Goodbye, Passwords! Web Consortium Promotes a New Form of Online Authentication

A new web standard is expected to kill passwords, meaning users will no longer have to remember difficult logins for each and every website or service they use.

The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.

Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.

“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.

One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.

WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.
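
The single-use, device-generated token described above can be sketched as a challenge-response exchange. This is an added example, not code from the article or the WebAuthn specification: it is a simplified model rather than the real WebAuthn message format, and the function names and the `bank.example` origins are hypothetical.

```javascript
const crypto = require('crypto');

// Authenticator (the user's device): the private key never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // registered with the site once; not a secret, so nothing worth stealing
    // `origin` is filled in by the browser, not by the page being visited.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Website: stores only the public key and the challenges it has issued.
function createServer(expectedOrigin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(32).toString('hex');
      pending.add(c);
      return c;
    },
    verify({ clientData, signature }) {
      const { challenge, origin } = JSON.parse(clientData);
      if (!pending.delete(challenge)) return 'unknown-or-reused-challenge'; // single use
      if (origin !== expectedOrigin) return 'wrong-origin'; // signed on a look-alike site
      const ok = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
      return ok ? 'ok' : 'bad-signature';
    },
  };
}

// Constructed scenario: a genuine login, a replay of it, and a relayed phishing attempt.
function demo() {
  const device = createAuthenticator();
  const site = createServer('https://bank.example', device.publicKey);
  const login = device.sign(site.newChallenge(), 'https://bank.example');
  return {
    genuine: site.verify(login),
    replayed: site.verify(login),
    phished: site.verify(device.sign(site.newChallenge(), 'https://bank-login.example')),
  };
}
```

`demo()` accepts the genuine login, rejects the captured response when it is replayed, and rejects the response signed on the look-alike origin.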

“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance, one of the bodies pushing the new standard.

WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do, leaving them vulnerable to further attacks if one site is hacked.

The W3C has moved WebAuthn to what’s called the “candidate recommendation” stage – the penultimate step before it becomes an approved web standard – inviting sites and services to begin implementing it. The web standards body announced that Google, Microsoft and Mozilla had committed to supporting WebAuthn, meaning that all major web browsers short of Apple’s Safari will implement the new standard.

“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.

Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key. But a single cross-platform, cross-service standard ratified by the W3C will mean that many more sites and services will be able to kill the password as the de facto login method.

WebAuthn is the culmination of many years of work and the change will not happen overnight. But as it increasingly seems inevitable that our email or other online services will get hacked into, removing the password is an important step in improving online security and making using sites and services easier.