Since its release, Cisco SecureX has helped over 10,000 customers gain better visibility into their infrastructure. As the number of devices in many customer environments continues to increase, so does the number of products with information about those devices. Between mobile device managers (MDM), posture agents, and other security products, a wealth of data is being collected but is not necessarily being shared or, more importantly, correlated. With the new device insights feature in Cisco SecureX, now available for all SecureX customers, we’re changing that.
Introducing Device Insights
Device insights, which is now generally available, extends our open, platform approach to SecureX by allowing you to discover, normalize, and consolidate information about the devices in your environment. But this isn’t just another dashboard pulling data from multiple sources. Device insights fetches data from sources you might expect, like your mobile device manager, but also leverages the wealth of data available in your Cisco Secure products such as Cisco Secure Endpoint, Orbital, Duo, and Umbrella. Combining these sources of data allows you to discover devices that may be sneaking through gaps in your normal device management controls and gain a comprehensive view into each device’s security posture and management status. With device insights, you’ll be able to answer these all-important questions:
What types of devices are connected in our environment?
What users have been accessing those devices?
Where are those devices located?
What vulnerabilities are associated with each device?
Which security agents are installed?
Is the security software is up to date?
What context do we have from technologies beyond the endpoint?
Supported Data Sources
Now, you might ask: what types of data can I bring into device insights? When we created SecureX, we built a flexible architecture based on modules that anyone can create. Device insights extends this architecture by adding a new capability to our module framework. Here’s a look at what data sources will be supported at launch:
Bringing Everything Together
Once you’ve enabled your data sources, device insights will periodically retrieve data from each source and get to work. Some sources can also publish data in real time to device insights using webhooks. We normalize all of the data and then correlate it between sources so you have one view into each of your devices, not a mess of duplicate information. This results in a single, unified dashboard with easy filtering, a high level view into your environment, and a customizable table of devices (which you can export too!). To see more information about a device, just click on one and you’ll see everything device insights knows, including which source provided which data.
Getting Started
To get started with device insights, simply log into Cisco SecureX and click the new Insights tab! For more information about device insights, check out these resources:
Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.
Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.
Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google’s bug bounty program.
“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.
“Signature verification makes sure that the token’s payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side.”
The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.
Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it’s only fixing necessary bugs, indicative of the severity of the vulnerability.
Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.
A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that’s executed while an iPhone is “off.”
The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).
While this is done so as to enable features like Find My and facilitate Express Card transactions, all the three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper entitled “Evil Never Sleeps.”
“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.
“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”
The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.
The LPM features, newly introduced last year with iOS 15, make it possible to track lost devices using the Find My network even when run out of battery power or have been shut off. Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.
A message displayed when turning off iPhones reads thus: “iPhone remains findable after power off. Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off.”
Calling the current LPM implementation “opaque,” the researchers not only sometimes observed failures when initializing Find My advertisements during power off, effectively contradicting the aforementioned message, they also found that the Bluetooth firmware is neither signed nor encrypted.
By taking advantage of this loophole, an adversary with privileged access can create malware that’s capable of being executed on an iPhone Bluetooth chip even when it’s powered off.
However, for such a firmware compromise to happen, the attacker must be able to communicate to the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.
Put differently, the idea is to alter the LPM application thread to embed malware, such as those that could alert the malicious actor of a victim’s Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.
“Instead of changing existing functionality, they could also add completely new features,” SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant “had no feedback.”
With LPM-related features taking a more stealthier approach to carrying out its intended use cases, SEEMOO called on Apple to include a hardware-based switch to disconnect the battery so as to alleviate any surveillanceconcerns that could arise out of firmware-level attacks.
“Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates,” the researchers said. “Thus, it has a long-lasting effect on the overall iOS security model.”
“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”
Apple has long been expected to transition to fully portless iPhones at some point, and for most users that makes perfect sense. But we’re seeing growing reports that the iPhone maker is first going to switch from Lightning to USB-C, and that raises a key question.
Is USB-C just a brief interim stage before iPhones go fully wireless, or do USB-C iPhones have a longer future … ?
Note that neither report means this is definitely happening. Kuo based his on supply-chain reports, and we noted at the time the uncertainties regarding these.
Apple likes to have multiple suppliers wherever possible, to allow it to negotiate better prices, and to reduce risk. If, for example, a major supplier of Lightning ports were to report Apple was planning to cut orders next year, that could mean nothing more than a rejigging of competing suppliers.
Similarly, USB-C suppliers talking about expecting a major boost in orders next year might again simply be Apple or other companies increasing orders with some suppliers while reducing them with others.
Bloomberg’s report was instead based on internal testing of a USB-C iPhone. I’m sure that report is accurate, but again, it doesn’t amount to proof. There is precisely a 100% chance that there have been USB-C iPhone prototypes within Apple’s labs for years now. Does ‘testing’ mean simply experimenting with these, or something on a more formal and larger scale?
However, both sources seem reasonably confident in their predictions, so let’s assume for now that they are correct. What does this mean for the future of iPhone ports? Here are my brief thoughts.
It would be an overdue move
I’m a big fan of port standardization in general, and of USB-C in particular. My ideal is a day when absolutely all wired connections are USB-C to USB-C, and I can finally ditch five of the six trays of cables I have, not to mention the additional one with assorted adapters.
I was a bit skeptical of Kuo’s report for this reason. While I’d welcome it, my immediate question was ‘why now?’. Apple started the switched to USB-C in the Mac back in 2016, and the iPad in 2018, so why wait another four years before the iPhone belatedly follows suit?
In particular, if Apple is heading toward portless iPhones, why go through the disruption now of a wired port change that would last for perhaps two or three years before a fully wireless iPhone?
If the reports are accurate, this is a very overdue move.
Most will be happy with portless iPhones
One possible explanation for the latter point is simply that the portless reports aren’t true, and Apple plans to stick with a wired charging and data-transfer connection option for the foreseeable future. However, I don’t buy that, for several reasons.
First, a portless iPhone is absolutely in line with Apple’s design direction. Sure, things have changed a little since Jony Ive left, but I do believe that his “single slab of glass” vision is Apple’s ultimate goal.
Second, eliminating a port reduces manufacturing cost and complexity. This, too, is absolutely in line with the company’s ethos – as the removal of the headphone jack demonstrated.
Third, removing the port improves reliability. It takes away the biggest entry point for dust and water, which will likely significantly boost the waterproofing standard. Additionally, it ends the fraying Lightning cable issue!
Finally, most iPhone owners don’t need a port – and even fewer will do so in the future. Few iPhone owners ever do any wired data-transfer, and most people can get their charging needs met through overnight wireless charging. For top-up charges, we’re seeing a growing number of wireless charging pads in cars, coffee shops, hotels, airports, offices … you name it. This trend will only continue. Same for power banks with MagSafe charging capabilities.
But there are still people who need a wired port
Apple cannot have things both ways: argue that the iPhone is a suitable camera for professional video use (albeit mostly as a B-cam or C-cam) while at the same time removing the only practical way to transfer significant amounts of 4K (and later 8K) video footage.
If you’re using an iPhone for pro video shoots, a wired port is a necessity, and USB-C is much better than Lightning.
Similarly, there will be a minority of people for whom wireless charging isn’t practical. If you are a really heavy iPhone user, and need to go significant periods between charges, then the faster speed of wireless charging may be a necessity rather than a luxury.
So there will always be some who need a wired connection (at least until wireless charging and wireless data transfer offer speed much closer to wired connections), even if they are a minority.
What’s my best guess?
I can see one of two things happening, at the point where Apple feels ready to make the change to portless iPhones.
First, the standard iPhone model(s) go portless, while the Pro models retain a wired port. This would make for a worthwhile point of differentiation for more serious iPhone users, while the vast majority of consumers will remain happy with wireless charging and AirDrop.
Or second, have the iPhone Pro Max be the only model to continue to offer a USB-C port. This would again be consistent with certain features being exclusive to the largest and most expensive model – like sensor shift and 2.5x optional zoom being exclusive to the iPhone 12 Pro Max.
I think Apple could probably take the second approach without upsetting too many people. Videographers are likely to appreciate the larger screen of the Pro Max, while anyone needing to push battery usage to the limits will obviously be buying the Pro Max for its longer battery life. So the two groups who most benefit from a wired port are already likely to choose the top-end model.
So that’s my bet. Sometime within the next few years, all but the iPhone Pro Max go portless, while the Pro Max gets or keeps a USB-C port. What’s your view? Please take our poll and share your thoughts in the comments.
Apple on Monday released iOS 15.5 and iPadOS 15.5 to the public following the release of the RC build last week. The update doesn’t bring significant changes, but it does improve the Apple Cash and Podcasts app.
iOS 15.5 new features
Apple says that iOS 15.5 makes enhancements to Apple Cash, with support for more easily requesting and sending money from the Apple Cash card in the Wallet app. There’s also a new feature in Apple Podcasts to help preserve your iPhone’s storage space and some bug fixes for HomeKit.
Here are the full release notes for iOS 15.5 according to Apple:
iOS 15.5 includes the following improvements and bug fixes:
Wallet now enables Apple Cash customers to send and request money from their Apple Cash card
Apple Podcasts includes a new setting to limit episodes stored on your iPhone and automatically delete older ones
Fixes an issue where home automations, triggered by people arriving or leaving, may fail
Here are some other changes in iOS 15.5 we’ve spotted so far, not mentioned in Apple’s release notes:
You can update your devices by going to the Settings app, then General > Software Update. Check out Apple’s website for more details about the security patches included with iOS 15.5.
It’s unclear whether this update will be the last before the first iOS 16 beta, which should arrive shortly after WWDC 2022 in June.
The only examples of a USB-C iPhone we’ve seen to date have been DIY versions, but Ming-Chi Kuo claims that Apple will make the switch from Lightning to USB-C next year, in the iPhone 15.
The report comes as something of a surprise, as although Apple has adopted USB-C for Mac and iPad, it had seemed the company planned to stick with Lightning until it switches to a completely portless phone …
Background
Apple began its adoption of USB-C for Macs back in 2015, with the 12-inch MacBook. It then went all-in with the 2016 MacBook Pro, before backtracking a little last year by restoring MagSafe, HDMI and SD card slots.
The iPad made the switch from Lightning to USB-C in 2018, with the 11-inch and 12.9-inch iPad Pro models.
That left the iPhone as the sole core Apple product with a Lightning socket. Since the iPhone retained the older connector for years after the Mac and iPad adoption of USB-C, the consensus view appeared to be that it would continue to do so until the first portless model.
USB-C iPhone 15 report
Apple analyst Ming-Chi Kuo tweeted today that Apple will make the switch to USB-C for iPhone in the second half of next year, which is to say the iPhone 15.
My latest survey indicates that 2H23 new iPhone will abandon Lightning port and switch to USB-C port. USB-C could improve iPhone’s transfer and charging speed in hardware designs, but the final spec details still depend on iOS support.
It’s expected to see existing USB-C-related suppliers of Apple’s ecosystem (e.g., IC controller, connector) become the market’s focus in the next 1-2 years, thanks to vast orders from iPhones and accessories’ adoption of USB-C ports.
The reference to USB-C suppliers benefiting for ‘1-2 years’ may indicate that Kuo then anticipates Apple will drop the port altogether.
9to5Mac’s Take
This is a somewhat odd report. Apple made the switch to USB-C iPads in back 2018, so if it planned to do with the iPhone too, we would have expected that to have happened by now.
It should be noted that although Kuo has a decent track record, he has more recently taken to tweeting simply thoughts or opinions about what Apple might do, rather than anything based on evidence. However, this tweet does specifically say that it’s based on his ‘latest survey,’ which means talking to suppliers.
Supply-chain reports can be of varying reliability. Apple likes to have multiple suppliers wherever possible, to allow it to negotiate better prices, and to reduce risk. If, for example, a major supplier of Lightning ports were to report Apple was planning to cut orders next year, that could mean nothing more than a rejigging of competing suppliers.
Similarly, USB-C suppliers talking about expecting a major boost in orders next year might again simply be Apple or other companies increasing orders with some suppliers while reducing them with others.
Kuo does seem confident in his interpretation of what he’s hearing from suppliers. It’s entirely possible that he’s right, but we wouldn’t count on it yet.
Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.
“When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number,” Google’s Jen Fitzpatrick said in a statement.
The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from skimming attacks wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market.
The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer.
Interestingly, while Apple offers an option to mask email addresses via Hide My Email, which enables users to create unique, random email addresses to use with apps and websites, it’s yet to offer a similar option for creating virtual credit cards.
The development comes a week after Google, Apple, and Microsoft banded together to accelerate support for a common passwordless sign-in standard that allows “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”
Additionally, Google said it’s expanding phishing protections in Google Workspace to Docs, Slides and Sheets, and that it plans to debut a new “My Ad Center” later this year to give users more control over personalized ads on YouTube, Search, and Discover feed.
What’s more, users would be able to request personally identifiable information such as email, phone number, or home address to be removed from search results through a new tool that will be accessible from the Google App.
Also coming is a new Account Safety Status setting that will “feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account.”
Other key privacy and security features unveiled at Google I/O 2022 include support for end-to-end encryption for group conversations in the Messages app for Android and the availability of on-device encryption for Google Password Manager.
Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.2
But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.
Free yourself with passwordless sign-in
Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:
Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
Select Turn on.
Approve the notification from Authenticator.
Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.
Strengthen security with multifactor authentication
One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.
Make sure your password isn’t the weak link
Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.3 For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”
Some basics to remember—make sure your password is:
At least 12 characters long.
A combination of uppercase and lowercase letters, numbers, and symbols.
Not a word that can be found in a dictionary, or the name of a person, product, or organization.
Completely different from your previous passwords.
Changed immediately if you suspect it may have been compromised.
Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:
Only share personal information in real-time—in person or by phone. (Be careful on social media.)
Be skeptical of messages with links, especially those asking for personal information.
Be on guard against messages with attached files, even from people or organizations you trust.
Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
Ensure all the apps on your device are legitimate (only from your device’s official app store).
Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)
Passwordless authentication is becoming commonplace
As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.
In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:
Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.
These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms
Mountain View, California, MAY 5, 2022 – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.
Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.
An Expansion of Passwordless Standard Support
Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms.
These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins:
Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.
These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.
“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”
“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.
About Apple
Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.
About Google
Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.
About Microsoft
Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
Google has officially released the first developer preview for the Privacy Sandbox on Android 13, offering an “early look” at the SDK Runtime and Topics API to boost users’ privacy online.
“The Privacy Sandbox on Android Developer Preview program will run over the course of 2022, with a beta release planned by the end of the year,” the search giant said in an overview.
A “multi-year effort,” Privacy Sandbox on Android aims to create technologies that’s both privacy-preserving as well as keep online content and services free without having to resort to opaque methods of digital advertising.
The idea is to limit sharing of user data with third-parties and operate without cross-app identifiers, including advertising ID, a unique, user-resettable string of letters and digits that can be used to track users as they move between apps.
Google originally announced its plans to bring Privacy Sandbox to Android earlier this February, following the footsteps of Apple’s App Tracking Transparency (ATT) framework.
Integral to the proposed initiative are two key solutions —
SDK Runtime, which runs third-party code in mobile apps such as software development kits (SDKs), including those for ads and analytics, in a dedicated sandbox, and
Topics API, which gleans “coarse-grained” interest signals on-device based on a user’s app usage that are then shared with advertisers to serve tailored ads without cross-site and cross-app tracking
To address criticisms that the model could possibly give Google an unfair advantage, the tech behemoth noted that the privacy-oriented systems will be developed as part of the Android Open Source Project (AOSP) to ensure transparency into the design and implementation of these solutions.
“Android will collaborate with the entire industry and app ecosystem on the journey to a more privacy-first mobile platform, and one which supports a rich diversity of value-exchange that benefits users, developers, and advertisers,” the company said.
