNIL) considers that, with the current state of technology, this applies to all biometric data. The other problem is their permanent nature. If a password is stolen, the user can set a new one and make the compromised one obsolete. This is not possible with biometrics. That is why biometrics are recommended only for specific access in contexts that are already highly secured and private, and in combination with other means of authentication.
“But, above all,” notes Mathieu Cunche, “this device strengthens the power of Gafam (the web giants, editor's note), which position themselves as digital authentication providers. And once again they make themselves indispensable.” It remains to be seen whether enough online services will offer this system for it to become a long-term solution. Because, paradoxically, while the limitations of passwords are universally recognized, authentication research is less about removing them than about reinforcing them with other methods.
In 2015, a doctoral student at the Laboratory for Image Processing and Information Systems (Liris) near Lyon proposed authenticating participants in online learning platform certifications by their “interaction footprints”. To enter the platform, the classic username-password pair remains in use; but then elements such as session duration, multiple-choice quiz scores, content viewed and reaction time are recorded throughout the course to characterize the learner's online behaviour. “With each new action, we calculate a signature that gets a score to tell if the person who has been trained has changed,” explains Fatma Derbel, the project's author. The idea is to detect cheating where a student is replaced by someone else during an exam. An experiment using this method is being prepared.
A digital fingerprint built from device data
Another area of research is browser fingerprinting, that is, the digital fingerprint of the device, made up of technical elements: operating system version, browser extensions, language, time zone, font size, sound settings, etc. It has already been shown that such a data set can distinguish one user from another. However, while it is used for advertising tracking, it is not yet used for online identity verification. Not even for payments, notes Antonin Durey, who in 2022 defended a thesis on browser fingerprinting in the Spirals team at the Cristal laboratory and the Inria centre at the University of Lille.
The solution developed in this thesis not only collects 50 fingerprint attributes but also determines how they depend on one another, to make it easier to distinguish between devices. The algorithm weights each element contributing to the fingerprint's uniqueness, giving less weight to those that change most often. The challenge is to guarantee authentication (or block illegitimate access attempts) even though, by definition, the fingerprint is unstable (updates, changed settings, etc.). “The authentication system has a stock of multiple fingerprints for the same computer, and on each connection the algorithm evaluates whether any changes are due to simple fingerprint evolution, or whether there are too many differences for it to be the same computer.” The Institute of Technology Research (IRT) B-Com has developed a similar system, called Serenity.
What is the point of browser fingerprinting? Neutralizing a stolen password, in particular one stolen by phishing, where Internet users are lured with links to web pages that mimic those of legitimate sites (tax authorities, La Poste, banks, etc.). “When the thieves go to the real site, they may have a password, but they will be blocked because they will use the wrong computer,” summarizes Gaëtan Le Guelvouit of IRT B-Com.
To cope with fingerprint evolution, the team trained its algorithm on a database of millions of digital fingerprints and their changes over time, so that it can determine whether two fingerprints belong to two computers or to the same one. The password is therefore not replaced by the digital fingerprint; rather, the two are linked, with the second being computed and checked when the Internet user submits the first. “A digital fingerprint cannot be falsified,” Antonin Durey warns, “a cyber attacker can collect it, copy it. Its role is to strengthen authentication by setting the risk level of a connection attempt.”
interaction or digital fingerprint will become personal data, the use of which will have to be regulated? There is always normative thinking behind technology.
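The weighted comparison against a stock of previous fingerprints described above, as an added example in Go that is not the code of the Lille thesis or of B-Com's Serenity: the attribute names, the volatility figures (which stand in for change rates learned from a large fingerprint history) and the fingerprints used in the tests are all constructed for illustration. It shows that several changes to volatile attributes (browser update, new extension, new fonts) are accepted as ordinary evolution, while fewer changes to stable attributes (operating system, time zone) are treated as another computer, and that keeping the accepted fingerprints lets the comparison follow a device as it drifts.

```go
package main

// Fingerprint maps an attribute name to the value collected from the browser.
type Fingerprint map[string]string

// Volatility is how often each attribute was seen to change between visits of the same
// device (constructed figures, standing in for rates learned from a fingerprint history).
var Volatility = map[string]float64{
	"os": 0.02, "browser": 0.30, "language": 0.01, "timezone": 0.05,
	"fonts": 0.50, "extensions": 0.60, "audio": 0.03,
}

// weight gives attributes that rarely change more say in the comparison.
func weight(attr string) float64 { return 1 - Volatility[attr] }

// Distance is the weighted share of attributes that differ: 0 = identical, 1 = nothing in common.
func Distance(a, b Fingerprint) float64 {
	var diff, total float64
	for attr := range Volatility {
		w := weight(attr)
		total += w
		if a[attr] != b[attr] {
			diff += w
		}
	}
	return diff / total
}

// Account holds the stock of fingerprints already accepted for one user's computer.
type Account struct{ Known []Fingerprint }

// SameDevice accepts fp if it is within threshold of any known fingerprint (ordinary
// evolution) and adds it to the stock, so later comparisons follow the device as it changes.
// Anything further away is treated as another computer, even if the password was correct.
func (acc *Account) SameDevice(fp Fingerprint, threshold float64) bool {
	best := 1.0
	for _, known := range acc.Known {
		if d := Distance(known, fp); d < best {
			best = d
		}
	}
	if best > threshold {
		return false
	}
	acc.Known = append(acc.Known, fp)
	return true
}
```

In a real deployment the decision would feed a risk score rather than a hard block, as the quote above describes, and the volatility table would be learned rather than hand-set.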