WE'RE BIG fans of security keys. Which sounds like an odd statement. But as we've been saying over the past few years, just a password in this day and age is not going to cut it, and although biometrics are becoming more common and more reliable, a physical key is nigh on foolproof (unless you leave it lying around labelled with what it is).
Microsoft has been part of the two-factor authentication (2FA) wave since the launch of Windows 10, but up to now, using such keys like the recently released Yubikey 5 from Yubico, or Google's native effort, have required a separate app from the Windows Store, rather than simply "just working".
But no longer! The company has announced that from now on, FIDO2 keys (the agreed standard for 2FA login) will be supported across Windows 10 and Office, as well as Xbox Live, OneDrive, Bing (whatever that is) and Skype. This joins the Edge browser support previously announced. But nobody uses that either.
"Passwords are bad for the planet. They're bad for people. They're the easiest way for attackers to get in, and in the case of account takeovers, they're even a way to force people out," said Rob Lefferts, vice president Microsoft Security, glossing over the fact that Google has offered FIDO support for several years and in fact Microsoft is very late to the party.
The difference between Google and Microsoft, however, is that Microsoft will allow you to use your key for single-factor authentication. In other words, use your key, you're logged in, no user names, no passwords.
For the technically minded, the key's information is placed on a Trusted Platform Module on the physical machine. This is then compared with your cloud credentials to one side and your FIDO2 info, with the device acting as its own gatekeeper.
The good news is that FIDO2, being a standard (as well as FIDO being the name of the big-tech consortium behind it), is going to give you this kind of functionality on any site or platform that supports it. You won't end up with a bunch of plastic dongles on your keyring.
Already, Google, Facebook, Dropbox and a number of other big names will allow FIDO key either as first or second-factor authentication. Once the big browsers support it natively too, we could start to see it being used in conjunction with password safes in order to effectively expunge the password forever. μ
But it might never see the light of a PC bay
It's nothing we haven't seen before, but it's still the best iPhone yet
Firm gives scanner flaw the finger
Ermine is the same but stoat-ally different