Is it time to access protected apps sans username and password combinations?
Yes, and if a new initiative catches on, it just may happen. Even if it doesn’t, when it comes to authentication the time has certainly arrived for new ideas for eliminating passwords.
We hate passwords as users: they are a pain to create, remember and type, especially on mobile devices. Developers hate them too: they are a pain to incorporate into apps and to manage once they are there. If you think security practitioners like passwords, think again. Next time you are around your CISO or security managers, ask them what they think of passwords. Have a cup of coffee or tea ready, and a chair. The rant may take a while.
As we all know, people are terrible at managing passwords. Even people who should know better often don’t manage them properly: they reuse the same password across multiple sites and pick easy-to-remember (and therefore easy-to-guess) ones.
With all of that in mind, the information security firm Trail of Bits released a service called Tidas earlier this week. Tidas is a way for app developers to ditch passwords completely. Its software development kit (SDK) lets app developers shift authentication from passwords to Apple’s Touch ID and the encryption built into iOS.
According to Trail of Bits, here’s how it works:
When your app is installed on a new device, the Tidas SDK generates a unique encryption key identifying the user and registers it with the Tidas backend. This key is stored on the device in the iOS Secure Enclave chip and is protected by Touch ID, requiring the user to use their fingerprint to sign into the app. Signing in generates a digitally signed session token that your backend can pass to the Tidas backend to verify the user’s identity. The entire authentication process is handled by the SDK and does not require you to touch any of the user’s sensitive data.
The developers also say that if the Tidas backend or one’s own servers were breached, the attackers would gain no personally identifiable information and certainly no passwords. “Tidas doesn’t store any sensitive data outside the mobile device. A user’s encryption keys never leave their device’s Secure Enclave chip and cannot be compromised even if the app, the device or the server are hacked,” the developers said.
The sensitive material, the user’s fingerprint data and the key that Touch ID unlocks, stays in Apple’s Secure Enclave; the app and the backends only ever handle the signed session tokens it produces.
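To make the flow in the Trail of Bits description concrete, here is an added example that is not Tidas code and not from the original post: a Go simulation of both sides of the exchange. The `Device` type stands in for the phone, whose private key is never handed out and which only signs after the Touch ID check passes; the `Backend` type stands in for the verification service, which holds nothing but public keys and already-used nonces. The key type (ECDSA P-256, the curve Apple’s Secure Enclave supports for app keys), the token layout, the JSON encoding of the signed payload and the five-minute freshness window are assumptions of this example, not details taken from the Tidas documentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the phone: its key is generated inside it and only ever used to
// sign, the Secure Enclave's role in the real SDK. ECDSA P-256 is this example's assumption.
type Device struct {
	userID string
	priv   *ecdsa.PrivateKey
}

func NewDevice(userID string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{userID: userID, priv: priv}, nil
}

// PublicKey is the only key material that leaves the device, sent once at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Token is the signed session token (assumed layout, not the Tidas format); Nonce and
// IssuedAt let the backend reject replayed and stale tokens.
type Token struct {
	UserID   string `json:"user_id"`
	Nonce    string `json:"nonce"`
	IssuedAt int64  `json:"issued_at"`
	Sig      []byte `json:"sig,omitempty"`
}

// payload is what gets signed: every field except the signature itself.
func (t Token) payload() []byte {
	b, _ := json.Marshal(Token{UserID: t.UserID, Nonce: t.Nonce, IssuedAt: t.IssuedAt})
	return b
}

// SignIn models the Touch ID prompt: a failed fingerprint check means the key is never
// used, so there is no token to send.
func (d *Device) SignIn(fingerprintOK bool, now time.Time) (Token, error) {
	if !fingerprintOK {
		return Token{}, errors.New("touch id: fingerprint not verified")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Token{}, err
	}
	t := Token{UserID: d.userID, Nonce: fmt.Sprintf("%x", nonce), IssuedAt: now.Unix()}
	h := sha256.Sum256(t.payload())
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	if err != nil {
		return Token{}, err
	}
	t.Sig = sig
	return t, nil
}

// Backend models the verification service. It holds only public keys and the nonces it
// has already accepted, so a dump of it yields nothing that can mint a valid token.
type Backend struct {
	keys map[string]*ecdsa.PublicKey
	seen map[string]bool
}

func NewBackend() *Backend {
	return &Backend{keys: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

// Register binds a user identifier to the device's public key at install time.
func (b *Backend) Register(userID string, pub *ecdsa.PublicKey) { b.keys[userID] = pub }

// Verify checks, in order: known user, token at most 5 minutes old and not replayed,
// signature made by the key registered for that user.
func (b *Backend) Verify(t Token, now time.Time) error {
	pub, ok := b.keys[t.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	age := now.Sub(time.Unix(t.IssuedAt, 0))
	if age < 0 || age > 5*time.Minute || b.seen[t.Nonce] {
		return errors.New("stale or replayed token")
	}
	h := sha256.Sum256(t.payload())
	if !ecdsa.VerifyASN1(pub, h[:], t.Sig) {
		return errors.New("bad signature")
	}
	b.seen[t.Nonce] = true
	return nil
}
```

Usage follows the article’s two phases: at install, `Register` the device’s `PublicKey`; at each sign-in, call `SignIn` on the device and hand the resulting token to `Verify`. A second `Verify` of the same token fails as a replay, a token with any signed field altered fails the signature check, and a token for a user the backend has never seen is refused before any cryptography runs. That ordering is the breach argument made above in code: everything an attacker could take from the backend is enough to check tokens, never to produce one.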
Could this be embraced by users and developers? Will it prove to work as hoped? There’s no way to say at this point. But one thing I can say: The more innovative and novel ways to eliminate the password that come forward, the closer we all are to typing our final username/password combination. And good riddance, I say.