Jump to content

Password manager


Recommended Posts

  • Forum Support

Interesting article on what we might see in the future for password management.

https://9to5google.com/2022/04/19/android-google-account-passkey/

The security industry, as organized by the FIDO (Fast IDentity Online) Alliance, has been working to replace passwords given people’s tendency to use weak ones or reuse them. Two-factor authentication (2FA) has helped to remedy that but the future is “passkeys,” with Android and Google readying support.


AD
 
About APK Insight: In this “APK Insight” post, we’ve decompiled the latest version of an application that Google uploaded to the Play Store. When we decompile these files (called APKs, in the case of Android apps), we’re able to see various lines of code within that hint at possible future features. Keep in mind that Google may or may not ever ship these features, and our interpretation of what they are may be imperfect. We’ll try to enable those that are closer to being finished, however, to show you how they’ll look in case that they do ship. With that in mind, read on.

If successfully adopted, signing-in to a web service will no longer involve entering a password. This includes those that are auto-filled, which is the commonplace behavior of password managers built-in to today’s browsers and operating systems. Rather, the FIDO approach leverages cryptographic keys. Before a sign-in occurs, end users simply unlock their device (passcode, fingerprint, face unlock, etc). 

During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. 

FIDO Alliance

Instead of passwords, you will have “passkeys” that are stored on your device and the operating system’s associated cloud sync service. In the case of Android, passkeys – which is the name Apple will also be using – are saved to your Google Account (presumably a similar Password Manager is used) as explained by new strings in the latest version of Google Play services (version 22.15.14). 

<string name=”fido_passkey_welcome_title”>Hello passkeys, goodbye passwords</string>

<string name=”fido_passkey_welcome_text”>Passkeys provide better protection than passwords \u2013 and they\u2019re safely saved in your Google Account. &lt;br/&gt;&lt;a href=%1$s&gt; Learn more &lt;/a&gt;</string>

You’ll still have to know your primary Google Account (or Apple ID) password, especially when switching to a new device, but this fully realized future means that’s the only one you really have to remember.

Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts, and on the security method for reinstating access when all (old) devices were lost.

FIDO March 2022 white paper

Work in Play services is still underway, while third-party adoption is a big requirement for all of this to work. The string today suggests Google will be making a pretty user-facing push encouraging passkey adoption as seen by “Hello passkeys, goodbye passwords” and the cover image above.

 

  • Like 2
Link to comment
Share on other sites

13 hours ago, Mike J said:

Interesting article on what we might see in the future for password management.

https://9to5google.com/2022/04/19/android-google-account-passkey/

The security industry, as organized by the FIDO (Fast IDentity Online) Alliance, has been working to replace passwords given people’s tendency to use weak ones or reuse them. Two-factor authentication (2FA) has helped to remedy that but the future is “passkeys,” with Android and Google readying support.


AD
 
About APK Insight: In this “APK Insight” post, we’ve decompiled the latest version of an application that Google uploaded to the Play Store. When we decompile these files (called APKs, in the case of Android apps), we’re able to see various lines of code within that hint at possible future features. Keep in mind that Google may or may not ever ship these features, and our interpretation of what they are may be imperfect. We’ll try to enable those that are closer to being finished, however, to show you how they’ll look in case that they do ship. With that in mind, read on.

If successfully adopted, signing-in to a web service will no longer involve entering a password. This includes those that are auto-filled, which is the commonplace behavior of password managers built-in to today’s browsers and operating systems. Rather, the FIDO approach leverages cryptographic keys. Before a sign-in occurs, end users simply unlock their device (passcode, fingerprint, face unlock, etc). 

During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. 

FIDO Alliance

Instead of passwords, you will have “passkeys” that are stored on your device and the operating system’s associated cloud sync service. In the case of Android, passkeys – which is the name Apple will also be using – are saved to your Google Account (presumably a similar Password Manager is used) as explained by new strings in the latest version of Google Play services (version 22.15.14). 

<string name=”fido_passkey_welcome_title”>Hello passkeys, goodbye passwords</string>

<string name=”fido_passkey_welcome_text”>Passkeys provide better protection than passwords \u2013 and they\u2019re safely saved in your Google Account. &lt;br/&gt;&lt;a href=%1$s&gt; Learn more &lt;/a&gt;</string>

You’ll still have to know your primary Google Account (or Apple ID) password, especially when switching to a new device, but this fully realized future means that’s the only one you really have to remember.

Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts, and on the security method for reinstating access when all (old) devices were lost.

FIDO March 2022 white paper

Work in Play services is still underway, while third-party adoption is a big requirement for all of this to work. The string today suggests Google will be making a pretty user-facing push encouraging passkey adoption as seen by “Hello passkeys, goodbye passwords” and the cover image above.

 

Looks like FIDO is a reboot of PKI technology that has been around for a long time. With FIDO you would have a small USB hardware security FOB where your encryption keys are stored. This is big move in the right direction. The only problem is getting website/app and user adoption. I like that better than trusting Google to store your encryption keys.

https://fidoalliance.org/how-fido-works/

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...