Become a MacRumors Supporter for $25/year with no ads, private forums, and more!
  • Did you order new AirTags? We've opened a dedicated AirTags forum.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,473
14,166



Apple has joined the Fast Identity Online (FIDO) Alliance, an open industry association whose mission is to develop and promote stronger authentication standards and help reduce the world's over-reliance on passwords.

fido-alliance.jpg

Apple joins existing members Amazon, Facebook, Microsoft, Samsung and others in a common goal to secure online connections and support the adoption of the U2F authentication standard, which the alliance hosts.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or near-field communication (NFC) devices based on similar security technology found in smart cards. U2F security keys can be used as an additional method of two-step verification in online services that support the U2F protocol, such as Google, Dropbox, and Facebook.

Chrome, Firefox, Edge, and Opera browsers natively support U2F. With iOS 13.3, Apple's Safari also supports FIDO2-compliant physical security keys like the Lightning-equipped YubiKey.

With Safari support, the YubiKey 5Ci is a useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it in to an iPhone or Mac (there's also a USB-C connector) to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS.

FIDO was founded in 2013 by a group including Lenovo and Paypal to address the lack of interoperability among strong authentication. MacGeneration was first to spot Apple's logo added to the list of board members.

Article Link: Apple Joins the FIDO Alliance to Help Develop and Promote Authentication Standards
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,542
As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
 
  • Like
Reactions: tennisproha
Comment

Shirasaki

macrumors G4
May 16, 2015
10,518
4,266
I will wait for a more advanced and secured standard that has many built in loopholes to replace our password and security questions.
 
Comment

needsomecoffee

macrumors regular
May 6, 2008
230
576
Seattle
Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option ?? The bank is so progressive and great, yet fails so badly here.
 
Comment

cmaier

macrumors Core
Jul 25, 2007
21,850
25,351
California
How about a basic connector standard? We're sick of USB-A, USB-C, Lightning port and dongle roulette.
No “we” aren’t.
[automerge]1581429482[/automerge]
Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option ?? The bank is so progressive and great, yet fails so badly here.
FIDO is a second factor, not a replacement for the first factor (password).
 
Comment

Jsfrederick

macrumors newbie
Jul 22, 2017
18
17
Fredericksburg, VA, USA
FIDO is a second factor, not a replacement for the first factor (password).
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
 
Comment

cmaier

macrumors Core
Jul 25, 2007
21,850
25,351
California
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
Thanks for the info.
 
  • Like
Reactions: Peter K.
Comment

Gaspode67

macrumors regular
Jul 30, 2008
170
137
Oxon, UK
As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
I have U2F on a number of account using one of the options. I have two keys that cost me a total of £30 (approx $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob that you can connect any cable to. I only need to use it on a machine once unless I choose to logout from a service. If I do, I simply have to log into the service again (including the p/w for that service) then when asked connect the key in whatever way I want & press the button on top. Works a treat...

MVIMG_20200211_181420.jpg
 
Comment

cmaier

macrumors Core
Jul 25, 2007
21,850
25,351
California
I have U2F on a number of account using one of the options. I have two keys that cost me a total of £30 (approx $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob that you can connect any cable to. I only need to use it on a machine once unless I choose to logout from a service. If I do, I simply have to log into the service again (including the p/w for that service) then when asked connect the key in whatever way I want & press the button on top. Works a treat...

View attachment 893632

To me this is a horror. I finally got to the point where I no longer have to carry any keys!
 
Comment

[AUT] Thomas

macrumors 6502a
Mar 13, 2016
676
821
Graz [Austria]
too many passwords - the bane of modern computing
password... modern computing? That's an oxymoron.

Passwords should have gone extinct 10 years ago. You can make a 5000$ purchase with your bank card by putting in the card + PIN. Yet for onlinebanking you need to login with a username+passwords then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.

SmartCards existet for the past 20 years if not longer...
 
  • Like
Reactions: compwiz1202
Comment

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,693
Passwords should have gone extinct 10 years ago. You can make a 5000$ purchase with your bank card by putting in the card + PIN. Yet for onlinebanking you need to login with a username+passwords then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.

Even with smartcards, bankcard terminals are highly secure, locked down hardware with internal tamper resistance that only run certified software. Every few years, bankcard terminals have to be thrown out and replaced due to new standards (PCI).

If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
 
Comment

dwaite

macrumors 6502
Jun 11, 2008
355
277
No “we” aren’t.
[automerge]1581429482[/automerge]

FIDO is a second factor, not a replacement for the first factor (password).

U2F is a second factor only, but is the older version. FIDO 2 (CTAP2 + WebAuthn) allows for being a full passwordless authentication replacement.
 
Comment

dwaite

macrumors 6502
Jun 11, 2008
355
277
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN

To elaborate - you 'register' a 'FIDO authenticator' like a key fob at account creation time or while managing your account, which generates a cryptographic key pair. The public key gets associated with your account, while the private key never leaves hardware.

You can then use that key in the future to log in to that account. FIDO2 can associate save additional information such as an account identifier at registration time, allowing you to log in without providing any additional information. No typing in a username or password; just a tap/click to choose to authenticate, and then the action on the authenticator (button press?) to continue.

Older U2F models (and the equivalent flows for FIDO2 keys) require the site to present user-specific information in order to use the key after registration, because they don't necessarily have internal storage, or want to preserve limited hardware storage for private keys. For these cases, you have to identify the user first in order to get that user-specific information from the site - which is why these keys are only used for secondary authentication.

FIDO 2 allows you to use biometrics or a PIN code to do user verification on the hardware device, to do multi-factor authentication entirely by the hardware. You generally want to do multi-factor with FIDO (either on the hardware or in concert with a separate username/password), since otherwise you are only proving possession of the hardware.
 
Comment

[AUT] Thomas

macrumors 6502a
Mar 13, 2016
676
821
Graz [Austria]
Even with smartcards, bankcard terminals are highly secure, locked down hardware with internal tamper resistance that only run certified software. Every few years, bankcard terminals have to be thrown out and replaced due to new standards (PCI).

If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
That is absolutely correct. https://directrm.com/da-pin-pad-smart-card/ would solve the problem. That way the PIN is not entered on the devices keyboard. That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).
But that's just an example that we could have had a solution for that problem long ago...with barely any additional effort.
 
Comment

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,693
That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).

Not really. Those PIN solutions solve the issue of password compromise. PIN cards like those, and even the EMV standard do not solve the problem of MITM attacks which have become prevalent. A simple phishing attack can defeat PIN cards and OATH tokens. FIDO U2F and FIDO2 solve this, but require hooking into the browser to obtain domain information.

The second problem that FIDO solves is one of privacy. The protocol is specifically designed so that the same token can be used by multiple users in combination with multiple sites without the ability to correlate use. In contrast, PIN cards and smart cards had the issue of "wallet explosion" in which security concerns meant that every account needed a different card by a different vendor.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.