Microsoft hits the switch on password-free smartphone authentication

Microsoft is rolling out another way for smartphone and tablet users to protect themselves from phishing attacks as post-pandemic hybrid work pulls more and more workers under bring-your-own-device (BYOD) policies. By so doing, of course, it also ties up the security loose ends for businesses, who find BYOD "convenient" (cough …

  1. ICam

    Every time I read CBA...

    I think "Can't Be Arsed" in my head.

  2. Anonymous Coward

    More Explanation Needed (...for this confused old f*rt).....

    Quote: "...protect themselves from phishing attacks..."

    Please explain!!! Phishing attacks only work if an end user clicks a button or connects to a phony web address.

    How does a certificate on a personal device "protect" anyone from inbound phishing emails or other inbound malware?

    1. MatthewSt Silver badge

      Re: More Explanation Needed (...for this confused old f*rt).....

      Because the majority of phishing attacks convince you to enter your credentials into a site that then goes and makes use of them to spam contacts, exfiltrate data etc.

      Certificate-based has 2 benefits:

      1) The certificate can be configured to be used on particular websites only (so you're no longer relying on the user noticing a dodgy URL)

      2) The private key is never sent to the server, so they can't pretend to be you

      1. Mayday

        Re: More Explanation Needed (...for this confused old f*rt).....

        Now all we need to do is ensure that users only have “good” certificates installed, don’t install dodgy ones and don’t “click here to read this dodgy site anyway”.

        1. Graham Cobb Silver badge

          Re: More Explanation Needed (...for this confused old f*rt).....

          (Mostly) it doesn't work like that. It doesn't matter what certs you have installed: the point is that the certs (all of them) are local. They can only be used to sign the transaction that is in front of you on the screen. They can't be copied by someone and used to sign something else in the future, like passwords can.

          It doesn't particularly help with the type of phishing emails which convince the CEO to send a panicky message to the accounts payment supervisor saying "pay this NOW!". But it helps with the ones which convince someone to log in to what they think is your AWS root account giving away the password.

    2. Anonymous Coward

      Re: More Explanation Needed (...for this confused old f*rt).....

      Makes more sense if you could assign blame.

      None of this "it wasn't me guv".

    3. ICam

      Re: More Explanation Needed (...for this confused old f*rt).....

      > How does a certificate on a personal device "protect" anyone from inbound phishing emails or other inbound malware?

      It doesn't stop phishing emails or malware.

      The problem with currently widely used MFA is that it is not resistant to man-in-the-middle attacks.

      A properly implemented TLS client certificate system should not suffer from these MitM attacks (although I have not read enough to understand the technical details of it). In addition, however, YubiKeys implement origin bound keys and token binding to thwart MitM attacks.

      You could implement such a client certificate system via a web browser, storing the private key on the client, but this opens an avenue to phishing, whereby the attacker would seek to gain access to the private key.

      My understanding is that the above scenario is thwarted by using a YubiKey because the private key does not leave the device; you're essentially communicating with the YubiKey via a defined protocol to generate a signed response to the remote site's challenge.

      It seems hard to determine how resistant these keys are to local malware, but if you have local malware it would be much easier for it to just extract browser session cookies I would have thought. The YubiKeys seem to offer protection from remote access by requiring that the user touch them to activate. I don't think you could use an intercepted signed response (along with, say, key-logged user name and password) because the challenge given to the user and the challenge given to the attacker would be different.

      I have to say, the YubiKeys do look to have an excellent balance between ease of use and high security. I'm currently using a password manager with a strong master password and OTP code, which is pretty secure, but it's very tempting to invest in one of these keys as well.

      I skimmed through the stuff below while writing this. If you really want to know how it works, take a look:

      https://www.yubico.com/blog/creating-unphishable-security-key/

      https://developers.yubico.com/WebAuthn/

      https://docs.yubico.com/yesdk/users-manual/application-u2f/how-u2f-works.html

  3. J. Cook Silver badge

    So... It's a virtual SmartCard then?

    Because, depending on the Yubikey one buys (notably the $49 USD one), and with some mucking around with an on-prem AD, you can use the hardware Yubikeys as smart cards as well (along with the other features...).

    Neat idea, though.

  4. ITMA Silver badge

    Ah yes - BYOD

    Otherwise known as Bring Your Own Disaster...

  5. ITS Retired

    A pin code for a ByOD? Isn't a pin code another name for a password?

    1. ITMA Silver badge

      Erm..... Yup

    2. tfewster

      Isn't a pin code another name for a really weak password?

      FIFY. Even worse, PIN codes are easy to read by watching someone type them (even if they're not echoed to the screen, as in a phone call) and rarely changed.

      1. MatthewSt Silver badge

        The main difference is that the PIN code is only valid for that device (unless users have re-used PIN codes across devices, but you'd still need one of their devices).

        1. Graham Cobb Silver badge

          Yes, this is the point. It isn't the PIN which provides the security (in fact it works almost as well if you don't use a PIN at all!). It is the physical key (like the old-fashioned number generator keyfobs but this time with a cryptographic challenge/response).

  6. Paul Hovnanian Silver badge

    Microsoft on smartphones

    So this affects like what? Four people?

  7. Anonymous Coward

    Did I miss the expiry time?

    Vast amounts of **** no longer accepts any certificate with a lifetime over 2 years.

    And if "devs" are making it we'd be lucky to get a month validity.

    (yes, PKI is a stupid design)

  8. Anonymous Coward

    More wankery

    No matter how hard the cool kids try, you cannot make a person secure with technology alone. You can wank over your multi factors, you can dribble with FIDO or whatevs. A person is a fucking person and they will be just as much a person as they possibly can be. You cannot stop a person from being a person.

    There are no shortcuts with security.

    The cool kids think that now they have discovered and implemented decent crypto and some pretty decent ways to use it, that doesn't make Aaron Swartz and co roll their eyes in horror as their work is mangled.

    That said, I have seen some great examples of phishing and the like being foiled by the troops on the ground being smart.

    1. Graham Cobb Silver badge

      Re: More wankery

      This doesn't stop the phishing. It limits the impact by making sure it can only cause trouble while the person is still convinced.

      Passwords mean that once you are phished you are vulnerable until you change the stolen password (and if you are stupid enough to reuse passwords all your other accounts are vulnerable until you change all of them).

      That said, this isn't new. Yubikey, and their competitors, have been offering this for some time. Although presumably Microsoft are making it easy to use and, much more importantly, easy to integrate into the enterprise.

      1. onefang

        Re: More wankery

        I'm glad someone mentioned the competitors to Yubikey. There's at least a few; some of them are even open source. I have my eye on Nitrokey personally; I'll probably buy one next year, if they bring out a Nitrokey Storage 3 as I expect they will after they have updated their other keys to version 3.

        1. ICam

          Re: More wankery

          Oh, I didn't know about those. Maybe I'll go with one rather than a YubiKey then...

  9. Omega Wolf

    Do Android users need to download an app or will the current MS Authenticator app be updated for this?

  10. jbrickley

    Apple announced this last year, they called it "passkey"

    Apple announced support for this technology in 2021, based on the W3C Web Authentication API, WebAuthn. It was created by the World Wide Web Consortium and the FIDO Alliance, whose members Apple, Amazon, Google, Meta (Facebook) and Microsoft are all FIDO board members, as are major financial institutions, credit card networks, and chip and hardware firms.

    It's basically a public / private key solution. You create an account on a website or server that supports WebAuthn and the user is prompted to authenticate using a device password or biometric TouchID / FaceID. That generates a public / private key pair; the private key is saved to the Apple device Keychain while the public key is sent to the website. The login becomes passwordless and the system you are logging into no longer has to worry about password leaks, etc. Apple can sync the private keys via the iCloud Keychain to multiple devices. The Keychain is protected by a hardware black-box storage device built into the Apple SoC processors, called the SecureEnclave. It's basically like TPM 2.0 but on steroids.

    There is zero need to use a Yubikey on Apple devices. The limitation is Microsoft's, not Apple's. Apple passkeys will work across macOS, iOS, iPadOS, and WatchOS on any WebAuthn-enabled system with very minor requirements from the system provider. Requiring the Yubico hardware or app is ridiculous for Apple users but understandable from Microsoft's perspective. They have no concept of the Keychain and their devices do not have a SecureEnclave black-box chip within a System On Chip. All they have is a TPM 2.0 chip, which is not quite as good but better than not having a TPM at all. Apple's SecureEnclave is a black-box, write-only secure storage chip built into the T2, A## SoC and all Apple Silicon M1 / M2 SoC chips. Every modern Apple device has a Secure Enclave. Private keys and secrets are written to the SecureEnclave and are never readable again. When authenticating, the public key is generated based on password, FaceID / TouchID and sent to the SecureEnclave, which merely responds with YAH or NAY on a match. If YAH, the device unlocks. It's used to control disk encryption, device unlock, etc., etc., etc. The SecureEnclave can only be written to and subsequently reset (erased), destroying all the saved private keys except the unique single key burned into the SecureEnclave at time of manufacturing, which can never be changed.

    The requirement of the Yubikey by Azure AD is a design limitation set by Microsoft and for now might be required on Apple devices, but that doesn't mean "This Is The Way". Apple has a much more elegant solution already in place that exceeds the Yubikey, which is inferior to a SecureEnclave. As of iOS / iPadOS 16, WatchOS 9, and macOS 13 Ventura, it's here now and ready for websites and servers that support WebAuthn to enable passwordless authentication.

    Hopefully this will all shake out in the next two to three years and resolve all these security risks for the vast majority of people.

    1. Graham Cobb Silver badge

      Re: Apple announced this last year, they called it "passkey"

      Errrr... how does using an Apple key allow me to log in from my Unix workstation, my wife's Windows PC, my Android tablet, etc?

      And how do I log in to sort things out when my iPhone has been stolen?

      A key is a separate physical token which works with many devices and which I can carry around on my keyring. And I can easily have another one at home if I want to have a backup login.

      I much prefer the security key to be a small, light, physically separate token like a key or a card.
