Microsoft hits the switch on password-free smartphone authentication Microsoft is rolling out another way for smartphone and tablet users to protect themselves from phishing attacks as post-pandemic hybrid work pulls more and more workers under bring-your-own-device (BYOD) policies. By so doing, of course, it also ties up the security loose ends for businesses, who find BYOD "convenient" (cough …
Quote: "...protect themselves from phishing attacks..."
Please explain!!! Phishing attacks only work if an end user clicks a button or connects to a phony web address.
How does a certificate on a personal device "protect" anyone from inbound phishing emails or other inbound malware?
Because the majority of phishing attacks convince you to enter your credentials into a site that then goes and makes use of them to spam contacts, exfiltrate data etc
Certificate based has 2 benefits
1) The certificate can be configured to be used on particular websites only (so you're no longer relying on the user noticing a dodgy URL)
2) The private key is never sent to the server, so they can't pretend to be you
(Mostly) it doesn't work like that. It doesn't matter what certs you have installed: the point is that the certs (all of them) are local. They can only be used to sign the transaction that is in front of you on the screen. They can't be copied by someone and used to sign something else in the future, like passwords can.
It doesn't particularly help with the type of phishing emails which convince the CEO to send a panicky message to the accounts payment supervisor saying "pay this NOW!". But it helps with the ones which convince someone to log in to what they think is your AWS root account giving away the password.
> How does a certificate on a personal device "protect" anyone from inbound phishing emails or other inbound malware?
It doesn't stop phishing emails or malware.
The problem with currently widely used MFA is that it is not resistant to man-in-the-middle attacks.
A properly implemented TLS client certificate system should not suffer from these MitM attacks (although I have not read enough to understand the technical details of it). In addition, however, YubiKeys implement origin bound keys and token binding to thwart MitM attacks.
You could implement such a client certificate system via a web browser, storing the private key on the client, but this opens an avenue to phishing, whereby the attacker would seek to gain access to the private key.
My understanding is that the above scenario is thwarted by using a YubiKey because the private key does not leave the device; you're essentially communicating with the YubiKey via a defined protocol to generate a signed response to the remote site's challenge.
It seems hard to determine how resistant these keys are to local malware, but if you have local malware it would be much easier for it to just extract browser session cookies I would have thought. The YubiKeys seem to offer protection from remote access by requiring that the user touch them to activate. I don't think you could use an intercepted signed response (along with, say, key-logged user name and password) because the challenge given to the user and the challenge given to the attacker would be different.
I have to say, the YubiKeys do look to have an excellent balance between ease of use and high security. I'm currently using a password manager with a strong master password and OTP code, which is pretty secure, but it's very tempting to invest in one of these keys as well.
I skimmed through the stuff below while writing this. If you really want to know how it works, take a look:
https://www.yubico.com/blog/creating-unphishable-security-key/
https://developers.yubico.com/WebAuthn/
https://docs.yubico.com/yesdk/users-manual/application-u2f/how-u2f-works.html
No matter how hard the cool kids try, you cannot make a person secure with technology alone. You can wank over your multi factors, you can dribble with FIDO or whatevs. A person is a fucking person and they will be just as much a person as they can possibly can be. You cannot stop a person from being a person.
There are no shortcuts with security.
The cool kids think that now they have discovered and implemented decent crypto and some pretty decent ways to use it that doesn't make Aaron Schwartz n co roll their eyes in horror as their work is mangled.
That said, I have seen some great examples of phishing and the like being foiled by the troops on the ground being smart.
This doesn't stop the phishing. It limits the impact by making sure it can only cause trouble while the person is still convinced.
Passwords mean that once you are phished you are vulnerable until you change the stolen password (and if you are stupid enough to reuse passwords all your other accounts are vulnerable until you change all of them).
That said, this isn't new. Yubikey, and their competitors, have been offering this for some time. Although presumably Microsoft are making it easy to use and, much more importantly, easy to integrate into the enterprise.
I'm glad someone mentioned the competitors to Yubikey. There's at least a few, some of them are even open source. I have my eye on Nitrokey personally, I'll probably buy one next year, if they bring out a Nitrokey Storage 3 as I expect they will after they have updated their other keys to version 3.
Apple announced support for this technology in 2021 based on the W3C Web Authentication API WebAuthn. Created by the World Wide Web Consortium and the FIDO Alliance, whose members are Apple, Amazon, Google, Meta (Facebook), and Microsoft are all FIDO board members, as are major financial institutions, credit card networks, and chip and hardware firms.
It's basically a public / private key solution. You create an account on a website or server that supports WebAuthn and the user is prompted to authenticate using a device password or biometric TouchID / FaceID. That generates a public / private key pair and the private key is saved to the Apple device Keychain while the public key is sent to the website. The login becomes passwordless and the system you are logging into no longer has to worry about password leaks, etc. Apple can sync the private keys via the iCloud Keychain to multiple devices. The Keychain is protected by a hardware blackbox storage device built-in to the Apple SoC processors called the SecureEnclave. It's basically like TPM 2.0 but on steroids.
There is zero need to use a Yubikey on Apple devices. The limitation is Microsofts not Apple. Apple passkeys will work across macOS, iOS, iPadOS, and WatchOS on any WebAuthn enabled system with very minor requirements from the system provider. Requiring the Yubico hardware or App is ridiculous for Apple users but understandable from Microsoft's perspective. They have no concept of the Keychain and their devices do not have a SecureEnclave blackbox chip within a System On Chip. All they have is a TPM 2.0 chip which is not quite as good but better than not having a TPM at all. Apple's SecureEnclave is a black box write only secure storage chip built-in to the T2, A## SoC and all Apple Silicon M1 / M2 SoC chips. Every modern Apple device has a Secure Enclave. Private keys and secrets are written to the SecureEnclave and are never readable again. When authenticating the public key is generated based on password, FaceID / TouchID and sent to the SecureEnclave which merely responds with YAH or NAY on a match. If YAH, the device unlocks. It's used to control disk encryption, device unlock, etc., etc., etc. The SecureEnclave can only be written to and subsequently reset (erased) destroying all the saved private keys except the unique single key burned into the SecureEnclave at time of manufacturing which can never be changed.
The requirement of the Yubikey by Azure AD is a design limitation set by Microsoft and for now might be required on Apple devices but that doesn't mean "This Is The Way". Apple has a much more elegant solution already in place that exceeds the Yubikey which is inferior to a SecureEnclave. As of iOS / iPadOS 16, WatchOS 9, and macOS 13 Ventura. It's here now and ready for websites and servers that support WebAuthn to enable passwordless authentication.
Hopefully this will all shake out in the next two to three years and resolve all these security risks for the vast majority of people.
Errrr... how does using an Apple key allow me to log in from my Unix workstation, my wife's Windows PC, my Android tablet, etc?
And how do I log in to sort things out when my iPhone has been stolen?
A key is a separate physical token which works with many devices and which I can carry around on my keyring. And I can easily have another one at home if I want to have a backup login.
I much prefer the security key to be a small, light, physically separate token like a key or a card.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
