
Microsoft, Google do a victory lap around passkeys

Windows giant extends passwordless tech to everyone else

Jessica Lyons Thu 2 May 2024 // 23:03 UTC

Microsoft today said it will now let us common folk — not just commercial subscribers — sign into our Microsoft accounts and apps using passkeys with our face, fingerprint, or device PIN.

The additional support for Microsoft consumer accounts works across Windows, Google, and Apple platforms, and Redmond described the move as a step closer to its 10-year dream: "A world free of passwords."

As of Thursday, people can sign into their Microsoft accounts using passkeys via desktop and mobile browsers, and we're told mobile app support is coming soon.

The timing isn't coincidental. Today is also World Password Day, which, albeit a made-up holiday, usually marks the occasion for tech companies to brag about what they are doing to move away from requiring or encouraging users to remember or jot down in some way unique, strong passwords for each app and online service they use.

True to form, Google also marked the occasion by proclaiming that its year-old passkey support hit a milestone.

"Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts," project managers Sriram Karra and Christiaan Brand said.

When Microsoft rolled out Windows Hello and Windows Hello for Business in 2015, it was detecting about 115 password attacks per second, or so says Redmond's Vasu Jakkal, corporate VP for security, compliance, identity and management, and Joy Chik, president for identity and network access.

As of 2023, that number had increased 3,378 percent to more than 4,000 per second.

"Password attacks are so popular because they still get results," Jakkal and Chik wrote in a blog post announcing the passkey support.

"It's painfully clear that passwords are not sufficient for protecting our lives online," they said. "No matter how long and complicated you make your password, or how often you change it, it still presents a risk."

Passkeys are based on a FIDO alliance standard that's supported by Apple, Microsoft and Google. Think of them as password replacements.

The tech, simply put, works like this: When you create an account for a website or app, your device generates a cryptographic public-private key pair. The site or app backend gets a copy of the public key, and your device keeps hold of the private key; that private key stays private to your gear. When you come to log in, your device and the backend authentication system interact using their digital keys to prove you are who you say you are, and you get to log in. If you don't have the private key or can't prove you have it, you can't log in.

Your device can secure that private key locally using something like a biometric face scan, a PIN, or a fingerprint. Thus if someone wants to break into your account, they'll need your device and that secret PIN or biometric scan to unlock the private key (or somehow get a copy of the private key). This is seen as more secure than making people remember or store passwords, and it ensures a unique key pair per account. For those wondering about multifactor authentication, it's kinda baked in: Typically a crook will need to get hold of your physical device, plus your secret or a physical part of you, to access the private key.

"Because this key pair combination is unique, your passkey will only work on the website or app you created it for, so you can't be tricked into signing in to a malicious look-alike website," Microsoft explained. "This is why we say that passkeys are 'phishing-resistant.'"

Ultimately, they aim to simplify security for users by relying on a face or fingerprint scan instead of requiring people to remember a unique 47-character password for every damn app and website they access that includes uppercase letters, lowercase letters, numbers, special characters, and the name of your first pet but only if they were a parakeet.

"The best part about passkeys is that you'll never need to worry about creating, forgetting, or resetting passwords ever again," according to Jakkal and Chik.

To be fair, this is probably an overstatement. Criminals are a cunning bunch, and they may find ways to break this latest approach — and we're not talking about cutting off people's fingers or faces. 

But on this World Password Day, here's hoping we can bask in the simplicity and security of passkeys for at least another year.

 https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

Apr 11, 2024
5 easy tasks that supercharge your digital security

Protecting your personal data isn’t just smart these days—it’s a necessity. As the world grows more and more connected, your private info becomes more and more valuable. Whether it’s using leaked info from website breaches to hack into your other accounts or holding your personal computer ransom for money, malicious evildoers won’t hesitate to ruin your day if it puts profits in their pockets.

#FIDO #FIDO2.0 Feb 29, 2024
FIDO 2.0's Answer to Credential Vulnerabilities

In an era where digital security is paramount, the persistent reliance on passwords remains a significant vulnerability for enterprises globally. FIDO 2.0 emerges as a timely solution, reimagining credential authorization using available technologies.


Legacy credential systems, rooted in the Internet 1.0 era, increasingly expose organizations to sophisticated AI-backed cyber threats. The 15% increase in attacks against Indian organizations, now averaging 2,138 attempts per week, can largely be attributed to these poorly secured credentials. As companies and industries continue to thrive throughout India and the region, security teams benefit from implementing new credential approaches such as FIDO 2.0 from the very first implementation of their networks.

Despite CISOs and cybersecurity practitioners' efforts in network security, advanced authentication implementation, and staff training on cyber hygiene, it still only takes a single breach to bring operations to a halt.

Changing the credentials status quo

Despite diverse authentication methods, the prevalent use of alphanumeric codes for logins continues to compromise organizational security.

Recent years have particularly highlighted these faults in the Asia Pacific region. This has resulted in:

- 31% of global attacks, as its digital transformation continues at a rapid clip across sectors.
- The most-hit sectors were governments, absorbing the brunt at 22% of the attacks.
- 49% of all attacks led to the compromise of sensitive information, with 27% of successful attacks disrupting core organization operations.

This goes beyond the financial and personal burden put on people as they try to understand if their information is compromised. 

In the past, these attacks were successfully conducted by identifying a vulnerability within a system and exploiting it using relevant tactics. However, today companies face two main threats, phishing attacks and device compromise.

Phishing attacks

The Microsoft breach was completely avoidable had they followed the FIDO2 standard, which they offer on their products and even require on their company GitHub.

It speaks volumes about the harm of relying on legacy credential authentication. With the compromise of a single account through a successful phishing attempt, hackers were able to put hundreds of organizations at risk, and the problem is scaling.

AI has significantly scaled and refined the accuracy of phishing attacks. While in the past it involved blasting out poorly written emails to many users, today’s attacks combine AI-crafted messaging with SMS push notifications and other forms of seemingly unthreatening behavior.

This has lowered the barrier to entry for threat actors, allowing them to wield greater technology without needing the technical know-how to exploit vulnerabilities. Instead, they can just ask employees to hand over the keys to the kingdom by clicking on a ‘change password’ link, responding to a seemingly harmless text, or entering credentials to get rid of pesky messages that look just as if they are coming from the company’s IT department.

Once in, the threat actor has full access to whatever the tricked user had, but take note: while within a network, information can be extracted and permissions elevated by curating just the right message with AI once again. This evolution in phishing attacks not only represents a technological shift but also a critical operational risk for organizations.

Implementing FIDO2 removes the risk of a SIM Swap attack, IdP MITM Phishing attacks, Push bombs, OTP MITM attacks, password spraying and lost/reused credentials.

Device compromise

Organizations permitting remote work or personal device use face an additional security challenge: unfamiliar devices.

IT operators have always struggled to identify and approve all devices on a network– again relying on usernames, passwords, and perhaps some other alphanumeric authentication technique. The danger lies in the possibility that these two-factor authentication methods may also be compromised alongside user credentials.

Adding to the complication, single sign-on has grown in popularity, but if a user is compromised, so too are the profiles created across all the tools they have given access to that single point. Even with organization-approved SSO in a secure environment, no matter how secure those APIs and authentications are, if the front door is still secured with a username, password, and alphanumeric authentication, then the risk is still ever-present.

Ironically, much of the hardware distributed within organizations already features secure, uncompromisable biometric capabilities. This makes device compromise not just a technical challenge, but a significant operational vulnerability.

FIDO 2.0: Elevating authentication and standards

This failure to evolve login credentials along with other technologies has been acknowledged by Google, Microsoft, Amazon, Apple, and others. To address the security gap and prevent organizations from falling victim to credential attacks, the FIDO alliance created new standards that leverage the existing on-chip security needed to properly authenticate both individual users and the devices they are operating on.

Examples of devices that are already in the workplace today and conform to Fast IDentity Online 2.0 (FIDO) are those that already require some kind of biometric or token authentication. This includes those with facial recognition, fingerprint, or physical device tokens such as a card or NFC wand.

The strength of this system lies in its symmetry between user devices and software authentication. Similar to leading smartphones’ advanced authentication, FIDO 2.0 mandates reciprocal verification by organizations based on established approvals and credentials.

By adding this layer of protection, the username and password combinations that we rely on become only one part of a more complicated authentication process in an organization's overall security posture and a significant hurdle to threat actors.

Securing endpoints and the cloud

As phishing attacks continue to target all users, it’s no surprise that the big prize lies in penetrating corporations.

Given the availability of these capabilities on corporate devices (and adaptability for older ones), urgent action by management to adopt these standards is essential to prevent potential multi-million dollar crises.

The integration of FIDO 2.0 standards isn't just a technological upgrade; it's a strategic imperative to fortify digital defenses in an increasingly interconnected world.

Why is FIDO2 more secure than Username/Password?

While I explored the inherent weakness in using username/password authentication, FIDO2 relies on a stronger authentication process.

To begin, each device or hardware token must be individually enrolled to allow FIDO2 authentication - this is done by creating a public/private key pair. In the case of an iPhone paired with a commercial identity provider like MS Entra ID or OKTA, the user interface will walk a user through this enrollment process. 

How it works under the hood: The public key portion is saved into the web service and assigned to the user identity. On the user device side, the private key is stored within the phone or laptop secure enclave. When the user authenticates to an enrolled web service, the web service prompts the user for the “Passkey” (the private key stored within the phone or laptop); the user is then prompted to unlock the device’s secure enclave, allowing the private key to be used to complete the challenge/response part of the authentication process. The private key never leaves the device and is much more secure than a traditional username/password.

Even though usernames and passwords will be used alongside FIDO2 authentication for some time into the future, in a FIDO2 implementation they cannot be used without the private key challenge/response piece of the authentication process. This means that if the username/password is lost or stolen, it is of little value and cannot alone be used for authentication.

Source :
By Josh Blackwelder, Deputy CISO at SentinelOne

https://www.koreaittimes.com/news/articleView.html?idxno=129140

#passkey #securitykey Feb 19, 2024
I Stopped Using Passwords. It’s Great—and a Total Mess

Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.

For two years, my Netflix password has been: tricke22ry-notiLonal-freely-soSak-lice-slacken. Yes, really. It is a strong, unique password, and it ticked boxes for reducing the chances of me getting hacked. But for all its security protections, the password was a nightmare to type into an onscreen TV keyboard, and it constantly annoyed members of my family who shared my Netflix login. It’s just the tip of my password suffering, though.

I use a password manager to generate and store all the login details for the 337 accounts I’ve made—from pizza delivery and airlines to social media and online shopping—over more than a decade online. However, using a password manager compulsively and having hundreds of strong passwords likely puts me in the minority: Many people use the same password across multiple accounts or use passwords that can easily be guessed.

Unlocking Passkeys

Put very simply, when you create a passkey, the website or app you’re using generates two pieces of code. One is stored by the website or app; the other is saved on your device. When you log in, you prove it is you via a face scan, fingerprint, PIN, or however you’d usually unlock your device, and the two pieces of saved code communicate with each other. That means that creating a passkey as a user is relatively simple. All you have to do is visit your account’s security settings and go through the options to set up and save a passkey. In most cases, that’s just a few clicks.

Logging in to my Coinbase account is the perfect example of how passkeys can work. To sign in to the cryptocurrency trading app—which I largely had forgotten I had an account with—it now just takes seconds. Opening the iPhone app, I can tap on the option to sign in with a passkey, which sits alongside the choice to enter my email address or sign in with an existing Apple or Google account. I tap the passkey option, and a popup appears to ask whether I want to “Use Face ID to Sign in?” and says it will use the passkey saved in my iCloud keychain. A quick face scan later, and I am logged in. No password, no username—under 20 seconds to sign in.

However, there are a few things that caused me problems setting up passkeys—my first attempt was disastrous. In that case, my work laptop wasn’t running an operating system that supports passkeys. While waiting for it to update, the PayPal app kept glitching and wouldn’t let me complete the passkey process. Then I couldn’t create one specifically for TikTok as I used my work Google account to create the account. When I tried to set up a passkey for Amazon and needed to scan a QR code on my phone, I found that my password manager, Bitwarden, currently doesn’t support passkeys on mobile. 

Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

“The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

Most of my work is done on my laptop—and it's rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

The Password’s Long Goodbye

You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

“They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.” 

The way we use passwords has been broken for a long time, but that’s finally changing. Over the past year, it has become possible to ditch the password and move to passkeys instead. Passkeys are generated codes—created using public key cryptography—that are stored on your device or in your password manager and let you log in to websites and apps using your fingerprint, face recognition, or a PIN. They can’t be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.

Google, Apple, Microsoft, Amazon, GitHub, PayPal, the UK’s National Health Service, OnlyFans, Nintendo, and more than 100 websites have started supporting passkeys. More than 8 billion online accounts can set up passkeys right now, says Andrew Shikiar, the chief executive of the FIDO Alliance, an industry body that has developed the passkey over the past decade. So, I decided to kill my passwords.

For the past month, I’ve been converting as many of my accounts as possible—around a dozen for now—to use passkeys and start the move away from the password for good. Spoiler: When passkeys work seamlessly, it’s a glimpse of a more secure future for millions, if not billions, of people, and a reinvention of how we sign in to websites and services. But getting there for every account across the internet is still likely to prove a minefield and take some time. 

#password #fido #passkey #MFA Feb 06, 2024
The end of passwords – and how businesses will embrace it

by Kate O'Flaherty, published 2024 Feb 02

What will the end of passwords look like in practice and what can businesses do to prepare?

It’s widely accepted that passwords are a flawed means of security. People use weak credentials; they can be forgotten, guessed, or exposed in breaches and they’re often reused across services. 

Big tech firms including Microsoft, Apple and Google have been moving towards a passwordless future for several years, with solutions such as security keys and, more recently, passkeys starting to take off as part of multi-factor authentication (MFA) setups.

The FIDO Alliance – which most big tech players are members of – is pushing hard for the demise of the password. But what exactly does “the end of the password” mean, in practical terms?

The idea is to eliminate dependence on passwords as a “primary mechanism for user authentication”, says Andrew Shikiar, executive director and CMO at the FIDO Alliance. In practical terms, this means the end of using knowledge-based “secrets” as the foundation to create, sign in, and recover online accounts, he says. 

“Passwords simply aren’t fit for purpose to protect today’s connected economy. They are too burdensome for humans to manage effectively and too easy for attackers to leverage to hack into corporate networks.”

The end of passwords: Strong alternatives

There are multiple systems that could help usher in the end of passwords, but no one solution is perfect. For example, biometrics can be secure but come with their own downsides, says Michael Jenkins, CTO at ThreatLocker. “Windows uses facial recognition, which can unlock too quickly, so you might walk away and leave your laptop exposed while it’s still unlocked.”

Fingerprint systems are a lot harder to get around, he says. “But the downside is, it may ask for your PIN number instead. These are a lot easier to guess.”

Passkeys, meanwhile, are “a great idea”, but they still need to be implemented across every website and application, says Darren James, a senior product manager at Specops Software. In addition, they can’t be used for initial login to a device and they aren’t very portable unless you store them on a token – which can be lost, broken, or stolen.

Handling passkeys is very different from passwords, says Mark Stockley, senior threat researcher at Malwarebytes. “Both users and support staff are likely to be less familiar with them, which is a speed bump to adoption.”

Yet Shikiar argues that implementing passkeys for MFA is fairly simple and won’t require most businesses to completely overhaul their pre-existing security processes. This is because the core functionality is built into the majority of end-user computing devices, enterprise software stacks, and identity management services, he says.

“Many organizations are already using identity management solutions such as Microsoft Entra ID, which already has support for these solutions built-in,” concurs Mark Lomas, technical architect at Probrand. 

However, the end of passwords will be easier in some sectors and businesses than in others. It is important to recognize that certain sectors could be forced to continue to use passwords, says Stewart Parkin, global CTO at Assured Data Protection. “Organizations with legacy systems may be challenged in integrating new technologies, while regulatory requirements in certain industries can create the need to continue password-based authentication.”

Software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID, says Lomas. “It's typically legacy software that will be unable to make the switch. In this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop and ensuring that access is protected by a passwordless login solution.”

The end of passwords: A future-proof successor

While there are multiple alternatives to passwords, passkeys are the only successor that “has the same availability and ubiquity”, says Shikiar. Therefore, they are the only currently available means to fully replace passwords, he says.

“Passkeys are built on open standards created within the FIDO Alliance and based on tried and tested cryptographic protocols,” says Shikiar. In addition, the technology is supported by all big tech and is device and operating system-agnostic, he says.

Passkeys are “far and away the best password alternative for online authentication”, agrees Stockley. “They are secure, easy to use and the cost of implementation is likely to get lower as they become more widely supported.”

But it’s important to realize that as we approach the end of passwords, replacements will have to compete with passwords which are themselves universally understood and very cheap to implement. “That's really hard,” says Stockley. “They're an authentication standard that dates from an era when managing low computing resources was the priority. Users understand them, support teams know how to support them and developers know how to implement them.”

Taking this into account, while some organizations may eventually go passwordless altogether, for now, many are supplementing passwords with MFA, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.

In the future, he predicts a mixed authentication setup will be the main choice for many businesses. “Some systems and services could use traditional passwords, some MFA, and some passwordless.”

Shikiar says there is “no need for any company to hang onto passwords”, but he does concede they will need to be “phased out over time”.  Initially, companies may keep them to help with account recovery until other possession-based factors are established, says Shikiar. If you do decide to make further moves away from passwords, the transition will depend on the organization, says Shikiar. “Many will have disparate legacy systems to grapple with, while for others it is more straightforward.”

When taking the plunge, Shikiar recommends a prioritization exercise. “Discover those systems that can migrate most easily and are most urgently in need of higher security.”

Transitioning from a password-centric security model requires a systematic approach, says Parkin. Organizations should begin with a comprehensive assessment for risk management, followed by pilot implementations in less critical areas, he says. “The integration of multi-factor authentication as an interim step can pave the way for a more seamless transition.”

Businesses can also take a “privileged user” approach by identifying employees with access to sensitive applications, and examining who is the most vulnerable to attacks, says Shikiar. “Migrate these users to phishing-resistant authentication as soon as possible and from there, you can start to work your way across the wider employee base.” 

Forum Questions Future of Digital Identity, Path Forward

Panelists at a recent policy forum said passkeys with detection-enabled biometrics make for a more secure online future, but accessibility and digital equity concerns must be addressed.

January 29, 2024

With data breaches that compromise personal info soaring — 2023 was a record year in the U.S., one report found — new methods of verifying identities are almost certainly on their way.


These will avoid reliance on passwords, Social Security numbers or other knowledge-based methods, thus helping defuse the danger of stolen personally identifying information, said several panelists during a recent policy forum co-hosted by the Identity Theft Resource Center (ITRC).

“The era of reliable identity verification based solely on knowledge and personal information is over,” said forum speaker, Caitlin Clarke, senior director for cybersecurity at the White House’s National Security Council.

Finding reliable and secure ways to verify identities online is an issue of increasing importance for state government. It touches many areas of modern state government work, from stopping unemployment insurance fraud to keeping children from accessing adults-only content online. A growing number of states are also exploring whether digital, mobile drivers' licenses (mDLs) can bolster privacy.

This all makes new methods of verification vital. One is multifactor authentication, which is more secure than passwords alone, said FIDO Alliance Executive Director Andrew Shikiar, but he argued that passkeys are more secure yet, and strong enough to stand alone as a factor. Passkeys synced across devices via the cloud can also provide a smoother user experience, because people don’t have to re-enroll each separate device in the authentication method, and may bypass problems such as a user physically losing devices.

Individuals use passkeys to approve the login attempt on their devices by entering the same PIN or biometric they use to unlock that device, per the FIDO Alliance. Speakers also homed in on the potential benefits of biometric authentication and identification.

ITRC Chief Operating Officer James Lee advocated facial comparison-based user verification, which he emphasized was different from facial recognition. According to the ITRC, the key difference is that facial comparison compares a person’s selfie or live image against the photo of them on their ID, whereas facial recognition compares a face to those in a database of many faces.

But biometric checks must be handled carefully.

For one, checks must include liveness detection; otherwise the system can be tricked, said Stephanie Schuckers, director of Clarkson University’s Center for Identification Technology Research. That means using sensors, accelerometers or challenge-and-response interactions to confirm it’s a real person, not a photo, video or deepfake.

Accessibility is a key concern, too. Not everyone has a smartphone or other device suited to capturing biometrics, Lee said.

Some cautioned against using biometrics as a primary solution, noting organizations must plan against something going wrong and collect only as much data as absolutely necessary. Otherwise the details they store could become a honeypot for hackers.

Schuckers said using approaches like the FIDO protocol enables biometric information to remain on users’ devices, avoiding organizations storing that information themselves.

Organizations can use still more methods too. The Social Security Administration (SSA)’s electronic Consent-Based Social Security Number Verification System is one example. It lets individuals permit a bank to contact the SSA to verify that identity details match those on file, said Jeremy Grant, coordinator for the Better Identity Coalition.

That model could be applied more widely, beyond just the financial sector. Grant’s Better Identity Coalition released a new report detailing policy recommendations and assessing government’s efforts thus far. The report praised federal promotion of multifactor authentication, but said the U.S. needs to do more to develop systems for digitally proofing identities across all sectors.

The report also urged the White House to create a task force of state, local and federal agencies focused on closing gaps between physical and digital credentials. The coalition urged federal agencies to ramp up efforts to create standards and guidance that could help states debut “remote identity proofing applications” for digital credentials like mDLs, as well as provide states with grant funding. Grant also praised mDL programs, while advocating increased focus on using them to support online verifications.

The Better Identity Coalition’s report also cautioned that efforts to promote digital identity must not overlook the challenges of people who struggle to get core, physical ID documents.

Ben Roberts is director of Foundry United Methodist Church’s Social Justice Ministries, which runs an ID Ministry program helping community members get identification documents. Roberts said during the panel that people who are homeless often have their documents destroyed or stolen. And replacing documents can be difficult due to the fees, transportation and long wait times.

Still, plenty of trust-building may need to happen before residents are comfortable with government retaining and vouching for their ID data.

 

[Source: Government Technology, January 29, 2024, Jule Pattison-Gordon]


Key Strategies for Enterprise Cybersecurity in 2024

As data theft becomes a more public matter, businesses will need to be more transparent in their messaging. This requires businesses to admit their mistakes and to provide details of how the issues are being mitigated.

 

By Nisha Sharma, January 4, 2024

 

 

As data breaches, threats, and fraud become smarter, more intense, and more impactful than before, businesses will require tougher cybersecurity solutions to stand a better chance of diminishing their impact.


According to Cybersecurity Ventures’s report



These attacks can include:

  • Data breach
  • Theft of intellectual property
  • Theft of personal and financial data
  • Fraud
  • Recovery and removal of hacked data and systems

Any of these cyber-attacks could do untold damage to the organization, so it is important for leaders to take suitable precautions to ensure minimal impact. With proactive monitoring and cyber safety tools, businesses could save billions in terms of financial and business losses every year.

 

So, what should be the focus for businesses to implement effective cybersecurity strategies in 2024?

Below are some ways enterprises can secure their businesses in 2024:

Strategy 1: Zero-trust Security Policies

Zero-trust security strategy will be a must-have approach in 2024 because:

  • Data breaches could cripple the brand:

A zero-trust model controls the damage even before a breach occurs. It can immediately restrict access points, network entries, servers, and system logins. The model can also limit the exposure of sensitive data by keeping firewalls updated at all times.

  • Network security:

Due to the increased use of hybrid work models, network security risks have increased over the last three years. With remote connections to the enterprise network, the perimeter may become weak and open to attack. Enterprises therefore need to deploy tools that support secure remote access at scale.

Unlike perimeter-based security, zero trust allows enterprises to securely and selectively connect users to applications, data, services, and systems in the cloud.

Zero Trust Security focuses on securing individual devices and users ahead of network security. Companies implementing zero trust security can:

  1. Protect sensitive data
  2. Conduct compliance auditing
  3. Detect risks faster
  4. Gain visibility into network traffic
  5. Control access in cloud environments

  • Continuous verification:

  1. Zero Trust security strategy will help in continuous verification of users’ identity, device security, and types of data access points.
  2. Enterprises can update their end-to-end encryption anytime to protect IPs, keep devices secure and authentic, and detect malicious activities.
  3. Identity management will further improve data behavior analysis to identify potential threats and mitigate them.

Strategy 2: Multi-factor Authentication (MFA)

Enterprise cybersecurity in 2024 must focus on updating multi-factor authentication parameters at scale.

The process of verifying identities will include a strong password management system, smart cards for verified access permissions, and fingerprint or face scans as biometric solutions.

An updated MFA system should enable a “notification through mobile app” method and an authenticator app for granting access to key data sources.

Global Password Security Report reveals that


Since mobile apps are becoming ubiquitous, companies need to ensure security of data access through the apps.

Amazon Web Services (AWS) has recently implemented a policy that mandates secure MFA for all accounts in 2024. This move will improve cloud security and reduce the risk of account compromise. B2B customers signing in to the AWS Management Console must use MFA to proceed.

  • Security Updates

To tighten enterprise cybersecurity, businesses must comply with modern data privacy regulations by government data protection authorities. To stay compliant, security teams should update systems and networks regularly.

  • Password-less authentication

In 2024, companies will see more adoption of passkeys and other MFA methods to access business assets.

Passkey adoption, along with biometrics, hardware tokens, and public-key cryptography, will replace the use of passwords.

These security technologies will also help mitigate phishing and social engineering, which target credential theft.

Here is how passwordless authentication will reduce risk:

  1. Usage of proximity badges, physical tokens, or USB devices (FIDO2-compliant keys)
  2. Usage of tokens or certificates
  3. Use of fingerprint, voice, facial recognition, or retina scanning
  4. Use of mobile phone application for authentication

In its report “Passwordless authentication market revenue worldwide from 2021 to 2030”, Statista says that

 

Strategy 4: Targeted Ransomware

As cybercriminals employ AI-driven ransomware, its impact is becoming more intense. With the help of AI, threat actors can deploy encryption techniques to penetrate data networks and other digital assets, easier and faster than before.

Here’s how enterprises can defend against ransomware in 2024.

  • Decryption Tools

Decryption tools are important for data recovery. They provide keys to unlock data from specific ransomware attacks.

Different decryption tools exist for targeting specific threats, decrypting affected data, recovering it, and re-encrypting it, helping to safeguard sensitive data from exposure.

  • Multi-Layered security

Integrating multiple security layers across the digital assets will help to build a strong security system. These may include:

  1. Security Information and Event Management (SIEM) analysis of logs for threat detection
  2. Regular patch management to update systems and close vulnerabilities
  3. Endpoint protection to stop ransomware on entry
  4. Network segmentation to secure pathways and isolate attacks

  • Backups

Backups are a critical activity in ransomware defense and useful for recovering data after an attack. Security teams can take backups effectively by employing the following:

  1. Backup encryption: It protects backup data from unauthorized access.
  2. WORM storage: It ensures backups remain unchanged (write once, read many)
  3. Backup verification: It will conduct automated checks to confirm backup reliability


Strategy 5: Cloud Security

Cloud cybersecurity is evolving into predictive and inventive security.

AI-driven security tools will help provide precise reports on the type of threats to expect. These predictive models can alert security teams about upcoming risks and attackers’ moves.

A Wrap up!

In 2024, cybersecurity risks will increase with the continuous digital transformation and technology deployment in enterprises. With emerging new technologies and tools, the threats are also constantly evolving. Interestingly, the same technologies that help fight threats will also aid attackers in creating the biggest risks.

It is now up to security teams to use these technologies wisely so that their enterprises stay safe and compliant.


#password #Passkey Dec 08, 2023
If you're using a password on this list, change it now – hackers could break into your account in seconds

Passwords protect some of our most personal information from prying eyes, but despite their critical role, millions are still relying on lacklustre combinations to keep their data safe. And when we say "lacklustre", we really mean it.

 

A list of the most common passwords of 2023 has been published and shockingly "123456" is in first place. The uncreative password was used over 4.5 million times by users online, researchers say, with the word "admin" a close second with 4 million uses worldwide.

 

Cybersecurity researchers worked with the team at NordPass – the password management software developed by the same minds as NordVPN – to put together the definitive list of the most common passwords of the year.

 

To do this, they scoured a database of 4.3TB (that's a whopping 4,300,000MB) extracted from a number of high-profile password leaks on the Dark Web to find the passwords that people relied on more than any others. NordPass only received statistical information from the researchers, there was no personal data included in the findings sent to the password management team.

 

Hackers can break into accounts secured by passwords like "123456" and "admin" in under a second, researchers at NordPass confirmed. If you have any online accounts protected with one of these passwords, then it's time to change to something new – and much more secure.

Numerical sequences crop up throughout the most common password list, with "123456", "12345678", "123456789", and "1234" all making it into the top five. In fact, one-third of the top 10 consists of numbers alone.

Find the complete list of the 10 most common passwords at the bottom of this article. 

According to the research, people tend to rely on the weakest passwords for their streaming services, like Netflix, Disney+, and Prime Video, reserving their strongest passwords for online banking.

Commonly used passwords for streamers included the cringe-inducing "Netflix", "netflix123", "disney123", and "disney2020". While researchers found people typically reserved their best passwords for financial accounts, weaker options like "visavisa1" and "paypal123" still crop up in the list.

This is a pattern that comes up time and time again. NordPass found that different platforms influence password habits, with the fourth most common password used to secure accounts on Amazon being (surprise, surprise) "amazon".

Some websites have strict conditions for passwords, forcing account holders to use at least one letter, number, and special characters. These conditions have pushed passwords like "P@ssw0rd" into the top 30 passwords worldwide, but unfortunately, it's done little to make users' data safer. According to NordPass, "P@ssw0rd" can be unlocked by hackers in under one second. 

 

A troubling 70% of the list of most commonly used passwords can be hacked in seconds, researchers say.

Tomas Smalakys, NordPass Chief Technology Officer said: "With the terrifying risks password users encounter, alternative methods in online authentication are now essential.

"Passkey technology, considered the most promising innovation to replace passwords, is successfully paving its way, gaining trust among individuals and progressive companies worldwide. Being among the first password managers to offer this technology, we see people are curious to test new things, as long as this helps eliminate the hassle of passwords."

So, what should you do? NordPass recommends creating a strong password with at least 20 characters and a mixture of upper- and lower-case characters, numbers, and special characters. Personal information that could be easily guessed by those who know you – like birthdays, pet names, and hometowns – should be avoided. Always create a unique password for every online account, NordPass says.

If you're struggling to think of something, using the first letter from each word in a line of poetry, a saying, or a song lyric that you're unlikely to forget can be a great way to quickly generate what appears to be a completely random jumble of characters. 

 

Password managers are also a popular way of securing your online accounts. These applications generate secure passwords for every account, with these stored in an encrypted safe that can be accessed from any of your devices. To log in, most of these applications only require a quick biometric check – facial recognition on the iPhone or a fingerprint scan on Windows PCs and Android.

NordPass is one option available alongside the likes of LastPass and 1Password.

Google and Apple both offer built-in password managers with their most popular products, dubbed Google Password Manager and iCloud Keychain respectively, that generate and store passwords.

Online accounts are increasingly turning to passkeys as a way to let users sign in to apps and sites the same way they unlock their devices – using a fingerprint, a face, or an on-screen PIN. Unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than one-time codes sent via SMS. Microsoft, Google, Apple and the FIDO Alliance are working together to bring passkeys to the web as an industry standard.

Although there are high hopes for passkeys, with Google even calling its rollout "the beginning of the end of the password", they're unlikely to eliminate old-fashioned passwords for some time. For the time being, we're still stuck with passwords for a huge number of our online accounts ...as such, it's time to ditch "password123" and think of something a little stronger. 

 

Top 10 Most Common Passwords

  1. 123456 (used 4,524,867 times)
  2. admin (used 4,008,850 times)
  3. 12345678 (used 1,371,152 times)
  4. 123456789 (used 1,213,047 times)
  5. 1234 (used 969,811 times)
  6. 12345 (used 728,414 times)
  7. password (used 710,321 times)
  8. 123 (used 528,086 times)
  9. Aa123456 (used 319,725 times)
  10. 1234567890 (used 302,709 times)
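
An added example (not NordPass's or the article's code) of a policy check that catches the patterns this research describes: it undoes the substitutions that complexity rules encourage so that “P@ssw0rd” is recognised as “password”, flags numeric sequences and service-name passwords such as “netflix123”, and applies the 20-character, four-class advice above. The top-10 list is the one from the article; the service-name list and the sample candidates are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Top-10 list from the NordPass research above, lowercased for comparison.
var commonPasswords = []string{
	"123456", "admin", "12345678", "123456789", "1234",
	"12345", "password", "123", "aa123456", "1234567890",
}

// Service names the research found embedded in passwords ("netflix123",
// "disney2020", "visavisa1"); a constructed list for this demo.
var serviceNames = []string{"netflix", "disney", "amazon", "paypal", "visa"}

// leet undoes the substitutions that complexity rules push people toward, so
// "P@ssw0rd" can be compared as "password".
var leet = strings.NewReplacer("@", "a", "0", "o", "$", "s", "1", "i", "3", "e", "!", "i", "5", "s")

func normalize(p string) string {
	return leet.Replace(strings.ToLower(p))
}

// isDigitRun reports whether p is digits only, each one following the previous
// by +1 (wrapping 9 -> 0): "123456", "1234567890" and the like.
func isDigitRun(p string) bool {
	if len(p) < 3 {
		return false
	}
	for i := 0; i < len(p); i++ {
		if p[i] < '0' || p[i] > '9' {
			return false
		}
		if i > 0 && p[i] != (p[i-1]-'0'+1)%10+'0' {
			return false
		}
	}
	return true
}

// Weaknesses returns every reason a candidate fails the advice in the article:
// not on the common list (even after undoing leet substitutions), not a numeric
// sequence, not built on a service name, at least 20 characters, and a mix of
// upper, lower, digits and symbols. An empty result means it passed these checks.
func Weaknesses(p string) []string {
	var reasons []string
	lower, norm := strings.ToLower(p), normalize(p)
	for _, c := range commonPasswords {
		if lower == c || norm == c {
			reasons = append(reasons, "matches top-10 common password "+c)
			break
		}
	}
	if isDigitRun(p) {
		reasons = append(reasons, "is a numeric sequence")
	}
	for _, s := range serviceNames {
		if strings.Contains(lower, s) {
			reasons = append(reasons, "contains the service name "+s)
			break
		}
	}
	if len([]rune(p)) < 20 {
		reasons = append(reasons, "shorter than 20 characters")
	}
	var hasLower, hasUpper, hasDigit, hasOther bool
	for _, r := range p {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasOther = true
		}
	}
	if !(hasLower && hasUpper && hasDigit && hasOther) {
		reasons = append(reasons, "does not mix upper, lower, digits and symbols")
	}
	return reasons
}

func main() {
	// Constructed candidates, including the article's "P@ssw0rd" and "netflix123".
	for _, p := range []string{"P@ssw0rd", "123456789", "netflix123", "Wtwm,wt-gtK!4xq7Lzp9"} {
		fmt.Printf("%-22q %v\n", p, Weaknesses(p))
	}
}
```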

 Original Article

FIDO Alliance study reveals growing demand for password alternatives as AI-fuelled phishing attacks rise

 

Increased desire for biometrics and awareness of passkeys increases imperative on service providers to enable stronger, more user-friendly sign-ins

  • Password usage without two-factor authentication (2FA) is still dominant across use cases – consumers enter a password manually nearly 4 times a day, or 1,280 times a year

  • But when given the option, users want other authentication methods – biometrics is both the preferred method for consumers to log-in and what they believe is most secure, while awareness of passkeys continues to grow

  • Online scams are becoming more frequent and more sophisticated, likely fuelled by AI – over half (54%) have seen an increase in suspicious messages and scams, while 52% believe they have become more sophisticated

  • The impact of legacy sign-in methods is getting worse – the majority of people are abandoning purchases and giving up accessing services online – this is 15% more likely than last year at nearly four times per month per person

The FIDO Alliance today publishes its third annual Online Authentication Barometer, which gathers insights into the state of online authentication in ten countries across the globe. New to the Barometer this year, FIDO Alliance has also begun tracking consumer perception of threats and scams online in a bid to understand anticipated threat levels globally.

The 2023 Online Authentication Barometer found that despite widespread usage of passwords lingering on, consumers want to use stronger, more user-friendly alternatives. Entering a password manually without any form of additional authentication was the most commonly used authentication method across the use cases tracked – including accessing work computers and accounts (37%), streaming services (25%), social media (26%), and smart home devices (17%). Consumers enter a password manually nearly four times a day on average, or around 1,280 times a year. The only exceptional scenario to this trend was financial services, where biometrics (33%) narrowly beat passwords (31%)* as the most used sign-in method.

This is especially interesting considering biometrics’ rising popularity as an authentication method. When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as favourite in both categories, rising around 5% in popularity since last year. This suggests that consumers want to use biometrics more but don’t currently have the opportunity.

“This year’s Barometer data showed promising signs of shifting consumer attitudes and desire to use stronger authentication methods, with biometrics especially proving popular. That said, high password usage without 2FA worryingly reflects how little consumers are still being offered alternatives like biometrics, resulting in lingering usage,” commented Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. 


Scams are getting more frequent and more sophisticated – likely fuelled by AI 

This year’s Barometer also unearthed consumer perception of threats and scams online. 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated.

Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person.

Shikiar added: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions like passkeys and on-device biometrics more readily available, rather than iterating on ultimately flawed legacy authentication like passwords and OTPs.” 

Passkeys, which provide secure and convenient passwordless sign-ins to online services, have grown in consumer awareness despite having been live for just over a year, rising from 39% in 2022 to 52% awareness today. The non-phishable authentication method has been publicly backed by many big players in the industry – Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, as has Apple, with other brands like PayPal also making these available to consumers in the last twelve months.

The impact of legacy sign-ins worsens for businesses and consumers 

The negative impact caused by legacy user authentication was also revealed to be getting worse. 59% of people have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year. Poor online experiences are ultimately hitting businesses’ bottom lines and causing frustration among consumers.

70% of people have had to reset and recover passwords in the last two months because they’d forgotten them, further highlighting how inconvenient passwords are and their role as a primary barrier to a seamless online user experience. 

 

Original Article

Google Steps Up Its Push to Kill the Password

LESS THAN SIX months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further and will make passkeys the default login setting for users.

When you log in to your Google account, you’ll get a prompt to create a passkey and start using it for login instead of relying on your Gmail address and password. Google will be turning on the “skip password when possible” option in account settings, which is essentially the passkey green light. Users who don't want to kill their password just yet will still be able to turn that setting off so they don't receive the prompts.

 

Password-based authentication is so ubiquitous in digital systems that it isn't easy to replace. But passwords have inherent security problems because they can be guessed and stolen. And since it's so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts, making it easier for attackers to unlock all of those accounts in one fell swoop. Passkeys are specifically designed to address these issues and dramatically reduce the risk of phishing attacks by instead relying on a scheme that manages cryptographic keys stored on your devices for account authentication.
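
The scheme the paragraph above sketches, as an added example that is neither Google's nor WIRED's code and that also illustrates the earlier claim (in the common-passwords article) that passkeys resist phishing: a simplified WebAuthn-style ceremony in Go, where the relying party stores only a public key, each login signs a fresh challenge together with a hash of the RP ID supplied by the browser, and a relayed challenge from a look-alike origin yields nothing the relying party will accept. The RP IDs are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is all the relying party (RP) keeps after registration: the
// public key and the RP ID (the site) the key pair was created for.
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}

// Authenticator models the user's device. The private key never leaves it;
// the RP only ever receives signatures.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// Register creates a fresh P-256 key pair bound to rpID and returns both the
// device-side authenticator and the record the RP stores.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv, rpID: rpID},
		Credential{RPID: rpID, Public: &priv.PublicKey}, nil
}

// NewChallenge returns 32 random bytes; the RP issues a fresh one per login
// attempt so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what the signature covers, as in WebAuthn: a hash of the RP ID
// followed by the challenge. A signature made for one site is therefore
// meaningless to every other site.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the login step. originRPID comes from the browser's view of the
// page the user is really on, not from page content, so a look-alike phishing
// site cannot claim to be the real RP.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	if originRPID != a.rpID {
		return nil, errors.New("no passkey registered for origin " + originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(originRPID, challenge))
}

// Verify is the RP side: recompute the signed data for its own RP ID and the
// challenge it issued, then check the signature against the stored public key.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(cred.Public, signedData(cred.RPID, challenge), sig)
}

// RelayedChallengeAccepted models a phishing site that obtains a real challenge
// from the RP and forwards it to the victim's device under its own origin. It
// returns true only if the attacker ends up with a signature the RP accepts.
func RelayedChallengeAccepted(cred Credential, victim *Authenticator, phishRPID string) bool {
	challenge, err := NewChallenge() // stands in for the RP's challenge being relayed
	if err != nil {
		return false
	}
	sig, err := victim.Assert(phishRPID, challenge)
	if err != nil {
		return false // the device holds no passkey for the phishing origin
	}
	return Verify(cred, challenge, sig)
}

func main() {
	// Constructed RP IDs for the demo; no relation to any real service.
	auth, cred, err := Register("accounts.example.com")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, _ := auth.Assert("accounts.example.com", challenge)
	fmt.Println("genuine login verifies:", Verify(cred, challenge, sig))
	fmt.Println("phishing relay succeeds:",
		RelayedChallengeAccepted(cred, auth, "accounts-example.evil"))
}
```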

Google didn't share statistics on passkey adoption so far, saying instead in a blog post that “people have used passkeys on their favorite apps like YouTube, Search and Maps, and we’re encouraged by the results.” The company points out that passkey support is expanding across other apps and services. Apple and Microsoft both support passkeys. And companies like Uber and eBay recently launched passkeys, and they're coming to WhatsApp soon.

“Passwordless is something we set out to achieve 10-plus years ago, and we’re thrilled to not only see us already on the next step of the journey with passkeys by offering them by default, but also to see the great feedback from users who have made the switch,” Christiaan Brand, identity and security group product manager at Google, tells WIRED.

 

There's so much inertia on passwords around the world that even a player as big and influential as Google can't force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.

“We’ll keep you updated on where else you can start using passkeys across other online accounts,” the company wrote today. “In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys—making passwords a rarity, and eventually obsolete.” 

 

Original Article

FIDO APAC Summit 2023

FIDO APAC Summit 2023

August 28 – August 30

Silver Sponsor: TrustKey Solutions

 

The Asia-Pacific region is experiencing a significant shift in the landscape of authentication methods, with a growing interest in passwordless solutions. Traditional password-based authentication methods have proven to be vulnerable to various threats, including phishing attacks, credential theft, and weak password practices. As a result, organizations in Asia Pacific are actively exploring and adopting passwordless authentication as a more secure and user-friendly alternative. The Asia Pacific identity and authentication market is expected to grow during the forecast period from 2021 to 2028.

 

The FIDO APAC Summit 2023 brought together industry leaders, cybersecurity experts, and government representatives from Asian countries such as Japan, Singapore, Australia, and South Korea to explore the latest developments and success stories in FIDO authentication.

In particular, Google seemed to be focusing on spreading passkeys by supporting them on Chrome and Android.

At this summit, TrustKey operated an exhibition booth to introduce the new model B210 and showcase the TrustKey Login Solution and PIV. In addition, we met with leading companies such as DTASIA Vietnam, VinCSS, and CySack to discuss potential partnerships, especially with VinCSS.

Through this event, we had the opportunity to introduce TrustKey solutions' FIDO technology and had a rich networking experience. 

#appleid #setup #ios Sep 06, 2023
Use Trustkey to sign into your Apple ID account on iPhone

About FIDO security keys

FIDO security keys for Apple ID are an optional security feature designed for people (such as celebrities, journalists, and members of government) who want extra protection from targeted attacks on their account, including phishing and social engineering scams.

A FIDO security key is a small third-party hardware device that you can connect to your iPhone and use to verify your identity when signing into your Apple ID account. The physical key replaces the six-digit verification codes normally used in two-factor authentication, which keeps this information from being intercepted or requested by an attacker.


Set up Trustkey

TrustKey is a FIDO security key that authenticates users by touch or fingerprint. It has been designed to satisfy FIDO2 Level 2 certification requirements.

 

You need to set up at least two TrustKeys so you can use one as a backup in case the other is lost, damaged, or stolen. You can pair up to six keys with your account.

• Go to Settings > [your name] > Password & Security.

• Go to Security Keys > tap Add Security Keys, then follow the onscreen instructions.

 


 



Sign in to a device, website, or app using a TrustKey.

• When prompted, insert your TrustKey.

• Follow the onscreen instructions.

 

 

Use a Trustkey to reset your Apple ID password.

If you forget your Apple ID password, you can use a Trustkey that’s paired with your account to reset it.

• Go to Settings > [your name] > Password & Security. (If you aren’t already signed in to your Apple ID account on your iPhone, first use your paired security key to sign in.)

• Tap Change Password, then follow the onscreen instructions.

 

Use a Trustkey to unlock your Apple ID

If you try unsuccessfully six times in a row to sign into your Apple ID account, or if your iPhone detects other signs of suspicious activity, you’ll receive an onscreen notification that your Apple ID is locked. You can use your Trustkey to unlock it.

• Tap Unlock Account, then follow the onscreen instructions to unlock your Apple ID.

• If you think your account might have been locked because someone else knows your password, tap Change Password and enter a new one.

• Tap Done.

 

Remove security keys.

You can pair up to six TrustKeys with your Apple ID. If you reach the limit and need to pair additional keys, you can remove one or more of your paired keys. You can replace keys you’ve removed at any time.

• Go to Settings > [your name] > Password & Security.

• Tap Security Keys.

• To remove all keys, tap Remove All Keys, then tap Remove.

• To remove individual keys, tap the ones you want to remove, then tap Remove Key.

 

Note: If you remove all TrustKeys from a device, the device reverts to using six-digit verification codes for two-factor authentication.

#Austria #G310H #gov Jul 24, 2023
eosterriech.gv.at announces support for TrustKey G310H security key

eosterriech.gv.at, an interagency platform for immediate help and information on Austrian public administration and its services, recently announced enhanced support for using FIDO2 security keys as MFA devices.
As a result, the TrustKey G310H security key is compatible and can be used with ID Austria.

Source:
Which FIDO security keys are compatible with ID Austria and where are they available?

Tokens that are FIDO2 Level 2 certified and support WebAuthn can be used with ID Austria. This is currently fulfilled by:

• Trustkey G310H
• GoTrust Idem Key FIDO2
• Yubico Security Key NFC in black (USB-A + NFC, USB-C + NFC)
• Yubico YubiKey FIPS Series (5 NFC FIPS, 5C NFC FIPS, 5C FIPS, 5 Nano FIPS, 5C Nano FIPS, 5Ci FIPS)

Common models usually offer connection via USB or NFC to your computer. They can be purchased in stores and can cost between 30 euros and 70 euros, depending on the model.
We recommend using them on the Windows operating system and using common browsers like Chrome or Firefox to ensure smooth operation.
An overview of FIDO2 support on operating systems and browsers can be found at https://fidoalliance.org/expanded-support-for-fido-authentication-in-ios-and-macos/.

To order your TrustKey today, visit amazon.com/s?k=TrustKey and start protecting your accounts with TrustKey as your ID Austria anti-phishing MFA.

 

 

 

TrustKey Co.,Ltd./Address : (06236) 2F, 14, Teheran-ro 22-gil, Gangnam-gu, Seoul, Republic of Korea
Tel : +82-2-556-7878 Sales : sales@trustkey.kr / Technical : support@trustkey.kr / Fax : +82-2-558-7876

Copyright © 2020 TrustKey. All Rights Reserved.