Introducing Passkeys

Why are they better than passwords?

In the coming months, you will probably change how you sign on to your favorite web sites.

Passkey support is coming to your devices and web sites to provide a sign-on process that is both more secure and more convenient than the familiar but annoying username and password system.

Passkeys are built on the FIDO Alliance and W3C WebAuthn standards. In 2022 Google, Apple and Microsoft jointly committed to supporting them across their platforms.

Passkeys are superficially similar to the Sign in with Apple or Sign in with Google buttons you may have seen on some web sites. Those are federated logins: the site hands authentication off to Apple or Google. A passkey is different. It is a public/private key pair created on your device for one particular site; the site keeps only the public key, and no identity provider is involved when you sign in. Passkeys are also a single, unified standard that a web site can implement once, which then supports all platforms. The buy-in from the major tech companies means that passkeys will probably be widely adopted.

This short video from iThemes (2:58) gives a quick overview of Passkeys. Although it is specific to WordPress and iThemes Pro, most of what is described is general-purpose.

This video from the Apple Developer Conference gives a good overview of passkeys in the first 7:30 or so. After that, the video goes deep into developer technical details.

To use a passkey to log on to a site, passkeys must be supported by both the web site and by your device. Your device must be able to verify that it is you before it releases the passkey. On Apple devices that means Touch ID or Face ID, with your device passcode as the fallback; a Mac without Touch ID asks for your login password instead.

You can also use your phone (which has Touch ID or Face ID) to log on to a web site on a computer that has no passkey of its own. The browser on the computer shows a QR code; you scan it with your phone, approve with Face ID or Touch ID, and the phone signs you in. The two devices must be physically near each other (they confirm proximity over Bluetooth), which is part of what stops a remote attacker from simply relaying the QR code to you.

Biometric authentication is used only to unlock the passkey on your device. Your face or fingerprint is never transmitted to the web site or anywhere outside your device.

To sign in, you may enter your username or email address as usual, or the site may let you skip even that. Instead of entering a password, you click Sign in with a passkey, and your device signs a one-time challenge from the site. Since there is no password, there is nothing to steal, either from you or from the web site, which holds only your public key. And because a passkey is tied to the site it was created for, a lookalike phishing site cannot use it.

Once you have set up a passkey for a site on one of your Apple devices, it is automatically synced to your other Apple devices through iCloud Keychain. Remember that it only works on devices recent enough to support passkeys.

At present, there is no way to export passkeys between platforms, so passkeys created on an Apple device won't transfer to your Microsoft Windows PC, or vice versa. The phone-and-QR-code method described above does work across platforms, though, so you can still sign in on a Windows PC with a passkey stored on your iPhone.

Passkeys are already supported in current versions of iOS (iOS 16.x) and macOS 13 (Ventura). Microsoft's implementation is part of Windows Hello, and Google's is in Chrome and Android.

Right now, just a few web sites support passkeys, but the list is growing.

If you want to try passkeys yourself, there is a demonstration web site which lets you try creating a passkey and logging on with it.

Password Managers

Whatever password manager you are using, don't get rid of it yet. Some sites will continue to use passwords. Passkeys work in conjunction with Apple's own password manager, iCloud Keychain. The popular password managers Bitwarden and 1Password will probably have some sort of support for passkeys in the future.

If you are in the habit of writing your passwords down in a little black book, all you will need to record is the name of the website, your username or email, and “Use passkeys”. Anyone looking at that book would not be able to logon as you, because they won’t have your device or your face or fingerprint.

The same (lack of) information is probably what would be recorded in a password manager app. Again, it’s nice that there is no password for anyone to steal.

Beware Fake iCloud or App Store emails

There has been a recent spate of phishing emails purporting to come from Apple. Typically they show some sort of a purchase or subscription that you supposedly bought from Apple. As always, DO NOT CLICK LINKS in emails.

If you want to check your account, do so from within iTunes, or by logging in at iCloud.com or Apple.com yourself.

In the email there are some suspicious indicators if you look for them. First of all, the email is not from the domain apple.com. Check the actual address, not the display name next to it; a sender can put "Apple" or even "apple.com" in the name while the address is on a completely different domain.

Second, the mail addresses you as “Valuable Customer”, not by name.

This email is fake!

The bad guys expect you to be outraged that you are being charged for something you didn’t order — and that you will rashly click on the link they provided.

I don’t know what happens when you do that. Probably, it is a fake imitation of the Apple sign-in page where your credentials will be stolen. However, it may be some kind of attack that takes place merely by visiting the site.

Be safe out there, folks!

Two-Factor Authentication for Apple ID

Two-Factor Authentication and One-Time Passwords

MacMAD Meeting Topic for June 20, 2017

Your Apple ID is your single set of credentials for everything from Apple, including:

  • Email
  • iCloud files, calendars, contacts, etc.
  • Photos
  • purchases on the iTunes store
  • buying hardware on the Apple Store

This is pretty important stuff, right? You don’t want your credentials to fall into the wrong hands! Until recently, those credentials consisted of only your username and password, which seldom change. If a bad guy got hold of those, he’d have complete access to your Apple identity.

To help prevent that, Apple set up Two-Factor Authentication (2FA). With 2FA, in addition to your username and password, you must also enter a verification code. Verification codes are sent to your phone or another trusted device, and the code is different each time you log on, so a password stolen on its own is not enough to get in.

Two-Factor Authentication is optional for users. However, you may now be required to turn it on if you use certain third-party apps, namely those which access your iCloud account.

Some apps require access to your files in iCloud, and therefore need your iCloud credentials to do so. This is fine, but you don’t want them to have the keys to your entire kingdom, do you? You don’t want a calendar app to order a new Macintosh, or delete your photos.

To control such apps, Apple now requires them to sign in to iCloud using an app-specific password (referred to here as a one-time password). This lets the app skip the 2FA verification step, but with a separate password that is generated for that one app, works only for the data that app needs, and can be revoked on its own without changing your main Apple ID password. If an app or its stored password is compromised, you revoke just that one.

You do not need to store or remember app-specific passwords. If for some reason you need to re-authorize an app, you can simply generate a new one for it. Dennis explains how to do all this in these slides from this month's meeting:

Apple Two-Factor Authentication 2017


VPN – Virtual Private Network Meeting Topic

MacMAD’s October, 2016 Meeting topic is VPNs (Virtual Private Networks). Here are some accompanying links and information.

People generally use a VPN for these reasons:

  • Security and privacy when using a public network, such as at a coffee shop or hotel.
  • Access to online content which is subject to geographical restrictions.
  • Remote access to a private local network, such as your home network or your employer's network.
  • Privacy at home (preventing your ISP from knowing what you are up to).

VPN Features to Look For

  • Automatic connection and reconnection, ideally with a "kill switch" that blocks all traffic while the tunnel is down. This prevents accidental leakage of unencrypted data in the moments between disconnecting and reconnecting.
  • Choice of VPN endpoint – What country would you like to be in today?
  • Self Installation/Configuration – Avoids lots of technical settings

Client and Server

VPNs follow a client-server model. The client app usually runs on your computer or portable device. The server can be either a commercial VPN service, or you can run your own VPN server at home on your router (some models) or on another computer. Keep in mind that a commercial service does not remove the need to trust someone: it moves the trust from your ISP or the coffee shop to the VPN provider, which can see everything that leaves the tunnel. There are many (hundreds of) commercial VPN providers. The following list is not at all complete.

Commercial VPN Providers

VPN Software

VPN Protocols

Your choice of protocol will probably be determined by what your server or provider supports.

  • PPTP – (Point-to-Point Tunneling Protocol) Old and broken; do not use. The built-in client was removed in macOS Sierra and iOS 10.
  • L2TP – (Layer 2 Tunneling Protocol) Provides only the tunnel; needs IPsec to encrypt it (L2TP/IPsec).
  • IPsec – (Internet Protocol Security) The encryption layer used by both L2TP/IPsec and IKEv2 VPNs.
  • IKEv2 – (Internet Key Exchange version 2) The modern key exchange for IPsec, and the preferred choice with Apple's built-in client.
  • OpenVPN – Runs over TLS. Not built into macOS or iOS, but widely supported by providers through third-party clients such as the OpenVPN app shown below.

Here's the macOS VPN dialog in System Preferences

macOS Network Preferences: adding a VPN interface


The iOS app OpenVPN

July 2016 Security & Backup Meeting Slides

We’re trying something a bit different this meeting. So you don’t have to take notes, we’re putting the presentation on-line. And we’re doing it the Apple Way – using iCloud. You should be able to view these links on Mac or iOS. They are Keynote documents.

Here are the slides for tonight’s meeting as a shared iCloud (Keynote) document.

And here are the slides from November 2015’s Security presentation.

After clicking one of these links, you will be able to view the slides in your web browser, or you can download and open a copy in Keynote. Here’s what that looks like in iOS:

iCloud Share

Wireless Emergency Alert System Flops Badly

If it hasn’t happened to you yet, it will soon. Your phone or someone’s near you will alarm loudly, and you will see an important-looking message. This is the government-mandated Wireless Emergency Alert system in action.

This is an alert I received this morning on my android phone:

Amber Alert

A system like this depends on user acceptance to function properly. So far, the main reaction of users has been “How do I turn this off”? Why?

There are several serious problems with this particular alert and the system in general. First of all, the alert on Android is presented as a one-time modal dialog box. You have to press OK before you can do anything else. Most people will do that within seconds. On my phone, at least, once OK is pressed, the alert is gone. You have no way to retrieve or review it. How many people will remember the license plate number even a minute later? The only way I could capture the alert dialog was to take a picture of it with another phone. I understand that on iOS, the alert remains visible in the notification center. Can anyone confirm that? Two points for Apple if so.

I have no confidence in a system where I cannot review past history. Alerts should remain reviewable for some time, even if they are cancelled. If they appeared on my phone once, I should be able to look at them again.

The second problem is that the alert does not say who sent it. My first question on seeing one of these for the first time was, what app generated this alert? I had installed some weather apps, maybe it was one of those. I was vaguely aware of the WEA system, but wasn’t sure if that was the source of the alert I was seeing. The question of who sent the alert also applies at the agency level. Did this come from the governor, the corner police station, who?

Problem number three, the alert doesn’t say what to do. What do I do if I see the missing pickup? The weather alert said to turn on the TV, I believe, which is a little more useful. I can’t check that though, because there is no way to recall past alerts.

The fourth problem, is there is no way to get more information. Any half-baked messaging app will let you click to see a photo or web page. How about some photos of the missing person, the vehicle and the suspect? How about a weather map of the tornado warning area? We get none of that.

Another, less serious, problem is that users are unfamiliar with these alerts. They have never seen them before. I would suggest that in the settings for WEA, there be a button for users to generate a demo alert, just on their own phone, so they can see what the alerts look and sound like.

Ask about these problems, and you will hear that there are technical limitations: the system only allows 90 characters of text. I must say, that's a pretty bad design. What do you expect from a government design? It needs to be changed. Some high school students could make a better system than this in an afternoon.

WEA (Wireless Emergency Alert) Overview

WEA sends alerts through the cellular system. The alerts are sent only to phones and cell towers in the affected area. The system only operates on relatively new phones. On AT&T, the Apple models supported are the iPhone 4S, iPhone 5, 5C and 5S.

The switches to turn off Amber Alerts and Emergency Alerts in iOS are in Settings/Notifications/Government Alerts. There is still the “Presidential Alert” which cannot be disabled.

I haven’t been able to determine for sure whether WEA alerts are supported on any model of iPad or not. They are not happening on mine which does have cellular.

Links

WEA Overview from CTIA

A good blog post about problems with WEA


Mac and iOS Security Bug: GotoFail

Apple's SSL/TLS library (SecureTransport), which Safari and many other apps on both the Mac and iOS (iPhone and iPad) use, has a serious security problem. A duplicated "goto fail;" line in the certificate verification code (CVE-2014-1266) makes it skip the check of the server's signature, so an attacker on the same network can impersonate any secure web site without the browser noticing. This is especially worrisome for mobile devices that may be used on public WiFi. Apple has released updates for this problem (iOS 7.0.6 and OS X 10.9.2), so go get them. You can test whether your Safari browser is still vulnerable by visiting http://gotofail.com . If it is, update your system.